Cyber security booms in the boardroom – it’s time to take it to the top
When major financial sector corporates fall victim to cyberattacks, you can’t assume that you’re immune.
How safe is your network? Perhaps you think that’s a question for the IT department. But it only takes one look at what’s recently happened to major capital markets players to see that compromised infrastructure can and does lead to devastating effects across the business. If it can happen to them it can happen to you. The stakes are too high not to think about the risk to your business at a strategic level.
In 2014, RBS Group was fined nearly £60m for IT failures that saw customers unable to use systems for hours at a time. JP Morgan sustained an attack in June 2014 that saw information for 76 million households and seven million small businesses compromised, with the attack going unnoticed for two months. In February this year it was reported that 100 banks were hit for $1bn across thirty countries over a period of two years, according to Kaspersky Lab.
And they keep on coming: HM Government’s 2015 Information Security Breaches Survey Technical Report documents that a large financial services company in South East England suffered a malicious code attack on their website. With no contingency plans in place it took over one or more weeks to restore secure operations. It also reports a Financial Services firm’s UK operation suffering a website breach that allowed the attacker to take control of some systems, due to a missed patch update. It took the firm a month to recover, with a loss of £500K revenue and at a repair cost of over £250K.
Financial cyber-crime is a real and growing problem. As mobile banking and contactless technologies gain popularity, more sensitive personal data is being transmitted via increasingly different channels, creating an ever-greater potential exposure to cyber criminals. As ways of communicating and doing business more competitively and flexibly evolve at pace, so does the complexity of our technological integration – along with the scope for sophisticated technical criminals to disrupt it.
The industry facts:
- Mobile banking transactions account for the movement of £1.7bn per week and are expected to double by 2020 (Fiserv, 2015).
- ThreatMetrix 2015 reports that the UK is in the top five targeted countries for cyber-attacks, along with Canada, USA, France and Germany.
- The financial services, government, and energy and communications industries are most at risk, according to ThreatMetrix 2015.
Cybersecurity is high on the Financial Conduct Authority’s agenda: “The potential for increasingly sophisticated fraud attacks means it is important that firms continue to invest in implementing strong security measures for consumers.” The FCA has seen the importance of making it a strategic concern, stating that it expects to mandate accountability for cyber security measures to senior management. July 2014’s FT Bellwether survey found that 69% of company board members now actively assess vulnerability to cyberattack, up from 44% the previous year.
So what more can you do?
The big and small banks alike are being hit, governments are under threat, the FCA knows this is a problem and you are already doing all the things you can think of to mitigate the threat.
Here are my suggestions:
The Department for Business, Innovation & Skills (BIS) has issued a brief guide for non-executive directors to help them engage with the problem. Take a look at Cyber security: balancing risk and reward with confidence - guidance for non-executive directors (10 December 2014), where BIS sets out questions to ask along with key information and metrics that can be used to shape management decision-making and strategy. (Source: www.gov.uk, Department for Business, Innovation & Skills (BIS).)
Our work across financial services organisations in the UK reveals the highest risk factors for vulnerability to cyberattacks. If any of these apply to you, you need to consider now how you can address them:
- No security budget set aside
- No board level buy-in or strategy-setting
- Lack of management understanding of the issue
- Other pressing business priorities
- Lack of even a basic cyber security programme
It’s vital to assess where you are right now and identify vulnerabilities, so you can put in place measures to protect your customers’ data and your business infrastructure.
Data Integration offers a FREE Enterprise Risk report to any business that wants to identify the potential risks currently on its network, to help lock down vulnerabilities and prevent cyber-attacks. The report is designed to work in line with a business’s cyber strategy before it’s too late.
My experience from both industry and technology perspectives means we can work with you to tackle the problem effectively in the context of your particular operation.
In the complex, highly regulated, hugely competitive financial services world, it’s not surprising that senior execs haven’t always given enough attention to this problem. But that needs to change to avert potentially major losses in revenue, profitability and reputation.
To find out more about the free risk report, get in touch.
Author - Richard Pitt, Managing Director of Data Integration