As a lynchpin of the UK’s economy and a vital part of its infrastructure, the financial sector is (unsurprisingly) a big target for cyberattacks. A recent study by data security company Clearswift affirms this, revealing that 70% of finance companies in the UK suffered a cyber incident over a recent 12-month period.
You’d expect then, with such a huge target painted on you, that many finance firms would have the very best cybersecurity strategies in place. Unfortunately, this expectation is woefully off the mark.
UK Cybercrime Focus: Finance Organizations
Last year alone, there was a reported 1000% increase in cyber incidents within the UK financial sector. You may recall that Tesco Bank was fined £16.4 million by the FCA in 2018 as a result of a cyberattack that happened in 2016, leading to £2.26m being stolen from personal current accounts.
In 2017, cybercriminals were able to access records of roughly 270,000 Wonga customers across the UK and Poland. The customer data illicitly accessed at the payday loans company included bank account details, sort codes, addresses, phone numbers, email addresses and more. Wonga released a statement acknowledging that cyberattacks were 'on the rise' and 'unfortunately becoming increasingly sophisticated'. HSBC, Halifax, and Bank of Scotland have all experienced similar cyberattacks.
In the wake of a number of blistering cyberattacks across the UK financial landscape, Megan Butler, the Executive Director of Supervision at the Financial Conduct Authority (FCA), stated in November 2018 that:
"It is a major concern that a lot of financial firms still seem to be trying to get the basics right on cyber. We’ve found that a third of firms do not perform regular cyber-assessments. And whilst most know where their data is, they describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time, and only the largest firms have automated their detection systems to spot potential cyber-attacks. Smaller firms are generally relying on old school, manual processes - or no processes at all."
Some very strong and concerning words, but what can financial organizations start doing to better their defence against malicious attackers?
UK Finance Sector: Improving Adoption & Awareness of Cybersecurity
Before going into actionable methods to improve security within the UK finance sector, let’s understand a little more about where and how the problems are arising. The same Clearswift study mentioned above also found that nearly half (43%) of security incidents within the financial sector are caused by employee failure to follow company data protection policies. Other key causes of security incidents include the introduction of malware and viruses via third-party devices (32%), file and image downloads (25%), and employees sharing data with unintended recipients (24%).
Most organizations are having a difficult time managing privileged insiders and third-party vendors. Almost half use manual processes to control privileged identities, which simply isn't scalable. Our very own 2019 Privileged Access Threat Report highlights the fact that 58% of organizations believe it likely they have suffered a breach due to vendor access, and 64% say employees caused breaches – which only goes to further underscore Clearswift’s findings.
With all of this in mind, how can we ensure that human error is minimized and, should it occur, the potential ramifications are mitigated efficiently?
Achieving Least Privilege to Mitigate Threats
One of the first, most important things UK finance organizations need to understand is that the weakest link in their security often starts with employees. This weakness comes in a variety of forms – from poor password hygiene, to a weak understanding of social engineering techniques (phishing emails and scams). Whether intentional or not, giving your employees administrator rights puts your systems and data on the fast track to being compromised.
The obvious problem that comes with limiting user rights, though, is that access and a general ability to be productive can become an issue. If not managed correctly, IT helpdesks can be swamped with requests to grant simple access to systems or files. The balance between security and productivity, specifically within a fast-paced, high-growth environment like the finance sector, always seems to be a trade-off. And apparently, for many UK finance organizations, a trade-off they aren’t willing to make.
The solution is simpler and more effective than many organizations realize. By creating a least privilege environment, which is essentially removing unnecessary admin rights and giving users just enough access to do their jobs productively, you can sharply reduce the attack surface. The most recent Microsoft Vulnerabilities Report validates this reasoning, as 81% of all Critical Microsoft Vulnerabilities discovered in 2018 would have been mitigated if admin rights had been removed.
Privileged Access Management (PAM) as a solution achieves this through several steps. And while this is by no means an exhaustive list, below are three key features of an effective PAM solution:
- Lock down and control credentials: Find, manage, and monitor privileged accounts/assets, and automate privileged password and session management.
- Remove excessive end-user privileges: Control and monitor privileged activity on Windows, Mac, Unix, Linux, and network devices, remove excessive privileges without impacting productivity, and enforce granular application control.
- Protect internal and vendor remote access: Secure, manage, and audit remote access from third-party vendors and internal employees with privileges, such as the service desk.
By taking such measures towards reducing privileged access and controlling visibility over your environment, organizations of all sectors can significantly reduce their risk of becoming a victim of a breach. 90% of the organizations we’ve interviewed confirmed that with fully integrated PAM tools, they are confident they can identify specific threats from employees with privileged access.
In summary, implementing a holistic Privileged Access Management solution gives finance companies back control over their systems and data, while still empowering employees to fulfil their roles efficiently and securely.
Jonathan Clarke, Content Marketing Manager
With a Master's Degree in English Language and Media, Jonathan has a genuine passion for producing compelling and thoroughly researched cybersecurity content. Coupled with a B2B agency background, he is adaptable to a wide range of industry topics, and also looks after BeyondTrust's Public Relations and social media channels. A huge animal lover, he is the proud 'father' of Simba, a very hyperactive German Shepherd dog.