In 2017, the Financial Conduct Authority brought together 175 firms from across the financial sector to share information, ideas and insights into their cybersecurity experiences.
A year-long consultation on governance, identification, protection, detection, awareness, response, recovery and testing has created the FCA cybersecurity briefing. It pulls together these industry leaders’ best practices for reducing risk and increasing resilience in the face of cyber attacks.
The consulting groups represented fund managers, investment managers, insurers, retail banks and retail investment firms. Their findings apply across the sector, and matter most to smaller finance firms, which generally know they have less cyber capability and resilience than they’d like.
So. What do you need to know, and what do you need to do?
1. Cybersecurity comes from the top
All change in a business comes from the people who lead it. Financial services firms are used to enterprise risk management, and the same approach works for discovering, articulating and sharing cybersecurity risks. Start with the people, and start at the top.
Executive level workshops based on case studies and incidents reported in the media can highlight potential risks and help executives link these risks to their business. The goal is not a climate of fear based on “what happened to X”, but a watchful and nuanced awareness of what kinds of cyber threats are out there, and how significant they are to your business.
To build this awareness, you need to ask your cybersecurity contacts for a simple dashboard that illustrates what’s going on in your business – what’s important, what’s good, what needs improvement, and what’s risky. Plain language, related to the risks you already understand, can cut through the tech-talk.
If you can, appoint a champion: an influential member of staff who’s interested in cyber and can translate between cyber and the business at large. This person provides technology and security functions with an understanding of the business, and can relate technology and security concerns to the rest of the business leaders in terms they – and you – understand.
2. Staff need training in cybersecurity
Most data breaches don’t start with a failure of the security tooling; they start with a person being tricked, or making a mistake. Your investment in cybersecurity tech needs to be backed up with cyberawareness training – belt and braces.
Everyone in your business needs to know how to use their cybersecurity tools – and they need to know how attackers target them personally, through phishing and other social engineering.
The FCA recommends targeted training. Cybercriminals go after weak links in the cybersecurity chain – time-poor professionals with access to critical systems, who will do what they’re asked to because they want to get the job done. These people need training that aligns with their roles, responsibilities, duties and access to data.
The key is to make cybersecurity easy, integrating it with the operations your staff carry out day-to-day. Make reporting easy – one click to report a suspicious email – and adopt password testing, letting people know when their password isn’t up to scratch.
3. You need to know your business’ vulnerabilities
If you want an initiative your whole business can get behind, though, look at the types of cyber attack to which your business is most vulnerable. Know what kind of attacks are out there, how they work, and how cybercriminals take advantage of systemic and personal points of weakness in a target firm.
Beyond this, consider your digital footprint. Cloud technologies and mobile devices are extending the traditional shape and structure of a business – and every file held in the cloud and every device on the network widens the attack surface.
Third parties are a similar point of concern. You can’t assume your partner firms are doing the diligence themselves. Build your cybersecurity expectations into your contracts, and make sure you have the right to audit. Review existing contracts and relationships to ensure they’re secure, and don’t be afraid to ask for more – your partners should be as concerned as you are.
Not all vulnerabilities can be fixed – some financial sector firms are working with decades-old legacy systems that simply can’t be upgraded or modified. In these cases, you need alternative controls – targeted training to make the people who use those systems aware of and watchful for their specific vulnerabilities.
At this stage, it’s important not to be overwhelmed. You may discover your business is a lot more vulnerable than you realised, with dozens of critical assets exposed. This is where you need to prioritise. You know what’s integral to your business, so protect that first.
4. Cybersecurity isn’t a single fix job – it’s an ongoing activity
The threat landscape is constantly changing, as technologies emerge and new vulnerabilities are discovered. One round of training and one new security suite can’t protect your business forever; a year is about as far ahead as you can plan with any confidence. Futureproofing your business means acting in the present.
Participate in forums – share information and intelligence with the rest of your sector. Pooling data and insights means you and your peers can help each other stay safe. Use that data, and plausible, relevant scenarios from the media, to improve your awareness and communication of cybersecurity issues.
The best way to stay on top of cybersecurity is to learn from others. Look at what’s happening in the world, the events that have affected other businesses, and carry out impact analysis on your own firm. What would happen if this happened here? Would you have been protected?
5. Good detection systems are a must
Prevention is better than cure. If you can detect an attempted attack on your systems and services early, before it succeeds, you can stop it before it does real damage. This means you need awareness and plans for threats that come from both inside and outside your business.
Inside the business, you need to know who’s who – make sure people are using their own accounts, and have access to what they need. Identify accounts with access to critical systems and data – monitor those more closely, and put a data loss prevention tool in place.
Above all, monitor behaviour. What are user accounts doing? Who’s actually at the desk when that account is logged in? If you know what’s usual, the unusual is easier to spot.
A rigorous monitoring routine creates alerts when anything unusual happens; it’s tamper-resistant, because the logs it creates are written somewhere the monitored accounts can’t read or edit them, ideally forwarded to a separate system as they’re generated; and it’s validated by test alerts and regular checks of those logs to make sure they’re complete and there when you need them.
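To show what “know what’s usual, spot the unusual” and “tamper-resistant logs” look like in practice, here is an added example that is not part of the briefing or this article. It builds a per-user baseline (usual hosts and login hours) from a week of constructed login records, flags later logins that fall outside it, and chains each log record to the previous one with a SHA-256 hash so that editing or deleting a line is detectable on the regular check. The log line format, the account names and the one-hour tolerance are all assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed login records (assumed format: "timestamp user host"); not real logs.
BASELINE_LOG = [
    "2017-03-01T08:55 alice WS-ALICE",
    "2017-03-02T09:10 alice WS-ALICE",
    "2017-03-03T17:40 alice WS-ALICE",
    "2017-03-01T09:30 bob WS-BOB",
    "2017-03-02T10:05 bob WS-BOB",
]
NEW_LOG = [
    "2017-03-08T09:02 alice WS-ALICE",          # usual host, usual hour
    "2017-03-08T02:14 alice WS-FINANCE-DB",     # new host AND 2am: two alerts
    "2017-03-08T10:30 bob WS-BOB",              # usual
    "2017-03-08T11:00 bob WS-ALICE",            # bob at alice's desk: one alert
]


def parse(line):
    """Split one record into (user, host, hour-of-day)."""
    timestamp, user, host = line.split()
    return user, host, int(timestamp[11:13])


def build_baseline(lines):
    """What is 'usual' for each account: the hosts and hours seen in the baseline window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, hour in map(parse, lines):
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(hour)
    return baseline


def detect(lines, baseline, hour_tolerance=1):
    """Return (record, reason) alerts for logins outside the account's baseline."""
    alerts = []
    for line in lines:
        user, host, hour = parse(line)
        profile = baseline.get(user)
        if profile is None:
            alerts.append((line, f"unknown account {user}"))
            continue
        if host not in profile["hosts"]:
            alerts.append((line, f"{user} logged in from new host {host}"))
        if not any(abs(hour - h) <= hour_tolerance for h in profile["hours"]):
            alerts.append((line, f"{user} logged in at unusual hour {hour:02d}:00"))
    return alerts


def chain(lines):
    """Hash-chain the records: each hash covers the previous hash plus the line,
    so an edited or removed record breaks every hash after it."""
    prev = "0" * 64
    records = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode("utf-8")).hexdigest()
        records.append((line, prev))
    return records


def verify_chain(records):
    """Return the index of the first record whose hash does not fit the chain, or -1 if intact."""
    prev = "0" * 64
    for i, (line, digest) in enumerate(records):
        if hashlib.sha256((prev + line).encode("utf-8")).hexdigest() != digest:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    for record, reason in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print("ALERT:", reason, "|", record)
    print("chain intact" if verify_chain(chain(NEW_LOG)) == -1 else "chain broken")
```

In practice the chained records (or at least the running hash) would be forwarded to a system the monitored accounts cannot write to, and the verification would run on a schedule; that scheduled run is the “regular check” that proves the logs are still complete when you need them.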
Cybersecurity tools can’t do everything to protect your business: you need to think about people. Proper training ensures people secure their accounts, respond to their alerts, and think twice about everything they see and do on the business’ systems.
Inform yourself about the most clear and present threats to your business, and lead the charge on cyberawareness from the top. Keep yourself informed by sharing insights, ideas and experiences with your peers – learning from incidents is the best way to build cyber resilience.