Advice firm resilience against cybercrime – a concern for the FCA

ATEB’s Steve Bailey addresses a growing concern for the regulator and financial advice firms – cybercrime – and recommends a three-pronged approach to resilience against cybercrime.

With email being the largest single attack vector on the planet, keeping your organisation secure and productive is of utmost importance. So, what does that mean? It is three things:

1. Cyber Strategy: Includes implementing technology and best practices to secure your infrastructure and prevent hackers from gaining access.
2. Cyber security: The state or process of protecting and recovering networks, devices, and programs from any type of cyberattack.
3. Cyber resilience: Is your firm’s ability to withstand, respond to, and recover from a cyber-attack or data breach. For obvious reasons, the cyber resilience of regulated firms of all sizes is a concern for the FCA.

Cyber resilience is an evolving perspective that is rapidly gaining recognition. The concept essentially brings the areas of information security, business continuity and resilience together. Resilience is more than just preventing or responding to an attack—it also takes into account the ability to operate during, and to adapt and recover, from such an event.

So why is this important? Email attacks are on the rise, with the danger areas including:

• Internal email threats and data leaks from infected email attachments
• Ransomware;
• Phishing (the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers);
• Spoofing of business partners or vendors;
• Impersonation attack.

Protection basics

There are some basics that firms should adopt:

• Secure your Internet connection using a firewall;
• Secure your devices and software using the most secure settings and passwords;
• Control access to your data and services – staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Permissions should only be given to those who need them;
• Use encryption;
• Protect from viruses and other malware (malicious software) – anti-malware is often included for free within popular operating systems. These should be used on all computers and laptops.
  – Whitelisting can also be used to prevent users installing and running applications that may contain malware – the process involves an administrator creating a list of applications that are allowed to be installed. Any application not on the list will be blocked from being installed.
  – Sandboxing – a sandboxed application is run in an isolated environment with very restricted access to the rest of the device and networks, ensuring files and other applications are kept beyond the reach of malware.
• Keep your devices and software up to date – manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Applying these updates (as process known as patching) is one of the most important things you can do to improve security – set to ‘automatically update’ wherever this is an option;
• Manage your third-party suppliers – ensure that cyber security and legal language are added to any contract with the right to audit – remember you cannot transfer the responsibility so robust due diligence is essential;
• Use good detection systems and establish an effective monitoring regime.

Our view and suggested action

Firms should ensure they have good governance in place. Governance enables an organisation to control, direct and communicate their cyber-security risk management activities. Firms should:

• Put cyber risk on the executive agenda and ensure that good qualify MI is in place;
• Understand who could target your firm, why and how;
• Ensure the firm has an adaptable cyber resilience strategy in place – attackers adapt constantly in their techniques and your plan needs to do the same in terms of techniques, technologies and people;
• A continuity plan is in place that allows you to keep running without a hitch (other than that fire in the background your teams are diligently working to extinguish);
• Invest in training – this should be engaging and delivered persistently over time, concentrating heavily on helping employees to recognise and avoid email-borne attacks.

We recommend that firms consider what cyber resilience measures they already have in place, whether they adequate and how they might be improved.

Firms should be ready to respond and recover in the event of an incident. We would therefore suggest that firms create scenario-led exercises, to test the effectiveness of cyber defences.

Further guidance can be obtained via the National Cyber Security Centre (NCSC).