Is there an answer to the onslaught of cyber attacks faced by financial services firms? Shannon Simpson, cyber security and compliance director at Six Degrees, suggests an outsourced approach as one way to address security challenges
Financial institutions are under siege, falling victim to cyber security attacks 300 times more frequently than businesses in other industries. The growth in the volume and sophistication of cyber-threats, combined with tightening regulations, means that financial institutions are having to step up their security postures significantly.
Meeting contemporary cyber-threats head-on requires a high level of staff awareness and training, along with well-defined processes and sophisticated security systems that need to be closely monitored and managed. In addition, financial institutions deal with highly confidential data that needs to be stored and managed securely and in a compliant manner without unduly impacting on agility and business as usual (BAU) requirements.
This is no small task. When it comes to prioritising and strengthening cyber security, one logical approach that may just be the answer for many financial institutions without the skills or the depth of resource to manage their security posture is to work with a partner that has the right combination of technology and services.
But where to start, and what to look for?
Financial institutions are increasingly looking to work with technology partners that can deliver the full spectrum of IT managed services and support. Evolving cyber-threats are forcing managed service providers to re-evaluate their security offerings, which is leading to improvements in the outsourced security options available to financial institutions.
However, not all technology partners are equal when it comes to financial institutions’ unique needs. Here are five considerations that businesses in the finance sector should weigh before outsourcing their cyber security function.
- Choose a technology partner that can provide support throughout the security journey. The right technology partner should support the organisation, from initial advice on what needs to be done, through the implementation of best practices to compliance testing and remediation. They should help to identify gaps in people, processes and technology, and help to test against vertically-aligned compliance regimes.
- Ensure that the prospective technology partner is vertically aligned. Every sector has its own unique security requirements and technology drivers. This is especially true in the finance sector, where technology providers will be expected to engage with investors and to support any engagement needed with regulatory bodies.
- Establish a security posture in relation to peers. Many financial institutions find it beneficial to benchmark their security posture against their peers, especially at board level. Where this is relevant to the organisation, ensure that the work undertaken with a technology partner is able to provide this benchmarking information.
- Build a picture of cyber security risk and maturity, and make better business decisions. Look for a technology partner that will help to continuously make prioritised, actionable cyber security decisions to improve business resilience, while adapting to emerging business objectives, changing technology and the evolving threat landscape. Remember that this partner will be a third-party supplier and will itself present a risk. Any organisation’s risk management processes should be robust enough to determine whether risk is reduced or increased by the use of a third party, based on the data and access in question. A good partner will help with this.
- Check security accreditations. It should go without saying, but when it comes to security a technology partner should practise what they preach. ISO 27001 and Cyber Essentials Plus are a minimum (though the scope of these certifications should be checked); PCI DSS (if credit card data is involved) and PSN Service Provider (public sector) are mandatory in their respective fields. However, it’s more important to check firsthand – ask to see recent penetration test results, network designs, security policies and physical sites.
Hardening the security posture of a financial institution and guarding against cyber-threats can be made significantly more straightforward by working with an experienced technology partner. Choosing the right one requires appropriate diligence, and this is especially true for financial institutions dealing with unique pressures from investors, regulatory bodies and ever more cunning and resourceful cyber criminals. It may seem onerous, but making the right choice of a partner means being equipped with what is needed to tackle today’s cyber-threats head on.
Written by Shannon Simpson, cyber security and compliance director at Six Degrees