New data obtained by RSM under a freedom of information request has revealed that financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA) in 2018, a huge rise on the 69 incidents reported in 2017. The retail banks were responsible for the highest number of reports (486), almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
In this study from RSM looking at Freedom of Information (FoI) data from 2017-2018, UK financial services firms reported 12x more cyber incidents to the Financial Conduct Authority (FCA) https://t.co/MTc6nyER7i
— CISQ (@it_cisq) July 1, 2019
Experts' Comments:
Anna Russell, VP at comforte AG:
Chris Miller, Regional Director UK & Ireland at RSA Security:
Chris Hodson, EMEA CISO at Tanium:
“While there’s evidence to suggest that at least some of this uptick is due to businesses getting better at reporting security incidents to the regulator, there’s a trend of computing devices being targeted by criminals to give them access to entire ecosystems. BlueKeep is a recent example of such a wormable threat, designed to exploit the IT infrastructure of companies without foundational security concepts in place.
“That’s why financial services firms must have visibility over all their IT endpoints – laptops, servers, virtual machines, containers, or cloud infrastructure – and maintain basic security hygiene practices, such as ensuring standard secure configurations on all devices, applying patches in a timely manner and improving the speed at which companies identify and respond to attacks.
“Our recent study found that over a quarter (28%) of UK CIOs and CISOs said that departments and business leaders work in silos, leaving them with a lack of visibility and control over IT operations. And this has directly affected the business, with the majority (83%) having found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result.
“With the number of attempted cyber-attacks only set to increase as attackers become more and more sophisticated, company-wide visibility and control of digital assets is the only way to truly stop cyber attackers firmly in their tracks and ensure resilience against business disruption across financial services firms.”
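The gap Hodson describes, a patch that the deployment console marks as rolled out but that never actually reached every device, is something a security team can check for directly by reconciling the console's claims against what each endpoint reports. The following Python script is an added example written for this page; it is not code from the page, from Tanium, or from any of the contributors quoted here. The host names, build numbers, the patch identifier and the 72-hour staleness threshold are all constructed sample data, not real values.

```python
"""Reconcile a patch-management console's "deployed" claims against what
endpoints actually report.

Added example; not code from the page or from any vendor. All host names,
builds and the patch identifier below are constructed sample data.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '10.0.17763.500' into (10, 0, 17763, 500) so builds compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Endpoint:
    host: str
    kind: str             # laptop, server, vm, container ...
    reported_build: str   # build the agent on the device actually reports
    last_seen_hours: int  # hours since the endpoint last checked in


# Constructed: what the deployment console claims (hypothetical patch id).
DEPLOYMENT_CLAIMS = {
    "PATCH-EXAMPLE-001": {
        "fixed_build": "10.0.17763.500",
        "marked_deployed_on": ["lap-01", "lap-02", "srv-01", "vm-03", "ctr-07"],
    }
}

# Constructed: what the endpoints themselves report.
INVENTORY = [
    Endpoint("lap-01", "laptop", "10.0.17763.500", 2),
    Endpoint("lap-02", "laptop", "10.0.17763.437", 5),    # still on an older build
    Endpoint("srv-01", "server", "10.0.17763.615", 1),    # newer than the fix: fine
    Endpoint("vm-03", "vm", "10.0.17763.500", 240),       # has not checked in for 10 days
]
# ctr-07 is marked deployed by the console but never reports at all.

MAX_STALE_HOURS = 72  # constructed threshold; tune to your check-in cadence


def reconcile(patch_id, claims=DEPLOYMENT_CLAIMS, inventory=INVENTORY):
    """Return host -> reason for every host the console says is patched but
    whose patched state cannot be confirmed from endpoint telemetry.

    Three distinct failure modes are reported, because each needs a
    different follow-up: no telemetry at all, telemetry too old to trust,
    and a reported build that is older than the fixed build.
    """
    claim = claims[patch_id]
    required = parse_version(claim["fixed_build"])
    by_host = {e.host: e for e in inventory}
    findings = {}
    for host in claim["marked_deployed_on"]:
        ep = by_host.get(host)
        if ep is None:
            findings[host] = "no telemetry: device not in inventory"
            continue
        if ep.last_seen_hours > MAX_STALE_HOURS:
            findings[host] = f"stale: last seen {ep.last_seen_hours}h ago"
            continue
        if parse_version(ep.reported_build) < required:
            findings[host] = (
                f"drift: reports {ep.reported_build}, needs {claim['fixed_build']}"
            )
    return findings


if __name__ == "__main__":
    for host, reason in sorted(reconcile("PATCH-EXAMPLE-001").items()):
        print(f"{host}: {reason}")
```

The design point is that "marked deployed" in the console is treated as a claim to be verified, never as ground truth: a device that is absent from inventory or whose last check-in is older than the threshold is reported as unconfirmed rather than silently counted as patched, which is exactly the blind spot the survey figures describe.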
Simon Rodway, Pre-sales Solutions Lead UK & Ireland at Entersekt:
“The industry, however, is all too aware of this trend and has been working towards providing suitable solutions for end-users, businesses, and organisations. Unfortunately, organisational inertia is a reality, which often means that implementing solutions like these can take more time than it should. Cost savings and reliance on legacy security measures with known weaknesses, such as SMS OTPs, for example, can also cause problems.
“Nowadays, high-profile cyberattacks often make the headlines. Especially in the financial industry, fraudsters are using increasingly sophisticated attack measures. They not only employ the latest technological innovations, but also make use of extensive organisational networks and structures to maximise impact. This means that prioritising security is becoming more important than ever, for financial institutions especially, and that traditional approaches need to be revisited — not only to keep up with attackers, but with end-users’ concerns and demands, too.”
Nigel Hawthorn, Data Privacy Expert at McAfee:
“Financial institutions must find the right combination of people, process and technology to effectively protect themselves from attacks and human error, detect any threats as soon as they appear and, if targeted, rapidly correct systems. This means redoubling efforts in training and managing user activities to quickly detect any unusual activity which may signal an attack as well as protecting against accidental errors from staff or partners. With the prospect of damaged customer trust and fines from the FCA or ICO looming as the result of a data breach, the stakes have never been higher.”
Ed Macnair, CEO at Censornet:
“For example, out of the types of successful cyber attack that the finance industry reported in 2018, phishing and credential compromise accounted for more incidents than malware, ransomware, and DDoS put together. While the latter three dominate the headlines, these figures show that it’s the oldest, and simplest tricks that still cause the most headaches for the finance industry. Human error also accounts for more incidents than the “advanced” attacks combined.
“The lesson: even in one of the highest regulated industries, companies would be in a much better position if they could simply get the basics right. They need to cover the main points of weakness, protect their staff, and ensure they don’t have the means or opportunity to put their organisations at risk. We can only hope that mandatory disclosure will spur these companies into action.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.