Cyber-incidents are on the rise: What can your firm do to defend itself?
It feels like almost every week a cyber security incident is reported in the news. In 2019 the number of data breaches reached an all-time high, while the new year opened with headlines about Travelex being held to ransom by hackers.
Cyber security is an issue that every business must take control of; the risks of material loss, reputational damage and regulatory repercussions are simply too great to ignore. And attacks are increasing in scale and sophistication all the time.
We must also realise that there are no overnight solutions. Cyber security remains an ongoing challenge faced by firms across many industries.
Everyone operating in the fintech sector is a high-priority target. As open banking and digital payment services start to hit the mainstream, hackers will see any opportunity to exploit security gaps that might emerge as companies scale up or adapt to unfamiliar technologies and practices.
Simply reacting to an attack that has taken place will always mean acting too late. You need to be proactive in defending against the threats out there. And if your business has been breached before, it will be expected to put in ‘double time’ to ensure the issue never occurs again.
Whether you are starting from scratch or are part of a more established organisation, it is important to consider cyber security from the ground up. Developing a business with comprehensive, solid security from the start is much easier and cheaper than trying to bolt additional layers of security onto mature systems and processes.
As we enter a new decade, every fintech firm should take the time to review their systems. At the top of the list of priorities is appointing a Board-level representative to be accountable for ensuring the business is protected and prepared for any type of breach. It is also vital that ‘cyber’ is clearly owned at an operational level to ensure policies are implemented across all levels of the business.
To gauge where an organisation is on its cyber journey, senior management should ask themselves five key questions:
- How do we know that, as a business, we are protected from cyber-attacks?
It is imperative for businesses to adopt one of the numerous cyber security frameworks available, which cover the core technical elements of cyber security (such as security of devices and protection against malware). Following a framework ensures that people across the business are made aware of cyber security best practice and the protocols in place.
This is a good starting point, but not enough on its own. To be truly effective, you need the right combination of technology, the correct processes to be followed and the right people to monitor and assess whether processes are working. Having all of these in combination will stand a firm in good stead against attack.
- How do we know that we have the most appropriate security policies and governance in place?
Criminals don’t care which part of a business they find the weakness in, meaning firms must not take a ‘siloed’ approach to security.
The Board must set the tone in creating a culture of compliance and security for the rest of the business to follow. Comprehensive policies, with clear roles and responsibilities, are vital for firms if they want to track and monitor performance against clear criteria. Does your business have a set of written IT security policies and guidelines? Have these been agreed and signed off at a senior level?
- How should we communicate a cyber security breach to the market, regulators, customers, media and staff?
Firms need to be able to identify a breach and report it quickly if they are to meet regulatory requirements. In the Verizon 2019 report, however, it was noted that over half of all business breaches took months to discover.
As part of any such notification, an assessment of the extent and severity of the breach needs to be included. If a breach is found to have exposed personal data and posed a risk to people’s rights and freedoms, companies are at risk of a fine of up to 4% of their annual global turnover (or €20 million, whichever is greater).
Cyber breaches can be costly, but the most damaging impact is likely to be to a firm’s reputation. Handling communications following a data breach can be extremely challenging. A clear communication strategy should be mapped out in advance and adjusted to individual circumstances. At a very high level, all communications related to a cyber-attack should be timely, accurate and honest.
- Can we be confident that we have the necessary operational resilience to keep the business running if we suffer a major cyber incident?
The answer to this question will depend entirely on the nature and severity of the incident.
For starters, businesses should build a clear map that prioritises which systems or applications are critical to the running of the business, and then draw out contingencies that could be activated if they were breached.
Firms should consider physical security issues as well – how quickly could your teams remove or change access permissions and what would be the process for doing this?
Having trusted third-party specialists on hand to provide support will also demonstrate to customers and regulators that your firm is prepared for any eventuality.
- What is the nature of the threat landscape and what are we doing to understand it?
Ensuring your firm regularly assesses the threat landscape is imperative. Partnering with trusted third parties and advisers will help develop business intelligence and give you a deeper understanding of ongoing and emerging threats. Only by understanding the nature of potential threats will firms be better prepared for them.
There are a number of different types of attackers – ranging from organised gangs to insiders and even competitors – each of which will have different information and systems they would want to target. Travelex’s breach is a reminder that organisations will continue to suffer as a result of ransomware, which is a booming trend – attacks are expected to become more sophisticated and targeted as companies become wise to the security flaws that allow them to occur. Take time to consider what defences are in place for each type of threat and what more could be done to strengthen them.
The fight against cyber crime continues
As firms consider the above questions, it’s important to note that the combined technical complexity, unpredictability and constant evolution of these attacks means that no firm will ever be 100% protected. Cyber strategies will have to be living documents, and the projects around them will be ongoing and evolving alongside the threat landscape.
Start-ups and challenger firms should incorporate and consider cyber security from day one to ensure they remain as resilient as they need to be. Board members should also be held accountable for the good governance of a business, with the understanding that those most proactive will be those most protected.
By Matthew Drage, director of external engagement, Huntswood and Stephen Head, senior partner, cyber security practice, Gadhia Consultants