The biggest areas of cyberattack vulnerability in 2022
Cyber criminals are ready to attack financial services businesses in a variety of ways. They could try to steal confidential information from your business, including personal client details, and then blackmail your business into paying to get it back. They might also hack into your business network and render areas of your operations unworkable by encrypting data and systems, then demand a ransom from you to get them working again. Often, they will target your employees, customers or suppliers, duping them into transferring money into a scam bank account. To commit any of these crimes, scammers first need to breach or bypass your security controls.
As a business that assesses the security provisions of hundreds of firms each year, and as we enter the second half of 2022, the vulnerabilities we are finding mean we can say with certainty that more firms will suffer cyberattacks before the year is out. Only those businesses that have taken steps to protect themselves will escape the damage cyber criminals can do.
You can help ensure your firm doesn’t fall victim by knowing where you are most vulnerable and taking steps to protect yourself.
The biggest areas of vulnerability for Financial Services firms
Hijacked email accounts
Many cloud-based email accounts fall victim to scams every day. Often, this is down to insufficient authentication that relies on a username and password alone, or to poor spoofing controls. We often run simulated phishing email attacks for clients, and usually over 20% of untrained staff will fall victim. When this happens in a real-world situation, usernames and passwords are stolen by criminals, giving them access to your systems. You should ensure your tech support team has SPF, DMARC and DKIM in place. If they look at you in a confused manner when you mention those acronyms, it’s time to worry!
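A quick way to see whether those three controls are actually doing anything, as an added example that is not from the original article: the script below grades SPF, DKIM and DMARC TXT records the way an assessor might, flagging the settings (a missing record, SPF `+all`/`?all`/`~all`, DMARC `p=none`, no reporting address) that still let spoofed mail through. The record strings are constructed samples and the DKIM key value is a placeholder.

```python
# Added example, not code from the original article: grade SPF, DKIM and DMARC TXT
# records as a simple spoofing-control check. Sample records below are constructed;
# real ones come from DNS TXT lookups of <domain>, <selector>._domainkey.<domain>, _dmarc.<domain>.

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_spf(record):
    """Findings for an SPF record; an empty list means nothing weak was seen."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published, so any host can send as this domain"]
    terms = record.split()[1:]
    findings = []
    # The final 'all' mechanism decides the verdict for senders not listed.
    alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    qual = alls[-1][0] if alls and alls[-1][0] in "+-~?" else "+"
    if not alls or qual in "+?":
        findings.append("SPF: unlisted senders pass (no all, +all or ?all); use -all")
    elif qual == "~":
        findings.append("SPF: ~all only soft-fails spoofed mail; prefer -all")
    return findings

def assess_dkim(record):
    tags = parse_tags(record or "")  # v=DKIM1 is optional; a usable key needs p=
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return ["DKIM: no usable public key at the selector, so outbound mail is unsigned"]
    return []

def assess_dmarc(record):
    """p=none publishes a policy that receivers do not enforce."""
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return ["DMARC: no record, so receivers never enforce SPF/DKIM alignment"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings

def assess_domain(spf, dkim, dmarc):
    return assess_spf(spf) + assess_dkim(dkim) + assess_dmarc(dmarc)
# Constructed sample: soft-fail SPF, no DKIM key, monitor-only DMARC (four findings).
WEAK_DOMAIN = assess_domain("v=spf1 include:_spf.example.net ~all", "", "v=DMARC1; p=none")
```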
Human error
In our experience, most successful cyberattacks involve human error at some stage. Criminals are using increasingly devious methods to trick employees into sharing sensitive information. Sometimes, all it takes is a click on a link sent to a mobile phone.
Use of weak, easily guessed passwords gives scammers an easy way in, as does reusing the same passwords for work and non-work digital activities. A tight rein needs to be kept on how information is transferred. With many companies we assess, we find traces of important data stored in Dropbox, Google Drive and WeTransfer. And if we can find it there, so can cyber criminals.
Untrained remote workers
The pandemic has ushered in an era in which remote or hybrid working is commonplace across financial services. That is great news for employees looking for more flexibility. It is great news for cyber criminals too, as anyone working outside the security of the office provides them with opportunities for attack. You should take steps now to review your cybersecurity provision as it relates to home workers. You can assess the effectiveness of your policies by watching this video.
Badly maintained technology
Many of the biggest cyberattacks of 2021 focused on this area, specifically on critical software patches released by suppliers that notified everyone (including criminals) about software flaws, leaving firms that had not yet applied the patches exposed. You can read about two of the biggest incidents here and here. But damage can be avoided by implementing a strong software patching regime at your firm, giving an individual or team responsibility for keeping a close eye on any issues that arise with the technology you’re using.
Insecure cloud set-up
Virtually every business is utilising the benefits of the cloud in one way or another. Scammers know this, so it’s important your cloud services are professionally set up and maintained, to help you retain control and have the best visibility of activity in this area. You can use this video to assess how secure your cloud is.
Your suppliers
2022 is predicted to be a bumper year for supply chain cyberattacks. That’s because third parties that deliver services to your business often form the weakest and most vulnerable points in your defences. Here’s an article from the National Cyber Security Centre that outlines the risks you may face.
Having outlined the areas in which your financial services company is likely to be most vulnerable, below is an action plan you can implement to shore up your defences for the second half of 2022 and beyond.
Cybersecurity action plan for Financial services firms – 2022
Start by carrying out a thorough cyberattack vulnerability assessment
It’s crucial to know where your biggest risks and weaknesses lie so these can be tackled first. Your weak points are likely to be in one or more of the areas listed above. Make sure you have considered what your firm is doing, and can do, to strengthen all of those areas. It’s important to assess where your most valuable and sensitive information is stored and to review your payment processes with cybersecurity in mind. Look into conducting vulnerability assessments, network security scanning or penetration testing, all of which will help you see the state of your security. We’ve developed an assessment tool you might want to try first.
Define your cybersecurity policy
You need to put down in writing how your firm intends to combat the risk of cyberattacks. This policy should cover key areas such as:
- Acceptable levels of personal use of work devices
- How employees are expected to behave in the digital sphere
- Access management – with a focus on authentication through use of passwords
- The do’s and don’ts of storing and transferring company information
- Your approach to software patching
- How you will carry out back-up testing and virus protection
Once you’ve agreed on the rules, communicate them clearly to your employees and ensure you have ways to measure compliance.
Close vulnerable areas
Ensure someone with suitable qualifications advises your business on how to securely configure your hardware and software. When we carry out security assessments, the three key areas we look into are:
- Patching – we ask critical questions such as: are Windows patches being deployed to PCs, laptops and servers on time? How long can a laptop safely remain in use before a patch is applied?
- Email login failures – who is being alerted to Office 365 suspicious login attempts? Are controls configured to restrict access?
- Anti-virus software – we look to see whether up-to-date software is installed on every device, and ask whether it can be switched off by individual users, whether its configuration is too ‘loose’, and whether someone is responsible for responding to critical alerts.
Train employees regularly
Keep your staff up to date with risks by investing in cybersecurity training. This, along with frequent simulated attacks, will keep cyberattack issues front of mind across your organisation.
Have emergency response procedures in place
A fast, pre-planned emergency response is vital to reduce the impact and damage of cyberattacks on your business. So, gather the key players in your firm together to formulate a response to events such as ransomware attacks. Write down what you agree and share it with the people who need to know about it.
Whether you’ve fallen victim to a cyberattack in 2022 or have so far managed to avoid them, the information above should help your firm move forward with confidence for the rest of the year and beyond.