By Pete Bowers, COO at NormCyber
Great changes are afoot in the financial services sector after new operational resilience rules and guidelines came into force on 31st March 2022. These rules govern the actions businesses must take to prevent, adapt and respond to, recover and learn from various forms of operational disruptions, and require that firms are able to operate within their ‘impact tolerances’ by March 2025.
Crucially, as laid out by the Bank of England (BoE) and the Financial Conduct Authority (FCA), operational resilience now extends beyond simple business continuity and disaster recovery, into the realm of cyber security.
With the clock ticking for financial services organisations to demonstrate their cyber resilience to their customers, partners and regulators, there are three areas they should focus on to lay the foundations for success.
The three pillars of cyber resilience
Cyber attacks are one of the most severe disruptions for business operations, and can strike unexpectedly with devastating consequences for those ill-prepared to face them. According to data cited in Verdict, the volume of cyber attacks hitting the financial sector globally spiked 200 percent in 2020 alone, and the number of attacks is certain to have grown since then.
Maintaining adequate resilience against these risks comes down to the three pillars of an effective cyber security strategy, and only by having all three in alignment can the whole organisation remain structurally sound.
People as an asset, not a weak spot
When we think about potential weak spots from a cyber security perspective, they often stem from the people within a business itself, and their lack of knowledge about how to avoid pitfalls or report suspected incidents. For example, according to the UK government’s Cyber Security Breaches Survey 2022, out of the 39 percent of businesses which identified an attack in 2022, 83 percent reported that phishing attempts were the most common threat vector.
Phishing attacks notoriously exploit the ‘human factor’ – our brains’ natural instinct to trust the familiar and respond to pressure – so having staff capable of identifying phishing attempts is one of the biggest assets a financial services organisation can have today. The best way to ensure this is to provide them with the right training and test their knowledge in simulated phishing exercises, and do it in a regular pattern so that vigilance remains high at all times. This way, if a staff member is targeted by a phishing email, they will immediately know how to identify it as such and take the necessary steps to neutralise the threat.
As phishing remains a convenient and lucrative endeavour for malicious actors, businesses have no alternative but to arm people with the knowledge and confidence to tackle the challenge.
Processes in place keep attacks at bay
Secondly, processes must be put in place to ensure decision-makers know precisely what to do in the face of threats. However, such processes can be hard to define in isolation. Fortunately, the National Cyber Security Centre (NCSC) offers certifications including Cyber Essentials and Cyber Essentials Plus which focus on the main areas of concern for cyber resilience. These include managing firewalls, secure configuration, access controls and malware protection. If these processes are implemented successfully, the NCSC estimates that as much as 80 percent of attacks can be prevented.
Furthermore, certifications such as ISO27001 can help cover bases which Cyber Essentials doesn’t. For example, while Cyber Essentials tends to focus on data and programmes held on devices, networks and other parts of a business’s IT infrastructure, ISO27001 certification looks at all the data held by a business, whether it be on paper or in digital form.
Besides prevention, processes must also be in place to deal with the aftermath of a data breach or cyber attack. In these instances, relying on certifications alone won’t ward off operational disruption and a potential GDPR fine. Adequate operational measures must be in place so that the right people can decide on the appropriate course of action – from notifying the ICO to alerting customers and partners – which will always vary case by case.
Plugging in the right tech for the job
Finally, the right tools will play a crucial role in ensuring cyber and operational resilience. Gartner predicts that worldwide information security spending will grow 11.1 percent to a total of $187 billion in 2023, much of which will be spent on technology. All of this investment assumes a business has an abundance of skilled and dedicated staff to operate such technology. However, this isn’t always the case, especially amid shortages of both hardware and available workers.
Many businesses simply don’t have the resources to buy new technology or to take on new members of staff to fill their Security Operations Centres (SOCs). In fact, research shows only 44 percent of businesses have tools to monitor or record instances of breaches. As a result, one in four businesses are turning to external cyber security providers to meet their needs.
Not a case of if but when
Time and time again we’re shown it’s never a case of if but when a cyber attack will strike, so burying one’s head in the sand is simply not an option. Instead, businesses must implement full technical controls along with employee cyber awareness programmes and appropriate operational procedures. By having all three pillars of cyber resilience working in concert, businesses can move forward with the assurance that they are doing all they can to maintain operational resilience day in and day out.