Why a regulation mindset can hinder the financial sector’s cyber security posture

Martin Riley, Director of Managed Security Services at Bridewell Consulting

In a highly regulated environment, too many financial services organisations rely on regulations as the main driver for their security strategy. However, there is lingering uncertainty around legislative alignment within the UK finance sector, leaving organisations vulnerable to attack. As cyber threats continue to evolve and accelerate, regulation can only go so far in providing motivation for improvement.

The financial services sector is a natural target for cyber attacks. After all, financial gain remains the key driver for cyber crime, with almost 90% of breaches motivated by money. Further research shows that banking and financial institutions are 300 times more at risk of cyber attacks than other companies. As the industry undergoes rapid digital and infrastructure transformation, and companies migrate towards highly integrated platforms, criminals continue to exploit the cyber risks and attack vectors created in this new omnichannel environment.

Today, as banks are warned to brace themselves for a potential wave of cyber attacks launched from Russia, the finance industry needs to protect itself against a diverse and escalating range of threats. Standard cyber security measures and reactive regulation-driven mindsets are no longer fit for purpose: the sector must adopt a proactive and intelligent approach to cyber security that is underpinned by a modern security operational approach such as managed detection and response.

The urgent need for security transformation

Finance leaders and decision-makers appreciate the gravity of the cyber security threat. And while it may seem wise for them to look towards regulations and legislation to govern their organisation’s cyber risk strategy, a myopic focus on meeting compliance can have an unexpectedly damaging effect.

Currently, the EU’s directive on security of network and information systems (NIS Directive) is front and centre of many financial services organisations’ cyber security agenda. The legislation sets a range of network and information security requirements which apply to operators of essential services and digital service providers. However, while the NIS Directive is a step in the right direction for all critical national infrastructure (CNI) organisations – including those in the finance sector – many companies lack a clear understanding of the requirements and are therefore failing to define tangible cyber security objectives.

The need for financial services organisations to shift the focus of their cyber security strategy is more urgent than ever. Criminals are becoming increasingly sophisticated in finding and targeting weak points across the entire network, leveraging cloud misconfigurations for easier access. For example, ransomware is very much on the rise and has rapidly evolved from being a malware issue into a highly nuanced and profitable human-operated endeavour. By harnessing the efficiency of automation and living off the land, cyber criminals can disrupt and damage almost all the components in the finance ecosystem.

Phishing is another common method used by attackers to exploit the sector’s cyber security vulnerabilities. According to the APWG, financial services organisations are the target of around 41% of all such attacks, leaving them vulnerable to data breaches and severe reputational damage. And scams are no longer limited to email: last year saw Barclays account holders fall victim to a series of orchestrated social engineering attacks delivered by SMS text message (known as ‘smishing’), resulting in millions of pounds being stolen.

From compliance to intelligence

To counter the growing cyber crime threat, financial services organisations need to shift their strategic focus away from simply meeting compliance requirements. Instead, they must seek to deliver continuous improvements through intelligence and automation. Rather than just adding more and more controls, the finance sector can implement the right ones to effectively understand and mitigate risk.

As such, organisations should move their cyber security focus from prevention alone to detection, containment, and response. IBM’s Cost of a Data Breach Report underlines the importance of being able to detect how and when a breach has taken place and to respond accordingly. Companies that find themselves bogged down by compliance and take a short-sighted, purely preventative approach are typically those that take the longest to discover that a cyber attack has occurred.

The need for a modern approach to security operations

Cyber crime is swiftly displacing conventional crime. As a result, financial services organisations must elevate cyber security strategies from relying on traditional tools to protect systems, processes, and people, to encompass modern techniques such as managed detection and response (MDR).

A well-considered strategy centred around MDR is essential to improving security posture while still adhering to legislation and regulations. Investing in threat-led security operations empowers organisations to combine traditional and modern tools with innovative, proactive tactics and education. Threat intelligence linked to MDR, supported by ethical hacking techniques to test defences, can offer deep insight into the gaps in an organisation’s cyber security strategy. The collaborative process of identifying and closing each gap – validated through retesting – not only removes the risk but also educates teams on a range of cyber security best practices.

The most effective methods of MDR utilise Extended Detection and Response (XDR) technology platforms to cover business applications, regardless of cloud technology or location. However, success depends on having the right skills and people to manage new technologies. With the right MDR partner, the finance sector can move away from a restrictive regulation mindset and confidently navigate this increasingly challenging and complex cyber security landscape, safe in the knowledge that data and systems remain protected.
