Cybersecurity is a particularly important topic in the financial services sector. The umbrella of financial services covers a wide variety of organisations, including accountancy, wealth management, insurance, banking, mortgage lending, and the buying and selling of properties. To a cybercriminal, these companies all share two particularly lucrative assets that have the potential for huge financial gain: money and sensitive information.
Across all sectors, cybercriminals will launch attacks for the purpose of monetary gain. However, with financial data at the core of these organisations, they make a highly attractive target for those looking to make money. Additionally, the personal information held by those working in the financial services sector also places these companies in the firing line. Organisations such as insurance companies routinely use sensitive data to deliver a boutique and personalised service to their clientele. For a cybercriminal, this data is highly valuable: it can be used to craft sophisticated phishing attempts or ransomware attacks, or it can be stolen and sold on the dark web.
How do cybercriminals target these companies?
Phishing emails are one of the most popular attack vectors for cybercrime, regardless of the target. This is where criminals use social engineering techniques to send out emails that look like a legitimate communication. These emails then encourage the recipient to either click on an infected link or download a malicious attachment, which could install malware on the device or harvest the login credentials of the target. Phishing attacks can take the form of not just emails, but phone calls or texts too, and can be crafted to be highly sophisticated and convincing. Phishing persists as an issue because it is notoriously difficult to prevent. This technique does not target a system or device; rather, it targets the recipient themselves. Although there are various technical solutions to try and prevent phishing attempts from landing in an individual’s inbox, if one does make it through, the onus is on the individual to be vigilant and identify it. This is a clear demonstration of why it is important for all members of an organisation to be clued up on cybersecurity.
Ransomware also poses a risk to those working in financial services. This kind of attack involves using encryption to lock the victim out of their systems or devices, holding their company’s data to ransom in exchange for money. Ransomware attacks create a highly stressful and time-sensitive situation for a company and raise several ethical questions. For many companies, the reputational risk outweighs all else, and they may choose to pay the ransom in an attempt to regain access. However, whilst this may bring a short-term solution, statistics of repeat victims prove that there is no guarantee this company will not be targeted again, particularly since they have now been identified as willing to pay. Additionally, there can be no assurance that sensitive data has not been stolen, either to be used for other criminal activity or to be sold on the dark web. For those who cannot or do not want to pay, ransomware attacks are also incredibly expensive and time-consuming to deal with; they incur unknown financial and reputational costs, and the company’s ability to operate can be totally shut down.
Alongside phishing and ransomware, other attacks such as distributed denial of service (DDoS) attacks, SQL injection (SQLi), Local File Inclusion (LFI) and Cross-Site Scripting (XSS) also pose a threat. Regardless of the attack mode, the information above demonstrates just how valuable it is for companies in the financial sector to consider their cybersecurity position and put measures in place to minimise any risk.
Where does a vulnerability assessment fit into this?
There are several steps involved in ensuring that your organisation is educated and aware about what good cyber resilience looks like. Firstly, ensuring that everybody understands the common cyber threats they might face means that employees will be more likely to spot and report a phishing attempt. Another way to become more resilient to the possibility of a cyber-attack is to take stock of any online vulnerabilities that hackers can exploit. At the ECRC, in addition to our free resources and tools, we also offer several services to help identify such vulnerabilities, at a cost that is affordable for many SMEs.
Our services are provided by students, who are employed on the Cyber Path talent pipeline. These local students are mentored and monitored by senior ethical hackers, facilitating hands-on training for those who may become the future leaders in the fight against cyber-crime. This not only makes their services more affordable than those provided by commercial companies, but by utilizing their skills you are supporting the next generation of cyber-talent.
This service assesses your website and web services against the top 10 security risks, searching for weaknesses and vulnerabilities. These assessments are supported with back-out and recovery plans to minimise the risk of outages. Service reporting will then outline the weaknesses in plain language, explaining what they mean and the risk to your business, as well as giving guidance on how to fix them.
This involves reviewing your business’s internet connection remotely, in the same way an attacker would. These are not penetration tests with the goal of complete system compromise and control, rather tests focused on identifying weaknesses that could be used by attackers to achieve those ends. Service reporting is then provided in plain language to explain the findings.
This requires access to your internal network to simulate somebody who has gained illegitimate access. It will scan and review your internal networks and systems for elements including poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access sensitive data. Again, service reporting will describe what each weakness means, the risks associated, and guidance on how to fix them.
If you receive a troubling service report and choose to take remedial action, the ECRC partners with several cybersecurity companies who can help you to manage this; however, there is no obligation to do so. You could also choose to pursue a Cyber Essentials qualification, which will assure you that your company is reaching the minimum recommended standards in terms of good cyber security.
What should you do next?
Signing up as a free member of the ECRC allows you to receive the benefits of our ‘Little Steps’ programme. This weekly email series allows you to build your cyber resilience gradually through the form of actionable weekly tasks. These emails are concise and designed to be accessible for a non-technical audience.
After following the ‘Little Steps’ email programme, you will likely be compliant with much of the criteria to become Cyber Essentials certified. When a company is operating under Cyber Essentials, it is 99% protected either fully or partially from today’s common cyber-attacks. If you choose to go through with receiving the official certification, you can opt to do so through one of our Cyber Essentials Partners, who all work within the region.
Finally, if you would like further information on vulnerability assessments or wish to chat about the cyber resilience of yourself or your business, you can book a chat with us here.
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which isn’t ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).