By Caleb Mills, Chief Technical Officer at Doherty Associates.
An exploited cyber risk or vulnerability has the potential to end some firms, and the damage inflicted by cyber risk is not just commercial but reputational. Any cyber security risk can affect your company’s bottom line, harming your ability to innovate and gain momentum with your customers.
The recent cyber attack on JBS, the world’s largest meat processing company, caused the temporary closure of some operations in Australia, Canada and the US, with thousands of workers affected, and is likely to cause meat shortages and price rises for consumers.
Cyber criminals are more money motivated than ever, and whilst everyone remains a target, criminals are getting progressively more surgical in their strikes – with finance and private equity firms being a prime target.
A recent study by Doherty Associates found that half of UK private equity, investment and asset management firms have not carried out a cyber risk assessment since moving to remote working. Yet the move to hybrid working has removed an important control that most firms had in place: a firewall around their people and devices whilst in the office.
With employees working more dispersedly, and the shift to hybrid here to stay, the ‘attack surface area’ grows, leaving more places exposed for an attacker to take advantage of weaknesses.
Biggest concerns for finance firms
JBS paid an $11 million ransom to hackers to resolve its unprecedented cyber attack, so it’s no surprise that organisations handling greater financial transactions are the most targeted by hackers compared to other sectors.
From the findings of our latest report, a quarter of employees said they had been the victim of a data breach or caused one themselves since working remotely, with one in seven experiencing a phishing attack or similar.
Around a third of employees said they had had no cyber awareness training since the first national lockdown, and over two thirds admit to ignoring virus security scan requests or computer update alerts which play an important role in safeguarding their company’s systems and sensitive data.
While operating a remote workforce in the cloud has many benefits, it is critical to ensure that teams continue to operate safely, securely and are fully compliant with FCA regulations wherever they are working from.
Accounts should have multi-factor authentication so employees can keep their identity secure while working from home, and firms should build in comprehensive cyber awareness training for every employee – particularly when roles are hybrid or remote.
How to assess your cyber risk
Firms should carry out a cyber risk assessment at least every six months, including penetration testing, to detect any critical vulnerabilities or compliance issues.
Firstly, you should define your ‘crown jewels’. This may be your payroll information, portfolio analysis data, IP, client records or personal information – but you need to identify the key things that are most important to your firm.
To assess all risks and put adequate controls in place, you need to imagine the worst case possible that could happen to your business if a hacker were to exploit a vulnerability. If you don’t have a CISO, you can work with a security partner who will be able to provide insight into the threats that are out there – and how you can put the steps in place to protect your assets.
The shift to hybrid working and the new vulnerabilities that are exposed need special expert scrutiny, particularly since a lot of hybrid working capabilities were introduced rapidly to enable remote working due to COVID-19.
Assign each risk a monetary value, taking into account the potential reputational damage, compliance fallout, disruption to work, loss of data, business downtime and recovery costs.
Identify, Protect, Detect, Respond and Recover
Once you have exhausted a thorough list of the potential cyber risks of your company, it is time to decide how best to resolve them by creating a risk treatment plan.
The National Institute of Standards and Technology provides a framework to support organisations in understanding how they can prioritise cyber security activities and make informed decisions to safeguard themselves in the event a risk is exploited.
- Identify – Develop an understanding to manage risk to systems, people, assets, data and capabilities
- Protect – Implement appropriate safeguards to ensure delivery of critical services
- Detect – Develop and implement appropriate activities to identify the occurrence of a cyber security event
- Respond – Identify the actions needed in response to a cyber security event
- Recover – Maintain plans for resilience and restore any capabilities or services that were impaired due to a cyber security incident
As it is not possible to eliminate all cyber risks, you may decide to tolerate some risks for now – but it is important that you decide how comfortable you are with each potential risk, so that you can single out the ones that require further action.
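A worked example of the assessment steps described above, from ‘crown jewels’ through a monetary valuation of each worst case to a treatment plan measured against a risk appetite. This is added illustrative code, not from the article or from Doherty Associates; the likelihood weighting, the firm, the figures and the appetite threshold are all assumptions.

```python
"""Constructed cyber risk register: valuation, risk appetite and treatment plan."""
from dataclasses import dataclass, field

# Cost components the article says to take into account when valuing a risk.
COST_COMPONENTS = ("reputational", "compliance", "disruption", "data_loss",
                   "downtime", "recovery")


@dataclass
class Risk:
    asset: str           # the 'crown jewel' at stake
    scenario: str        # worst case if a weakness is exploited
    likelihood: float    # assumed annual probability of exploitation (0..1)
    costs: dict = field(default_factory=dict)   # GBP per cost component

    def impact(self) -> float:
        """Monetary value of the worst case, summed over the components."""
        return sum(self.costs.get(c, 0.0) for c in COST_COMPONENTS)

    def expected_loss(self) -> float:
        """Impact weighted by likelihood (an assumed weighting, not from the article)."""
        return self.impact() * self.likelihood


def treatment_plan(risks, appetite: float) -> dict:
    """Split risks into those tolerated for now and those needing further action,
    ordered so the largest expected loss is treated first."""
    plan = {"treat": [], "tolerate": []}
    for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True):
        bucket = "treat" if r.expected_loss() > appetite else "tolerate"
        plan[bucket].append((r.asset, r.scenario, round(r.expected_loss())))
    return plan


# Constructed register for a small investment firm; every figure is illustrative.
REGISTER = [
    Risk("client records", "phished credentials on an account without MFA", 0.30,
         {"reputational": 250_000, "compliance": 150_000, "recovery": 40_000}),
    Risk("payroll data", "ransomware on an unpatched home laptop", 0.15,
         {"disruption": 80_000, "downtime": 120_000, "recovery": 60_000}),
    Risk("portfolio analysis", "unencrypted USB stick lost in transit", 0.05,
         {"reputational": 30_000, "compliance": 20_000}),
]

if __name__ == "__main__":
    # Risks whose expected loss exceeds the appetite land in "treat".
    for bucket, items in treatment_plan(REGISTER, appetite=10_000).items():
        print(bucket, items)
```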
To realise the benefits of hybrid working, employees need virtual access to all the documents and files needed to do their job. Because of this, some security controls will make it harder for employees to work remotely and could hinder productivity. This is where it is important to reduce exposure with extra layers of protection: holding cyber awareness training for employees, obtaining cyber insurance, ensuring adequate early detection and response, and only using security partners you can trust.
There is a balance to strike when setting your risk appetite, particularly for firms that are considered higher-risk targets. By regularly conducting cyber risk assessments and empowering your employees with the knowledge to identify threats from afar, you will be well on your way to creating a more secure organisation that is ready to leverage the hybrid workplace.