Cybersecurity Best Practices from the Man Who Wrote the Book

By Vera Romano
March 14th 2024 | 5 minute read

If cybercriminals can hack the corporate email accounts of Microsoft’s senior leadership team, what could they do to your cybersecurity defences?

Cybersecurity was once again the top concern for European banking Chief Risk Officers surveyed by EY and the Institute of International Finance, with 82% ranking cybersecurity risk as the biggest threat to their business over the next 12 months.

Financial market participants in the UK similarly deem cyberattacks the number one source of risk to the UK’s financial system, according to the Bank of England’s most recent Systemic Risk Survey. The proportion of respondents citing cyber risk is at the highest level ever recorded in the survey. Cyberattacks are also considered the most challenging to manage.

No escape from the cyber threat

Cybercrime has become a fact of life for every financial organisation. Arnaud Wiehe, who wrote The Book on Cybersecurity and has just released his new book Emerging Tech, Emerging Threats: A Cybersecurity Guide for Innovative Leaders, noted that it is not a question of if a firm will be attacked but when and how it deals with the situation.

Cybersecurity is a moving target. Hackers and other cybercriminals are determined, organised and sophisticated. And the threats shift and mutate, fast.

There is no perfect cybersecurity solution. But by following a three-legged stool of cybersecurity best practices, firms can minimise the risks.

1. Hardware

Legacy technologies are rife across the financial services sector, and those technologies have not aged well from a security perspective, observed Wiehe. Vulnerabilities are endemic, and cybersecurity teams must expend considerable time and resources trying to protect these aging technologies.

Moving to an IT infrastructure architected on modern, more robust technologies will limit the security vulnerabilities. For firms that don’t want the responsibility of managing that infrastructure in-house, employing a cloud-based or Software as a Service (SaaS) model that leverages the vendor’s security protections is another option.

Even the most modern architectures have vulnerabilities though, so performing ongoing threat detection and penetration tests is vital.

2. Software

Decommissioning unsupported software, or systems that are about to be sunsetted, is a priority.

The UK’s National Cyber Security Centre (NCSC) advises conducting an audit of the data and systems you manage. Understanding when systems will no longer be supported helps you better plan for upgrades and replacements, and avoid running vulnerable legacy applications. Ensure data is removed and corresponding accounts or credentials are disabled when decommissioning systems.

Managing third-party risk in the software supply chain is increasingly important, noted Wiehe. “Most software development now takes advantage of open source and other software libraries, so you need to manage the risks around that by carrying out a thorough vetting process to pick libraries of repute, then monitor them to ensure bugs and potential security threats are addressed.”

All software has vulnerabilities – some that are known, and some that aren’t. Dormant libraries that people have stopped maintaining pose a particular risk. But even with those that are being maintained, it’s essential to keep on top of any updates.

“Firms face a threefold challenge,” said Wiehe. “First is asset management, to keep track of what you are using. Second is vulnerability management, requiring constant scanning for vulnerabilities. And third is update management, to ensure any updates and security patches are applied as they’re released.”
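As an added example (not from the article or from Wiehe's books) of the threefold challenge above, combined with the NCSC's advice to know when systems fall out of support and the warning about dormant libraries: a constructed component inventory is checked against a constructed advisory feed, end-of-support dates and release activity, and a per-component action list is produced. Every name, version, date and advisory id is made up for illustration.

```python
from datetime import date

# Constructed asset inventory (asset management): what the firm actually runs.
INVENTORY = [
    {"name": "libalpha", "version": "1.4.2", "last_release": date(2024, 1, 10), "eol": None},
    {"name": "libbeta", "version": "2.0.0", "last_release": date(2021, 6, 1), "eol": None},
    {"name": "legacy-core", "version": "7.1.0", "last_release": date(2019, 3, 3), "eol": date(2023, 12, 31)},
]

# Constructed advisory feed (vulnerability management). Affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libalpha", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-EXAMPLE-0002", "name": "libbeta", "introduced": "2.0.0", "fixed": "2.1.0"},
]

AS_OF = date(2024, 3, 14)  # review date, fixed so the output is reproducible

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, advisory):
    """True when the installed version is inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def review_inventory(inventory, advisories, today, dormant_days=540):
    """Return {component: [actions]} covering patching, decommissioning and dormancy."""
    findings = {}
    for item in inventory:
        issues = []
        # Update management: which advisories apply and which release closes them.
        for adv in advisories:
            if adv["name"] == item["name"] and is_affected(item["version"], adv):
                issues.append(f"{adv['id']}: update to {adv['fixed']}")
        # Unsupported systems are flagged for decommissioning; otherwise check for dormancy.
        if item["eol"] is not None and item["eol"] < today:
            issues.append(f"unsupported since {item['eol']}: plan decommission")
        elif (today - item["last_release"]).days > dormant_days:
            issues.append("dormant: no release in over 18 months, reassess dependency")
        if issues:
            findings[item["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in review_inventory(INVENTORY, ADVISORIES, AS_OF).items():
        print(f"{name}: " + "; ".join(issues))
```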

APIs are another point of vulnerability. While APIs are essential to a modern IT environment by enabling easy third-party system connectivity and data transfers, essentially they are a piece of code, noted Wiehe. “So you have to manage the full software development lifecycle. That requires secure coding practices and a way to test for vulnerabilities. Within the APIs themselves are issues of who has admin access to an API and if there is two-factor authentication for sessions or requests. And if an API has a failure of some sort, how do you detect and fix it?”

3. People

“People should be at the heart of any cyber security strategy,” stated the NCSC.

Humans are both a strength and source of vulnerability. According to Verizon’s 2023 Data Breach Investigations Report, three-quarters of all breaches include a human element, whether via an error, privilege misuse, use of stolen credentials or social engineering scam. The three primary ways attackers access targeted organisations are through stolen credentials, phishing and exploitation of vulnerabilities, it said.

“Employees can accidentally expose data in many ways, such as incorrect sharing settings, falling for a phishing scam or connecting to unsecured Wi-Fi,” warned cybersecurity training company Infosec. The rise of remote work, where employees lack the office protections they may previously have had, could exacerbate breach risks.

At the same time, people can be one of the most effective resources in preventing or detecting incidents, said the NCSC, provided staff have the requisite skills and awareness training to recognise and guard against cyber threats.

“Using strong passwords, updating your software, thinking before you click on suspicious links, and turning on multi-factor authentication are the basics of what we call ‘cyber hygiene’ and will drastically improve your online safety,” noted the US federal Cybersecurity & Infrastructure Security Agency.

Getting all the technical, process, governance, and regulatory components that go into a robust cybersecurity framework right is challenging, especially for smaller companies that feel they cannot justify the cost of employing dedicated cybersecurity professionals to coordinate that, acknowledged Wiehe. This makes taking steps to get the basics right, if nothing else, all the more important.

About Arnaud Wiehe

Arnaud Wiehe is an author, speaker, consultant, and thought leader in cybersecurity. He has worked in leadership and cybersecurity roles for major global companies, including as a CISO for multiple years. He holds several prestigious cybersecurity certifications, including:

• Certified Information Systems Security Professional (CISSP)
• Certified Cloud Security Professional (CCSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• Certified Fraud Examiner (CFE)

Throughout his career, Arnaud has demonstrated a strong focus on cybersecurity best practices and keeping current with emerging trends, technologies, and innovation. He is a graduate of the Singularity University and a member of the Association of Professional Futurists. He is widely respected by his peers as an expert in cybersecurity and IT governance.

Arnaud is also an enthusiastic amateur musician and luthier. He plays the violin, viola, cello, and mandolin. He has made two violins, a viola, and numerous bows.

Vera Romano
Vera is responsible for driving Deep Pool’s overall marketing strategy. Vera is a qualified and proven marketer with 20+ years of experience at companies ranging from tech start-ups to large corporates, where she has led creative teams in developing and managing innovative brands through strategic campaigns to grow market share, sales and achieve targets.