Connect with us

Technology

WHY RANSOMWARE READINESS IN THE FINANCE SECTOR IS CRITICAL

Source: Finance Derivative

By Piers Wilson, Head of Product Management at Huntsman Security

Ransomware attacks have been making headlines recently. From AXA to CNA Financial, no part of the finance sector is impervious to the risks. For many organisations, initial worries focus on the logistics and the cost of a ransom, however, the wider damage and costs increasingly relate to rectification, revenue loss and reputational damage. Attacks, such as in the Kaseya case, have also shown the increasing risks that “trusted” service providers and 3rd party supply chain participants can bring – multiplier effects that can quickly  impact one million endpoints, with a ransom set at US$70m.

The network effect in the financial services sector benefits all stakeholders – from institutions to consumers. The increase in shared data and services, however, compounds the risks of successful cyber attacks. And, as we have seen with the impact of ransomware on pipelines and even food processors, the impact on organisations, and individuals, of being locked out of systems is huge. If customers cannot access funds or transact with service providers across the supply chain, anxiety and costs can escalate and commercial reputations quickly trashed.

An easy way out?

Businesses might have once seen the payment of a ransom as a potential ‘quick fix’ to the problem of ransomware attacks. This option, however, is now likely to become a thing of the past as bans on ransom payments are being contemplated in France and in the US by the SEC and OFAC. . In Australia, there are calls for mandatory notifications of ransom payments by ransomware victims.

Finance sector organisations also need to consider that even when ransoms are paid, the decryption process and returning to business as usual can be so slow that the ability to reinstate operations from their own internal backups and security safeguards can be achieved in the same time. As the scale of attacks and disruption of those impacted by supply chain ransomware attacks escalates, the message is increasingly that time is of the essence. If you can’t trust the decryption key from an attacker, then you are best advised to invest your time and effort in reconstructing, reconfiguring and securing your IT systems and services from the ground up so as to be confident in their integrity.

Despite the possibility that the payment of ransoms will become unlawful, cyber insurance will remain an effective tool for organisations to fund the process of getting back up and running quickly and reducing disruption. Insurers are demanding that prior to issuing a cyber policy, organisations must now show evidence of their having adequate cyber security controls in place. In fact, growing ransomware threats make it likely that insurance premiums will increase even further, so getting verifiable cyber risk management capabilities in place is likely to move even further up the list of board priorities.

A challenging environment

The financial sector also faces some other more particular challenges. Many financial institutions hold vast amounts of personal data, whether on accounts, transactions, users or reports. Complicating this is open banking legislation, like PSD2 in the UK/EU and CDR in Australia, which requires that the process of customer approved sharing of their personal data, is easy and accessible. These rights for consumers to have their personal information held and transmitted between financial sector participants will necessarily redistribute the responsibilities for cyber security in the sector and as a result, increase the levels of cyber security risk during this period of adjustment to a changing environment.

The financial services sector is already – and indeed, always has been – an attractive target for criminals at all levels. The requirement that customers have greater control over access to their data adds the requirement for whole new level of ransomware readiness. Organisations could face anything from disgruntled employees, to fraud, to criminal ransomware attacks seeking to enable the wholesale theft of personal data. The stakes couldn’t be higher; so what can the sector do to protect itself?

Preparing for ransomware attacks

Putting in place anti-virus software and network defences – alongside the rise of endpoint detection and response – can certainly help manage attacks. But these solutions rely on detecting malicious activity in the first place. What if your endpoint or network solution misses the attack, without warning? Do you have visibility into what’s happening? Are there other controls in place that can mitigate the threat? Are they monitored and managed as part of an IT risk management program?

More attention must be given to preventing or at least limiting successful ransomware attacks before they do serious damage.  Getting the basic cyber security controls in place and working to protect recognised threat vectors, really pays dividends as these are precisely the weaknesses that ransomware attackers are likely to exploit.

There are three areas to focus on. The first two are the prevention of any initial infection and containment or limitation of the spread if one does occur. These strategies need to be coupled to a third, recovery, which ensures systems and data can be restored and an incident can be successfully managed. The core principles of effective risk management apply – identify and triage the risks and manage them accordingly.

There are some key safeguards organisations can adopt to support each of these elements:

Prevention

  • Application control – ensuring only approved software can run on a computer system, securing systems by limiting what they can execute.
  • Application patching – applications must be regularly updated to prevent intruders using known vulnerabilities in software.
  • Macro security – checking that macro and document settings are correctly configured and to prevent the activation of malicious code.
  • Harden user applications and browsers – use effective security policies to limit user access to active content and web code.
  • Firewalls/perimeter – and even physical on-site security – limit user access outbound and remote connections inbound.
  • Staff awareness – while not a technical control, building a “cyber culture” and a better understanding by staff of cyber security, the threats and mitigation strategies that can minimise cyber attacks, is vital.

Containment

  • Restrict administrative privileges – limit admin privileges by allowing only those staff needing to access systems to do so, and then solely for specified purposes and within controlled access.
  • Operating system patching – fully patched operating systems will significantly reduce the likelihood of malware or ransomware spreading across the network from system to system.
  • Multi-factor authentication – used to manage user access to highly sensitivity accounts and systems (including remote users).
  • Endpoint protection – install anti-virus software and keep it updated.

Recovery

  • Regular backups – secure data and system backups off-site and test your recovery processes.
  • Incident response – in planning for a worst case scenario make sure everyone is well versed in the incident management playbook.

Gaining assurance in controls

Businesses must make sure they are monitoring their security controls to ensure that they are working effectively. If one control is ineffective, the IT teams need to know quickly to mitigate any shortcomings and reinstate an adequate cyber posture. A “cyber security culture” that ensures these risks are a board level issue will improve overall corporate ransomware preparedness.

The board should receive reports that provide clear visibility of these controls, and leverage these KPIs as part of their cyber security risk management process. They can be used as part of a continuous cyber security improvement program. Being able to monitor readiness and assess the risk of attack provides early warning defence and confirmation that cyber security risk management processes are in hand.

Summary

The financial services sector faces many challenges when it comes to putting in place comprehensive cyber security risk management practices. If a bank or insurer was affected by a significant ransomware attack, the wider implications on the economy could be significant. Recent fuel shortages resulting from the Colonial Pipeline incident gave us a glimpse of the resulting widespread public panic and concern. It was reminiscent of the run on Northern Rock bank branches in the UK in 2007, at the start of the financial crisis. It doesn’t take much to imagine the level of public panic that would ensue if a massive ransomware attack locked consumers out from accessing their funds.

Organisations in the sector must have comprehensive cyber defences and controls, backed up by regular monitoring to make sure they are working effectively, and ensure that if one control fails to identify or prevent an attack, other complementary controls are operational and able to limit its impact.

That way the risk of a successful attack can be minimised, and organisations can maintain effective IT governance to better prevent costly disruption to their systems, operations and reputations.

Related Topics:
Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Business

Why email marketing remains one of the best forms of digital marketing

Crafting a strong email marketing strategy involves a real balance between creativity and making data-driven decisions, which, is just one of the roles undertaken by marketing and data company Go Live Data on behalf of its many clients.

Guiding some of the biggest corporates in the UK including Amazon Business, AxA and Premierline Business Insurance, Adam Herbert, CEO of Go Live Data, advises on the key components to a successful email campaign and why as one of the most effective marketing tools available, email still plays a crucial role in digital marketing:

Forming a direct means of communication, emails provides a and two-way access between businesses and their customers. And it may sound obvious to say, but unlike social media or other digital channels, every email allows marketers to reach their audience straight into their inbox, and this is where individuals are most likely to engage with the content they’re being shown.

Offering a high return on investment,  emails consistently deliver one of the highest ROI’s compared to other forms of digital marketing such as PPC and advertising. According to studies, the average is around £40 for every £1 spent, which is huge; and due to the low cost of email, its ability to drive conversions and to retain customers.

What’s more, with email segmentation and many personalisation techniques available, marketers can tailor their messages to specific groups of their audience, based on demographics, their behaviours, interests, and purchase history making them not only very targeted, but personalised too. The key is to deliver relevant content to subscribers, which means marketers can increase engagement, conversions, as well as customer satisfaction.

There are specific platforms which allow for automation, giving marketers the ability to set up automated workflows triggered by user actions and also means that marketers can deliver timely and relevant messages at scale, by nurturing leads, as an effective way to guide customers efficiently through the sales funnel.

Emails are also an excellent way to build customer relationships, by nurturing over time. By consistently delivering valuable content, exclusive offers, and personalised recommendations, businesses can strengthen the ‘bond’ with their audiences and increase brand loyalty. Email provides a means of two-way communication, which allows customers to send in their feedback, to ask any questions they may have and to  engage with a brand directly.

They are also a great way to drive traffic to your website, blog and social media, or any other digital channels connected to your business. By including attractive or compelling calls-to-action (CTAs) and relevant content, you can encourage subscribers to take action such as making a purchase, signing up for a webinar, or downloading a resource, which in turn will drive conversions and revenue for your business.

Email platforms offer substantial analytics and reporting functions that enable marketers to track the performance of their campaigns in real-time. Monitoring of key metrics such as open rates, click-through rates, conversion rates, and revenue generated, allows marketers to measure the effectiveness of their campaigns and of course make data-driven decisions to optimise and plan future activities.

Overall, emails are an integral component of a digital marketing and by leveraging email effectively, businesses can engage their audience, nurture leads, drive sales, and ultimately grow their businesses.

Continue Reading

Business

Conflicting with compliance: How the finance sector is struggling to implement GenAI

By James Sherlow, Systems Engineering Director, EMEA, for Cequence Security

GenerativeAI has multiple applications in the finance sector from product development to customer relations to marketing and sales. In fact, McKinsey estimates that GenAI has the potential to improve operating profits in the finance sector by between 9-15% and in the banking sector, productivity gains could be between 3-5% of annual revenues. It suggests AI tools could be used to boost customer liaison with AI integrated through APIs to give real-time recommendations either autonomously or via CSRs, to inform decision making and expedite day-to-day tasks for employees, and to decrease risk by monitoring for fraud or elevated instances of risk.

However, McKinsey also warns of inhibitors to adoption in the sector. These include the level of regulation applicable to different processes, which is fairly low with respect to customer relations but high for credit risk scoring, for example, and the data used, some of is in the public domain but some of which comprises personally identifiable information (PII) which is highly sensitive. If these issues can be overcome, the analyst estimates GenAI could more than double the application of expertise to decision making, planning and creative tasks from 25% without to 56%.

Hamstrung by regulations

Clearly the business use cases are there but unlike other sectors, finance is currently being hamstrung by regulations that have yet to catch up with the AI revolution. Unlike in the EU which approved the AI Act in March, the UK has no plans to regulate the technology. Instead, it intends to promote guidelines. The UK Financial Authorities comprising the Bank of England, PRA, and FCA have been canvassing the market on what these should look like since October 2022, publishing the results (FS2/23 – AI and Machine Learning) a year later which showed a strong demand for harmonisation with the likes of the AI Act as well as NIST’s AI Risk Management Framework.

Right now, this means financial providers find themselves in regulatory limbo. If we look at cyber security, for instance, firms are being presented with GenAI-enabled solutions that can assist them with incident detection and response but they’re not able to utilise that functionality because it contravenes compliance requirements. Decision-making processes are a key example as these must be made by a human, tracked and audited and, while the decision-making capabilities of GenAI may be on a par, accountability in remains a grey area. Consequently, many firms are erring on the side of caution and are choosing to deactivate AI functionality within their security solutions.

In fact, a recent EY report found one in five financial services leaders did not think their organisation was well-positioned to take advantage of the potential benefits. Much will depend on how easily the technology can be integrated into existing frameworks, although the GenAI and the Banking on AI: Financial Services Harnesses Generative AI for Security and Service report cautions this may take three to five years. That’s a long time in the world of GenAI, which has already come a long way since it burst on to the market 18 months ago.

Malicious AI

The danger is that while the sector drags its heels, threat actors will show no such qualms and will be quick to capitalise on the technology to launch attacks. FS2/23 makes the point that GenAI could see an increase in money laundering and fraud through the use of deep fakes, for instance, and sophisticated phishing campaigns. We’re still in the learning phase but as the months tick by the expectation is that we can expect to see high-volume self-learning attacks by the end of the year. These will be on an unprecedented scale because GenAI will lower the technological barrier to entry, enabling new threat actors to enter the fray.

Simply blocking attacks will no longer be a sufficient form of defence because GenAI will quickly regroup or pivot the attack automatically without the need to employ additional resource. If we look at how APIs, which are intrinsic to customer services and open banking for instance, are currently protected, the emphasis has been on detection and blocking but going forward we can expect deceptive response to play a far greater role. This frustrates and exhausts the resources of the attacker, making the attacks cost-prohibitive to sustain.

So how should the sector look to embrace AI given the current state of regulatory flux? As with any digital transformation project, there needs to be oversight of how AI will be used within the business, with a working group tasked to develop an AI framework. In addition to NIST, there are a number of security standards that can help here such as ISO 22989, ISO 23053, ISO 23984 and ISO 42001 and the oversight framework set out in DORA (Digital Operational Resilience Act) for third party providers. The framework should encompass the tools the firm has with AI functionality, their possible application in terms of use cases, and the risks associated with these, as well as how it will mitigate any areas of high risk.

Taking a proactive approach makes far more sense than suspending the use of AI which effectively places firms at the mercy of adversaries who will be quick to take advantage of the technology. These are tumultuous times and we can certainly expect AI to rewrite the rulebook when it comes to attack and defence. But firms must get to grips with how they can integrate the technology rather than electing to switch it off and continue as usual.

Continue Reading

Business

Recognising the value of protecting intellectual property early builds strong foundation for innovators

Innovation Manager at InnoScot Health, Fiona Schaefer analyses an essential facet of developing ideas into innovations

Helping the NHS to innovate remains a key priority during this period of recovery and reform. Even within the current cash-strapped climate, there is the opportunity to maximise the first-hand experience of the healthcare workforce and its knowledge of where new ideas are needed most.

Entrepreneurial-minded, creative staff from any discipline or activity are often best placed to recognise areas for improvement – the reason why a significant number of solutions come from, and are best developed with, health and social care staff.

NHS Scotland is a powerful driver of innovation, but to truly harness the opportunities which new ideas offer for development and commercialisation, the knowledge and intellectual property (IP) underpinning them needs to be protected. That vital know-how and other intangible assets – holding appropriate contracts for example – are key from an early stage.

Medical devices can take years to develop and gain regulatory approval, so from the outset of an idea’s development – and before revenue is generated – filing for IP protection and having confidentiality agreements in place are ways to start creating valuable assets. This is especially important when applying for patent protection because that option is only available when ideas have not been discussed or presented to external parties prior to application.

Without taking that critical initial step to protect IP, anyone – without your permission – could copy the idea, so anything of worth should be protected as soon as possible, making for a clear competitive advantage and ownership in the same sense as possessing physical property.

The common theme is that to be successful – and ultimately support the commercialisation of ideas that will improve patient care and outcomes – the idea must be novel, better, quicker, or more efficient than existing options. Furthermore, to turn it into a sound proposition worth investing in, it must also be technically and financially feasible. It isn’t enough to just be new and novel – the best innovations offer tangible benefits to patient outcomes and staff working practices.

Of course, even more so in the current climate of financial constraints, the key question of ‘Who will pay for your new product or service?’ needs to be considered up front as well.

Whilst development of a strong IP portfolio requires investment and dedicated expertise, when done well and at the appropriate time, then it is resource well spent, offering a level of security whilst developing an asset which can be built upon and traded. There are various ways commercialisation can progress and whilst not all efforts will be successful, intellectual property is an asset which can be licensed or sold to others offering a range of opportunities to secure a good return.

In my experience, however, many organisations including the NHS are still missing the opportunity to recognise and protect their knowledge assets and intellectual property early in the innovation pathway. This is partly due to lack of understanding – sometimes one aspect is carefully protected, whilst another is entirely neglected. In other cases, the desire to accelerate to the next stage of product development means such important foundational steps are not given the attention required for long-term success.

Good IP management goes beyond formally protecting the knowledge assets associated with a project, e.g. by patenting or design registration, however. When considered with other intangible assets such as access to datasets, clinical trial results, standard operating procedures, quality management systems, and regulatory approvals, it is the combination which will be key to success.

Early securing of IP protection or recognition of IP rights in a collaboration agreement, demonstrates foresight and business acumen. Later on, it can significantly boost negotiating power with a licensing partner or build investor confidence.

Conversely, omissions in IP protection or suitable contracts can be damaging, potentially derailing years of product development and exposing organisations to legal challenges and other risks. Failing to protect a promising idea can also mean commercial opportunities are missed, thus leading to your IP being undervalued.

Ideas are evaluated by formal NHS Scotland partner InnoScot Health in the same way whether they are big or small, a product, service, or new, innovative approach to a care pathway.

We encourage and enable all 160,000 NHS Scotland staff, regardless of role or location, to come forward with their ideas, giving them the advice and support they need to maximise their potential benefits.

Protecting the IP rights of the health service is one of the cornerstones of InnoScot Health’s service offering. In fact, to date we have protected over 255 NHS Scotland innovations. Recently these have included design registration and trademarks for the SARUS® hood and trademarks for SCRAM®, building and protecting a recognised range of bags with innovative, intuitive layouts. Spin outs such as Aurum Biosciences meanwhile have patents underpinning their novel therapeutics and diagnostics.

We assist in managing this IP to ensure a return on investment for the health service. Any revenue generated from commercialising ideas and innovations from healthcare professionals is shared with the innovators and the health board through our agreements with them and the revenue sharing scheme detailed in health board IP and innovation policies.

Fundamentally, we believe that it is vital to harness the value of expertise and creativity of staff with a well-considered approach to protecting IP and knowledge input to projects from the start.

Continue Reading

Copyright © 2021 Futures Parity.