By Anna Webb, Head of Security Operations at Kocho
The Bank of England’s Cyber Framework has been designed to help UK financial institutions identify areas of vulnerability that can be exploited by a cyber attack. It will also help to increase awareness of how effective cyber security measures really are. In this article, Anna Webb, Head of Security Operations at Kocho, the cyber security, identity and cloud IT expert, discusses how financial organisations can leverage the framework to bolster their cyber defences.
Importance of cyber security for financial services
Cyber security in financial services is incredibly important but also extremely complex. Tech advancements and digitalisation projects rapidly accelerated during the pandemic, increasing the attack surface of company operations. The requirement to work from home, and to access confidential information from outside corporate networks, increased the risk of attack still further and made it more difficult to adhere to strict compliance requirements. Furthermore, with ransomware attacks on the rise and high-profile vulnerabilities being discovered at an alarming frequency, keeping systems secure is akin to a game of whack-a-mole for understaffed and overworked IT teams. To put the scale of the challenge into perspective, the UK Government’s 2022 Cyber Security Breaches Survey found that 39% of UK businesses identified a cyber attack in the last 12 months.
There isn’t an easy solution to this multifaceted situation, but if financial organisations break down the task into bite-sized pieces, it is certainly possible for them to minimise their exposure to cyber risks.
Balancing cyber security and flexible working practices
For many financial organisations the quest to strike a balance between security and flexible working practices has been a top priority. One approach is to introduce security protocols that reflect each employee’s job function, and the applications and systems they need to access in order to fulfil their role.
For example, employees in the accounting or marketing departments may be more likely to continue to work from home in the longer term, so they will need solutions that can strengthen their local network security. This compares to traders, who require more powerful systems and lower latency, and therefore will likely continue to work at the office, well within the local security protocols. Financial advisors are often mobile so may require more robust network security and identity controls. Commercial bankers, who once established relationships over business dinners, now find themselves trying to do the same using videoconferencing tools that must be adequately secured if they are being used to share highly confidential data.
The IT department will need to support all these new ways of working with the right security solutions to ensure the overall success of the organisation.
Investing in compliance as a business enabler
Legislation will always evolve as it tries to keep pace with advances in technology and with the ever-changing modes of attack by cyber criminals. As financial organisations look to innovate and remain competitive, they need to ensure that they are undergoing digital transformation in a way that is sustainable and safe – especially if they’re outsourcing operations to other companies and giving them access to their data.
A recent regulatory development is the Bank of England CBEST security assessment framework, which is designed to help financial organisations improve their cyber resilience, and is also now integrated into supervisory strategies from regulators such as the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). These voluntary assessments focus on revealing and understanding weaknesses and vulnerabilities and set out the remedial action that should be taken to fortify organisations and, by proxy, the wider financial network.
During the assessment, a highly skilled cyber threat intelligence analyst will oversee a series of realistic penetration tests that replicate sophisticated modern cyber attacks without causing any damage to the actual system of the financial institution. As part of the process, the organisation’s cyber defences are benchmarked for maturity against the standard key performance indicators. The continued use of CBEST has been confirmed as a highly effective regulatory assessment tool, which can also be undertaken on a cross-jurisdictional basis, and in cooperation with other regulations and frameworks.
For any financial services organisation that is outsourcing any of its services, it is valuable to be aware of the exponential rise in cyber attacks on supply chains. For the UK government, that rise has made further legislation on security inevitable. A framework known as the National Cyber Strategy 2022 (NCS) is designed to aid UK organisations in developing IT infrastructure security so that they are prepared for such attacks. A new national cyber strategy is expected to be launched by the end of this year, with proposals likely to become law sometime in 2023.
The role of MSPs in bolstering IT defences
Many organisations opt to outsource their IT and cyber security to gain access to greater expertise and resources. Indeed, in the UK, 55% of mid-sized organisations and 60% of large organisations rely on third parties to secure their operations. However, it would be wrong to assume that this option makes an organisation immune to cyber attacks. Organisations should look to take control of their cyber security now by examining their existing IT service supply chain.
When selecting an MSP or reviewing the capabilities of one already in place, organisations should begin by checking its security certifications. A simple and easy step, this shows if they’ve achieved any industry-recognised security certifications. Good ones to look out for are the government-backed Cyber Essentials Plus programme or an ISO 27001 certification.
The next step – especially when initially scouting for an MSP – is to check relevant case studies and references. All MSPs worth their salt should be able to provide their work history and demonstrate experience with cyber security. Check for awards that prove they have been recognised for their expertise – and especially keep an eye out for accreditations that are sector specific. One example is the Channel E2E list, which compiles the top 100 service providers for the financial sector.
Securing a complex network seems to be an impossible task, but risk can be reduced by focusing on key requirements such as introducing role-based identity controls, keeping systems updated, ensuring a high-quality security posture for the cloud services, keeping track of and addressing vulnerabilities, securing endpoints, and finally educating every employee on every level about cyber security. By addressing these factors, organisations can keep adversaries at bay.
However, in this ever-changing landscape of rising threats and new vulnerabilities, a trusted MSP, with specialist expertise in how to identify and mitigate risks, can help stop incidents from escalating into something that’s financially and reputationally disastrous.