We respond to countless reports of cyber incidents each year, and most involve a significant lapse in judgment by end-users, system administrators, or people from both groups.
Remote work introduces new vulnerabilities
UK finance firms are relying more heavily than ever on employees working remotely. Any type of remote work requires more heavily mediated connections to a firm’s central business systems, and those connections are inherently more vulnerable to attack than local ones. The use of cloud-based storage solutions in place of local storage networks adds yet another layer of vulnerability.
We regularly find significant vulnerabilities across business systems associated with remote working. The most severe problems often lie in the home offices of remote employees. These problems are often behavioural. It may be natural to take a different, less vigilant approach to one’s computer use while at home, but when employees blur the line between professional and personal use of their devices, they expose their firms to phishing attacks and other forms of cybercrime. To a lesser extent, they are also technological. A poorly configured connection to the office intranet may be easily compromised by cyber criminals who know how to identify and exploit such connections.
A sophisticated threat demands a multi-layered response
No single factor can eliminate a system’s exposure to the effects of human error. A multifaceted approach, though, can create a highly effective defence against cybercrime while avoiding undue burdens on any single aspect of a firm’s operations.
Policy
The cornerstone of any firm’s cybersecurity plan is a simple definition of how employees may use its technology infrastructure. This is often easier said than done: a firm’s policies and processes must allow employees the freedom to complete their work while curtailing behaviours that place the firm at risk. Many firms, for example, allow staff to access their personal Google accounts from company devices—not explicitly, but because their policies do not address such use. The same applies to accessing company accounts and assets from personal devices. Each of these scenarios represents a serious vulnerability, and each can be addressed with clearly stated, adequately detailed, and roundly understood policies regarding the use of company equipment and data.
Training
We consistently find that employees who expose themselves to cybersecurity risks are unaware that they have done so. This is not a failure of common sense—it is a failure of training. It only takes one well-meaning but uninformed employee to grant a cybercriminal access to critical data, and our studies have shown that more than 20% of undertrained employees will fall for a simulated cyberattack. That figure becomes vanishingly small after employees are properly trained. Policy defines what firms expect from their employees, but only regular training can equip them to follow through.
Technical Controls
A firm’s cybersecurity policies should be reflected both in its employees’ training and in the configuration of its technology infrastructure. Most financial services firms keep their centralised technology resources up to date and adequately protected. That, we have found, is the easy part. Any element of a firm’s network can expose it to attack, including the computers and web browsers used by remote staff. Since operating systems and productivity software are designed for the widest possible audiences, they require significant customisation by cybersecurity specialists before they are truly safe for business use.
Governance
Sound policies, ample training, and thorough attention to technical controls are all essential. So is their constant upkeep. We regularly help firms whose security measures were brilliantly conceived and implemented at first, but that became less effective over time. This is the stuff of governance: the overarching set of policies that confirms the efficacy of current security measures, checks regularly to see that they are still sufficient, and refreshes them when necessary.
Financial services firms have always dealt in risk management, and cybersecurity is in many ways simply another form of that effort. The same people who drive a firm’s fortunes can be responsible for critical lapses in security. The measures listed above can engage everyone at your firm, whatever they do and wherever they work, in a concerted effort to keep risks low and productivity high. When employees understand that they are on the front lines, and that their contributions to the firm’s security help ensure that their work continues to have real meaning, we find that they are typically eager to meet the challenge.