The Cyber Menace And How Wealth Managers Should Face It
22 May 2017
In the UK alone, businesses were hit 230,000 times each by cyber-attacks in 2016. Jaco Cebula, Chief Technology Officer, Multrees Investor Services, gives his insight into how firms must organise themselves to ensure they minimise this risk:
“Cybersecurity threats have undoubtedly become more intense over the years and will naturally drive more and more of the attention and the budgets of businesses globally to focus on mitigating the issue. The most recent case of the WannaCrypt cyber-attack which affected over 150 countries is the best real-time example of the rapidity and the scale of the impact this can have.
“The cyber challenge will remain complex and evolve rapidly, placing companies, particularly those dealing with vast volumes of financial data, under immense pressure. They must keep customer data safe and drive the need for constant innovation to maintain robust security frameworks and help minimise the risk of security breaches.
“Worldwide annual expenditure on cybersecurity software, hardware and services is expected to reach $101.6 billion by 2020 compared with spending of $73.7 billion in 2016, according to research from the International Data Corporation (IDC).
“While constant innovation is crucial in tackling the issue, the approach should also be a holistic one, involving people and an improved process of intelligence gathering, and sharing of that intelligence via more effective communication channels.
“The need to rapidly generate new products to survive in a highly competitive market makes delivering robust security controls extremely challenging. However, as the level of threats grows, it is crucial that banks become more open when it comes to their cyber strategy and work together as an ecosystem to combat the issue.”
“The more traditional ‘technical’ approach to cyber security, while necessary, is not sufficient in itself to ensure that firms can minimise the impact of any attack. The majority of regulated firms will have controls in place to ensure that their IT security team is taking the necessary measures, such as keeping virus definitions up to date, patching servers, locking down firewalls, setting minimum required permissions, providing intrusion detection systems, and testing perimeter defences etc.”
“However, while the WannaCrypt ransomware attack has shown spectacularly that there are no grounds for complacency in these areas, it is important to realise that many of the most effective measures lie beyond the realm of IT Security, and relate more to a less predictable area of vulnerability – an organisation’s people.”
“As a result, it seems pertinent to examine a number of key non-technical measures that demonstrate a number of ways that Multrees has tried to take cyber-security ‘out of the IT Security department’:
· Online training – this should be a mandatory part of the staff induction, and the CISI online training catalogue, which includes an introduction to Cyber Security, is a good example.
· ‘Lunch and Learn’ approach – this covered the main ‘social engineering’ categories of Cyber Threats, and included real life examples, as well as reviews of actual attacks on Multrees and lessons learned.
· Understanding of different data domains – it is vital that individuals understand where and how corporate data is stored e.g. local devices, corporate network, cloud etc., as well as the risks inherent in each.
· Downstream supplier impacts – it is no longer sufficient to understand the impact of direct threats to your own organisation. Effective supplier management of application providers (both on-premise and cloud based), infrastructure/network partners and B2B counterparties should include due diligence on security measures, as well as reporting and transparency around any attacks via service reviews.
· IT ‘coding for security’ – a myriad of online courses and certifications are available to ensure that all software developers have an awareness of how to build security into their software ‘from the ground up’.
· Simulations – this does not have to be time consuming or costly, but it is vital that staff are aware of the procedures in the event of a ‘real world’ attack. A simple spear phishing simulation, which requires a little creativity and the creation of a dummy website, could provide an opportunity to analyse the responses and to target training and resources more effectively. Ransomware is also very easy to simulate and track with only a small amount of scripting.
· Be aware of ‘patterns’ in attacks e.g. DDoS is often a cover for a more forensic data theft. It is important not to lose sight of the perimeter while dealing with the initial incident.
A key to getting buy-in to this activity is to understand that one will, inevitably, be the victim of some form of cyber-attack.
In 2016, Multrees itself was hit by a Ransomware attack that was not identified by the mail scanner. The effect of this breach, however, was minimised swiftly via appropriate user permissions, allied to effective segregation of the network, meaning that core databases and application files were simply not accessible. However, it is important to note that these technical protections would not have been necessary, had the offending email been treated with appropriate levels of suspicion and tighter scrutiny at the point of entry by the recipient.
Being hit by a real-life attack, even one with minimal impact, can provide a timely wake-up call to ensure that cyber awareness is embedded in the organisation’s culture.