Why financial institutions cannot rely on silver bullet solutions to combat cyber attacks
Financial institutions across Australia are finally waking up to the reality that cyber security threats and attacks are constantly evolving, and that the bad actors behind them are relentless. Those actors are also becoming more sophisticated in the tools and techniques they use to launch an attack.
Despite this, the Australian Prudential Regulation Authority (APRA) recently found there are still significant gaps in the industry’s approaches to this challenge. One of the most common gaps raised is incomplete identification and classification of critical and sensitive information assets.
Whilst financial institutions have increased awareness of attacks and the severity of the impacts to themselves and their customer base, APRA found banks, insurers and superannuation firms were not doing enough.
Recent research also highlighted heightened awareness among consumers about data security and the strong influence this has on whether they trust and engage with a business. With potential significant impacts to their customer base, financial institutions cannot afford to get this wrong.
Being aware of data risks and threats is simply not enough. Neither are siloed, one-off, or short-term solutions that do not actually reduce risk; they are nothing more than a momentary diversion. While it would be nice, there is no single silver bullet that can fend off all types of attacks.
Adopting appropriate countermeasures
As more companies make headlines for cyber breaches, it is clear that merely being aware that attacks may happen prevents nothing. Australian executives and Boards are still not taking cyber security seriously enough.
For SMBs alone, an often-cited figure holds that 60% go out of business within six months of falling victim to a breach. Most SMBs would not be addressing cyber security today through this lens, but it is a view they cannot afford to ignore.
For financial services enterprises, the risk of their share price tanking or their customers leaving in droves is obvious, and yet many still look for a quick and easy way out. Some, for example, are adopting backup solutions, assuming this will prevent breaches.
A backup solution is certainly vital as part of a comprehensive program. However, its functions and limitations need to be assessed across the business: a backup restores availability after destructive events such as ransomware, but it does nothing to stop sensitive data being stolen in the first place.
Further, unless the backup solution is linked with the other necessary measures across the organisation, it remains a standalone ‘silver bullet’, and that is simply not enough.
Seeing data as something that is simply collected and stored compounds an already significant business risk, one that continues to multiply with every additional piece of information the business is required to manage.
Instead, organisations need to manage data and content like they would any other asset, ensuring careful protections are implemented as part of a framework approach that doesn’t leave one section unguarded.
The first step is to treat data as having a full lifecycle – i.e. there is a beginning, middle and end, possibly with many steps along the way.
The beginning should involve backup and protection. Equally important are the end stages, where information must be destroyed, re-classified and managed differently after a certain period of time, or handled in some other way depending on its sensitivity or its purpose within the business.
The principle is simple: defensibly destroying data that is no longer required for business or legal purposes significantly reduces the impact of a breach, because data that no longer exists cannot be stolen.
Holistic approaches require company-wide buy-in
Adopting technologies and processes to ensure all data is appropriately identified, classified and managed throughout its lifecycle is only one part of the framework. The people within the organisation are critical to keeping a business’ information secure.
If the various teams are gathering and storing data in a way that does not align with the corporate standards, risks will continue to exist throughout the organisation despite expensive technology investments.
Everyone – from Board members and CEOs, to CIOs and risk officers – needs to be involved in, and accountable for, the processes and management of data and information.
Rather than expecting a new process added to an employee handbook will suffice, financial institutions need to invest in a culture of information responsibility that comes from the highest level of the organisation.
This could include training and education for every employee to ensure they truly understand the importance of secure information management, their role in keeping data safe, the risks of not following the right processes, and the need to call out colleagues who are acting in ways that create business risk.
It further includes ensuring ‘compliance by design’, meaning that users should not have to depart dramatically from their normal work processes to do the right thing. Making the right thing to do the easiest thing to do should be the mantra, for both policy and technology implementation.
As business leaders, Board members, and cyber security officers across the financial services sector continue to watch breaches and attacks being reported in the news, now is the time to prepare an end-to-end approach to prevention rather than simply hoping such an attack will not happen to them.
Put end-to-end technology solutions in place, treat data and information as having an end-to-end lifecycle that does not stop when it enters the business, and support employees across the entire business with the tools and knowledge to reduce risk regardless of their level of seniority or specialisation. Essentially, have an arsenal of bullets, rather than relying on the inadequate silver one.
Alyssa Blackburn is Director of Information Management, AvePoint