Throwing money at cyber security solutions is a false economy


Recent research has found that the financial services industry is the sector investing most heavily in cybersecurity solutions, increasing investment by 85% compared to last year. With daily headlines about breaches and the demands of the GDPR, this investment is perhaps unsurprising. The financial services industry is under immense pressure, from regulators and from the need to protect consumer brand value, to keep data safe, and it often sets the example of good practice when it comes to security and data protection.

Perhaps this foresight and investment is the reason why 96% of FS firms rate their cybersecurity measures as above average, or even market-leading.

With large budgets available in the fight against cyber crime there is, however, a tendency for financial services IT leaders to be drawn to the latest, shiniest technology solution of the moment. While there are undoubtedly some impressive solutions available that use buzzword technologies such as AI, cybersecurity is an issue that can only partly be solved by throwing money at solutions. In fact, investing in new technologies can sometimes make the issue worse.

What needs real investment, and not necessarily in cash terms, is the trinity of People, Process and Technology (PPT). A security vulnerability can appear in any element of the business, and a holistic approach that covers all colleagues and operations is vital for a good active defensive strategy.

People

‘Vulnerability’ is a word now most associated with a software or hardware issue, a flaw that exposes systems to fault or attack. People as vulnerabilities are often an afterthought. However, it is the people of an organisation who are most often seen as the weak link by those looking to exploit vulnerabilities. This human element in cyber security strategies cannot be underestimated. Phishing emails, and increasingly social media phishing, are the weapons of choice for many criminals wishing to exploit human fallibility. 91% of successful breaches begin with a spear phishing email, and social media phishing attacks are up 100% over the last year, according to research from multiple sources.

As well as raising awareness of the ways criminals will try to exploit colleagues to target their employers, it is important that staff are aware of the potential consequences should an attack succeed. While some organisations may shy away from what they see as ‘scare tactics’, it is imperative that colleagues are empowered to spot the signs of phishing and social engineering. Simulating a phishing attack against your workforce can be a good way of raising awareness, and all staff should be trained in the right process to follow if they suspect an attack.

While there should be a programme of training around specific threats, this should not be approached on an ad-hoc basis. Rather, the focus should be on fostering a cyber security culture in which individuals take their responsibility to reduce threats seriously. This is a culture that should start from the top. Leaders should make it a priority to dedicate time each month to developing their knowledge in this area, and Cyber & Information Security should be an agenda item at every board meeting. Whether by reading the latest industry news or attending a seminar, it is important for decision makers to understand the latest threats and developments and to be seen leading by example.

Process

Financial services organisations are largely built on robust processes, and it should be no different in relation to their cyber & information security strategies. Attackers will constantly seek holes or weaknesses in processes, and unless organisations undertake regular reviews, the attackers will find them first.

While attention can drift towards the latest technology and the more sophisticated hacks, there are basic IT functions, such as prioritised patching and keeping software up to date, that should never be left for another day. The majority of malware relies on old exploits for which software vendors have already released patches, so keeping systems up to date will help mitigate this risk.

At a minimum, all organisations, not just financial institutions, should be keeping up with Microsoft's monthly ‘Patch Tuesday’ release, for example, which delivers the latest essential patches.

Other standard procedures should be instilled wherever high-value payments are handled or sensitive data is shared. Two-factor authentication (2FA) adds a second, separate factor, such as a code sent to a mobile number or even a biometric check, to verify a user's identity, making it much more difficult for an impostor to trick their way into acquiring data or payments.

Technology

I opened this blog with reference to a trinity of cyber security foundations. Now we come to the technology. Companies should at the very least be equipped with solutions for threat detection and vulnerability scanning, and should be performing regular penetration tests on their systems, as recommended by the Information Commissioner's Office (ICO). Then there are the new technologies that offer nirvana-like protection features. However, I counsel caution on investing in new technologies until the basics have been addressed: leaders should understand where their threats are coming from and focus on those.

What financial services leaders need to keep in focus when considering new technology purchases is whether they are trying to buy a solution to a problem that really lies with people or process. Technology cannot answer every issue, and it won't always work well with the culture and processes already instilled in an organisation.

That is why it is so important to have a holistic approach that encompasses a security-first culture, enables constant review of processes and understands the importance of investment in technologies that evolve to combat emerging vulnerabilities and threats.

With a security strategy that centres on PPT, financial organisations can minimise the risks to the funds and data they hold without investing ever-increasing amounts to chase the latest solution to hit the market. Think of Cyber & Information Security as an investment in your colleagues, customers and brand.
External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
