With cybercrime now an organized criminal business, Simon Eyre, head of Europe, Drawbridge, looks at how financial services companies can better keep their clients’ data and money safe.
The familiar adage that “every organization is a target” when it comes to cyber-attacks, solidifies its place as an undeniable truth for companies in all industries each year. In spring we saw what could be one of the biggest cyberattacks of 2021. When thousands of companies were compromised due to the exploitation of flaws in the Microsoft Exchange Server email software, organisations across the globe were once again faced with the reality that the modern cybercriminal will use any opportunity to gain leverage in the cyberspace and get a monetary advantage.
Today’s criminal is capable, skilled, and always following the money. This is what makes the financial industry a tempting target, with alternative investment firms increasingly being targeted by criminals. Very recently, Sequoia Capital, one of the largest venture capital firms in the world, was successfully phished with sensitive data being exposed to criminal eyes.
So, what can companies do to prepare their organisations for an impending cyberattack?
No one-size-fits-all
It is tempting to bolt-on the latest technology on the market, and trust that the product will do ‘what it says on the box’. When constructing a robust cybersecurity program, to avoid investing in cybersecurity plans that are seemingly ‘one size fits all’, focus should first be on evaluating the cybersecurity landscape and understanding the most common threats and potential attack vectors.
The firm’s leadership and cybersecurity team should identify what factors would make their business a target and why they would be at risk, as well as consider the types of cyber-attacks their peers have experienced. Ask questions such as: “What kind of breaches and attacks are happening in the industry to firms of our size and strategy?”, “How are other firms mitigating these risks and how can our fund do the same?” and “Where are the cracks in the technical armour?”
During this process, they should consider what data is most important to their business. What are the crown jewels? Consider where this data is stored, who has access to it, how it is transmitted and whether vendors process it. Never underestimate what might be of value to a cybercriminal. The most important data can include corporate data, communication records, or personal data of staff and investors.
Prioritise protecting data and protecting against the most likely attacks that would disrupt the business.
Plenty of phish in the sea
Phishing remains a weapon of choice for the modern cybercriminal. In 2020, we saw a number of attacks occur via social engineering, voice/email phishing and impersonation. One notable example is the unfortunate set of events that set in motion the eventual closure of Levitas, an Australian hedge fund. After sending a fake Zoom invite and it being accepted, hackers planted malware and gained control over an executive’s email, leading to the approval of $8.7M in fraudulent invoices. Shortly after, the firm’s largest investor pulled their planned investment, resulting in the fund being scheduled to wind down.
What can we learn from this? Any employee could fall victim to a phishing attack, as these emails, calls and invites are carefully crafted and virtually indistinguishable from the real deal.
An important mitigation strategy is to invest in high quality staff awareness training that goes beyond ticking boxes on a generic on-demand course and tests. Training programme should be relevant to the business, the work environment, and its risks, as well as the systems in use. Standard template training is insufficient in preparing staff for the delicately created and convincing attacks of cybercriminals.
A balanced blend of staff training and technology
Most cybersecurity experts would agree that defense in depth is critical. This means that the hedge fund’s technology and staff should work in harmony to achieve the highest degree of protection for the firm.
Many cyberattacks, especially phishing, have time on their side. Once an employee has been convinced to click on a link, criminals will lurk in the background and look for vulnerabilities within the business. To address this issue, in addition to employee training, companies should invest in a vulnerability management solution that helps discover weaknesses within the system. Companies should continually perform vulnerability management with recurring penetration testing of their environment to ensure the safety of their data and uninterrupted service.
The importance of vendor management
Most firms today work with a network of independent partners or vendors that support the running of their operations. This often complex spider’s web increases the likelihood of a successful cyberattack with each new silk thread. Why? Criminals will not always go for the bullseye, but rather compromise a target that might have weaker defenses and use their network as a steppingstone to another firm’s valuable data. This is one of the reasons why regulators and investors are hyper focused on vendor due diligence. To minimise risk, companies should hold vendors to the same cybersecurity standards as the business itself. Remember, your firm’s network is only as secure as the weakest vendor with access to your data. Extensive due diligence of third parties should not be optional – it is required.
Criminals continue to be attracted to valuable data, and financial services companies can expect to be increasingly targeted due to the nature of their business and the transactions they process. To avoid financial and reputational damage due to a cyber-attack, as well as ensure regulatory compliance while navigating a complex regulatory environment, companies must invest in and develop a robust cybersecurity program that is tailored to their operations.
By focusing on the most important data, most likely attacks and equally investing in people and technology, companies can help can protect their business, while building a reputation as a reliable partner in the industry.
