By Darren Guccione, CEO and Co-Founder of Keeper Security
The financial services sector is one of the UK’s greatest exports – in 2021, it contributed £173.6 billion to the UK economy, which amounts to 8.3% of total economic output.(1) Such a valuable asset demands a high level of protection. Cyberattacks are one of the most significant threats to the sector, with the potential to trigger a serious financial crisis, compromise digital records and transactions, and undermine trust in the overarching financial system.
Organisations, therefore, have a duty to keep pace with bad actors by understanding how the cybersecurity landscape is transforming and how businesses are harmed if threats are not contained. This byline from Darren Guccione, CEO and Co-Founder of Keeper Security, examines the current state of cybersecurity in the UK financial services sector and explores how IT leaders in the industry can combat rising threats – from investment in tools and training, to establishing a healthier company culture.
A heavy price to pay
2022 ushered in the most challenging economic climate we’ve seen in decades, yet cybercriminals are not slowing down as businesses tighten their belts ahead of a recession. Our research reveals UK financial services organisations experienced an average of 39 cyberattacks in just the last 12 months – with one in 10 experiencing between 500 and 1,000 attacks. Almost a quarter (22%) experienced financial theft as a result of a cyberattack and, of those that had money stolen, 26% lost between £100,000 and £999,999. In a time of economic downturn, businesses simply cannot afford to place themselves at risk of such a monetary haemorrhage.
To make matters worse, the financial damage can merely be the tip of the iceberg for businesses that fall victim to a cyberattack. Reputational damage and disruption to trading, impacting their ability to do business overseas, can all inflict critical harm to a business in this turbulent economy. Alarmingly, almost a quarter (23%) of surveyed UK financial services organisations reported a loss of business or contract as a result of a successful cyberattack – illustrating the need for everyone in the UK financial services sector to make a concerted effort to strengthen their cyber defences.
Investment across the board
Knowing where to start can be the most difficult part. 99% of UK financial services organisations surveyed as part of our study reported that cybersecurity was important to the C-suite. Yet there are signs they might not be prepared for future threats, with just a quarter (23%) of IT leaders in these same organisations feeling their business is ‘very-well prepared’ to defend against cyberattacks.
Often, the simplest approaches are the most effective, such as improved training for employees. Many staff in modern workplaces have not undergone even basic cybersecurity training, leading to a significant skills gap and lack of understanding around the massive cybersecurity risk associated with poor basic hygiene. Cybersecurity training should be a requirement and formal onboarding step for existing employees as well as new starters. We were encouraged to see that 78% of respondents in the financial services sector have invested in bringing on new cybersecurity personnel in the past year and, of the changes implemented over the past year, increasing training (59%) was at the top of the list.
Beyond personnel, there is also a need to invest in the tools that finance companies are deploying as part of their cybersecurity strategy. Nearly half of those surveyed agree that the accelerated digital transformation due to the COVID-19 pandemic has sometimes led to overlooked security practices. However, there are positive signs in terms of a willingness to invest in cybersecurity defence. Of the IT leaders surveyed, we found high numbers of them intending to invest in password management technology (46%), zero-trust architecture (36%) and privileged access management (PAM) tools (28%).
It is important to note that the efficacy of budget increases and technological investments made by UK financial services will be limited if they ignore a crucial gap in their armoury. Many businesses are so preoccupied looking outward for danger, they forget that they also face serious threats from within. Keeper found that 86% of IT leaders in UK financial services have either experienced a breach from within their organisation or are concerned about the prospect of one, and for good reason: there is a worrying lack of knowledge about key security concepts amongst financial services teams.
The aforementioned training will help here, provided that leaders set an example from the top. It is evident that there is work to be done in this area, with 58% of financial IT leaders reporting that they’ve been aware of a cyberattack on their organisation, but kept it to themselves. If IT professionals want to protect against cyberattacks, they need to change this culture of secrecy. They must work to cultivate an environment of trust, transparency and accountability, in which every employee feels confident in stepping forward the moment an incident occurs.
Shoring up cybersecurity for the long term
The findings from our census report clearly demonstrate that IT leaders in financial services consider cybersecurity a top priority, though future investment is not being treated with the urgency it deserves. In challenging economic circumstances, the most effective means of addressing cybercrime will be better management. That includes cybersecurity training, database access through unique, non-shareable passwords, reporting cybercrime faster, and having managers with the expertise to oversee cybersecurity efforts holistically.
The need for faster response times to cyberattacks, better reporting of them and more robust software infrastructure is apparent. This, coupled with demand for stronger internal security hygiene, points to the need for a more long-term and strategic approach to dealing with cybercrime. The time to act is not after a devastating cyberattack occurs. The time to act is now.