Business
Dissecting UK cybersecurity: The categories you need to know
By Richard Yew, Senior Director, Product Management – Security at Edgio
Cybersecurity has diversified with businesses constantly trying to counter the ever-increasing number of new threats. Budgets often do not increase at the same pace and the industry remains plagued by a shortage in personnel resources.
Today, 40% of Brits working from home and shopping is more popular in the UK than in any other country. The cybersecurity risks associated has left businesses with a sprawling landscape to keep secure.
Understanding the cybersecurity solutions to choose in such a diverse market can be incredibly challenging. Areas that are non-negotiable in this post-pandemic landscape are Endpoint Security, Managed detection and response (MDR) and holistic Web Application and API Protection (WAAP).
These areas are foundational to any cybersecurity programme, and each has a role to play in keeping organisations protected.
Endpoint security
Endpoint solutions focus on defending endpoints including mobile devices, laptops, Internet of Things (IoT) devices, point-of-sale (POS) systems, or simply any device that connects to a network. Any endpoint can be an attack entry point, and with over 29 billion IoT devices forecasted to be in operation by 2030 the scope for risk will double. This means that businesses of any size can find themselves vulnerable to a cyberattack.
It can be challenging to deploy endpoint protection effectively with a diverse mix of device types, operating systems, with many companies having the additional burden of supporting bring your own device (BYOD) policies. Nevertheless, endpoint protection platforms are always evolving to detect malicious activity and prevent file-based malware attacks, while allowing security engineers to investigate and respond to incidents, wherever necessary. As endpoints are a wide entry point into an organisation from which attackers often aim to move laterally, effective endpoint protection is essential for organisations of any size.
Management detection and response (MDR)
An element of cybersecurity that combines human and technological expertise, management detection and response (MDR) is a service that typically covers monitoring, response, and cyber threat hunting. MDR reduces the strain on internal staff and the alert fatigue they often face, instead allowing experts to monitor devices, applications and networks remotely to keep these systems secure, and respond quickly when under attack.
This combination of technology and services works in tandem with in-house IT and DevSecOps teams, providing mature capabilities in observation, detection, and response, ultimately lowering risk and allowing companies to focus more on their core business. Given a global shortage of around 3.4 million cybersecurity professionals, MDR is a great way for organisations to gain round-the-clock cybersecurity support they need, without the high CapEx for new staff (which are very hard to hire and retain).
Managed Security
Much like MDR, security as a service (SECaaS) outsources cybersecurity to remote experts. However, this solution is a cloud-delivered model at its core and is hosted by cloud providers. Thanks to this, SECaaS has soared in popularity, offering lower costs than in-house investments and scaling to handle any cybersecurity demands.
As SECaaS works on a subscription basis, businesses only need to pay for the services they need, when they need them. Outsourcing security frees up resources and gives internal IT teams the time and confidence to work on other projects. Hosted in the cloud, SECaaS also allows organisations to access the latest security tools, patches, and updates immediately, with no need for onsite deployment and extended downtime. SECaaS is a great option for organisations that want to completely outsource their cybersecurity and move to the cloud.
Web Application and API Protection (WAAP)
Web applications provide critical services and experience for customers and employees alike. Besides endpoint devices mentioned earlier, they also represent an expanded threat vector for attackers to exploit. In fact, for several years running, web applications have been the top vector across all data breaches according to Verizon’s Data Breach and Investigations (DBIR) report. For this reason, having a holistic web application and API protection (WAAP) solution with multiple layers of protection for an organisation’s networks and web infrastructure becomes critical.
WAAPs provide protection against a wide range of critical threats targeting high value websites and applications, including injection and remote code execution (RCE) attacks, malicious bots attempting account takeover (ATO), or ransomware DDoS attacks, just to name a few. An effective WAAP protects against these types of evolving threats and many more.
There are some critical elements to a WAAP offering. First, find integrated solutions that can be managed from a single pane of glass. A configuration information, as well as analytics, all in one console reduces complexity that can lead to misconfigurations, while also making it easier for security teams investigating incidents.
Parsing logs from separate solutions and consoles is difficult. A Gartner survey conducted in 2022 found that 75% of organisations plan to consolidate security tools, with most respondents agreeing, less complexity leads to a stronger security posture.
Second, make sure to consider WAAP solutions that scale with your business, and with attacks. It’s important to consider that point solutions, while often providing innovative best-of-breed features, generally run on smaller, more centralised networks. API integration makes these tools easy enough to set up, but they add latency – detection requires an additional hop to a cloud decision engine.
Furthermore, the networks they run on are relatively small compared with edge/CDN-integrated security. This becomes important if you are targeted by a large-scale automated attack, such as DDoS. Lastly, it’s important to choose a WAAP solution with simple, predictable pricing. You never know when an attack will happen- you just know it will. Look for vendors that don’t charge you extra when you’re under attack. Reputable vendors take their customers’ security very seriously, but it feels pretty bad to get hit with an unexpected, large bill even after effectively mitigating a major attack. But there are options out there now, should you wish to lock in predictable pricing, aligned to your best interests.
Cybersecurity from the start
It cannot be ignored by any business. It can be daunting, but understanding the difference in solutions is critical for businesses.
From endpoint security and MDR to WAAP, each service provides an important set of security reassurances. Work with a reputable, trusted partner that can put your mind at ease – no matter the solutions you choose to implement.
You may like
Business
The Power of Purpose in the Financial Services Industry
Source: Finance Derivative
Becky Willan, CEO and Co-Founder of Given
The Challenge
Banks and businesses in the financial services industry are coming under greater scrutiny for not only how they invest their money but, increasingly, who they invest it with.
In June, Barclays came under attack – quite literally, with 20 branches vandalised across the UK – over accusations of links to defence companies supplying Israel. This led to the suspension of their sponsorship of all Live Nation music festivals, and prompted the bank’s chief executive, CS Venkatakrishnan, to write an opinion piece in the Guardian about what he called “a campaign of disinformation against Barclays”.
Lloyds Banking Group is another high profile example after its AGM was disrupted by pro-Palestinian and climate activists in May. Two years ago the bank committed to end direct funding of new oil and gas exploration projects, but for some this does not go far enough, with the protesters demanding Lloyds divest from all fossil fuel and arms companies.
This comes amid growing concerns about the lack of sufficient capital to fund the transition from “grey to green”. As we have seen, financing projects from oil and gas companies, even if there’s a clear decarbonisation agenda, now comes with increasing reputational risk for banks. And yet we can’t achieve a low carbon economy without system-wide transformation.
The banking industry operates in a challenging space when it comes to navigating purpose, but do these institutions deserve the level of criticism we’re seeing in the media?
What we do know is that businesses operating in the sector need to have more clarity and focus around what their purpose is.
Our recent Purpose Gap Report revealed that over a quarter of respondents in the financial services industry (26%) are actively thinking about leaving their current job role due to their company’s failure to deliver on corporate purpose promises. This compares to a 13% average across all sectors looked at in the report. At twice the rate of dissatisfied employees, financial services appears to be lagging behind other industries.
Additionally, over half (56%) of consumers say it is important to them that their bank acts sustainably and/or ethically. It is therefore essential for businesses in the financial services industry to consider carefully their purpose and corporate values and ensure they align with the causes their stakeholders are passionate about.
Making this change, while important to the longevity of the institution, can be complicated to implement and investment decisions are not always clear-cut.
According to the same report, additional blockers cited by those in finance wishing to make positive change were among the following:
- It is too costly
- There is a lack of understanding across the business around potential positive impact
- It is not a business priority
- There is an overall lack of commitment from leadership
- There is a lack of integration of purpose within employees’ roles
A year on from the fallout of the Coutts / Nigel Farage scandal, which saw Dame Alison Rose step down from her position as NatWest’s chief executive, some are fearful of the risks associated with moving away from business as usual.
Widely reported at the time was Coutt’s internal memo that the Reform UK MP’s views were “at odds with our position as an inclusive organisation.” Whether this was about principles, or politics, the scandal brought purpose into the spotlight.
Missteps can happen in any walk of business, but we need to remember that purpose is about good business and strategic focus, not taking a moral high ground.
Adopting a purpose-driven business approach is also not in lieu of profitability – indeed it is essential. Profit without purpose is meaningless and purpose without profit is unsustainable.
The significance of profitability with purpose
The business case for purpose is now truly evident. Financial services organisations that contribute positively to a sustainable and inclusive future are simultaneously driving their own success.
A report by Deloitte last year found that most consumers agreed that a business’s commitment to sustainability affects their level of trust in the company. The study also suggests around a quarter of shoppers are willing to pay more for products that are more sustainable or committed to more ethical practices.
With investors, customers, and wider society increasingly demanding ethical, sustainable and positive actions from businesses, purpose-driven companies not only attract a wider, more impact-conscious group of stakeholders, but also see improved performance and greater resilience.
An Interbrand study found that purposeful brands, set on improving our quality of life, outperform the stock market by 120%.
Additionally, purpose-led brands attract and retain the best and most passionate employees, with EY reporting 84% of staff found it important to work for an organisation that positively impacts society.
A better way to bank
Nationwide is an example of a financial services model flourishing while helping change the world for the better. The building society has experienced year-on-year growth in the number of current accounts held since 2011, with a market share of 10.4% last year.
Boasting over 17 million customers, and a balance sheet of £272 billion, the institution celebrated its £2 billion profits earlier this year by offering a £100 profit share to each of its members under the Fairer Share initiative.
Additionally, the institution also donates 1% of pre-tax profits to charity, as part of its Fairer Futures initiative – a project developed alongside us at Given.
Led by its social purpose, Nationwide donates to partners working to combat homelessness; families living in poverty; and those suffering with dementia. Last year alone, charitable donations came to £15.5 million.
Asking the right questions
In the highly regulated financial services sector, boards of directors play a critical role in ensuring compliance with environmental, social, and governance (ESG) standards.
This extends beyond simple financial oversight to include the integration of ESG principles into the company’s goals and risk management frameworks, along with promoting ethical conduct and sustainability practices.
Board members will not find their questions answered by an aspirational turn of phrase about an organisation’s role in the world. Instead, purpose must be understood as a complete management strategy that is embedded into every part of an organisation. The right questions go beyond the ‘why’ to consider the ‘what’ and the ‘how’ too.
Businesses must create a space for learning, reflection and the idea that they can do better. Most boards regularly evaluate their effectiveness in governing a business. Not many look at this through the lens of purpose.
An annual “purpose stock-take” could ultimately be a valuable exercise ensuring that purpose really is embedded into the company culture and governance structure. It could involve asking the following five big questions:
- Are we satisfied with how much of our balance sheet is aligned with our purpose today?
- What are the biggest opportunities our purpose could unlock for our business?
- Would our different stakeholders recognise our purpose as more than simply words on a page?
- Are we clear on our “red lines” – the purpose promises we won’t break in pursuit of profit?
- When was the last time we challenged a decision on the grounds of our purpose?
Final Thoughts
Financial institutions are now being scrutinised more than ever, but there is more than just reputational risk at stake. There is one final question those in the sector should ask themselves: what risks are we exposed to by not clearly defining and living our purpose?
The repercussions here could be incredibly damaging to the overall health of a business: falling foul of regulation; reduced employee morale and productivity; lack of consumer and investor trust; lack of long-term growth and resilience.
This can be avoided if businesses take the time to define and embed their purpose and values, using them as a management approach to profitably solve problems of people and the planet.
Adopting a purpose-driven approach is a strategy that may seem daunting at first, but asking the right questions and implementing an open and collaborative approach is a step in the right direction.
Business
Why financial institutions must prioritise contact data quality if serious about fraud prevention
Source: Finance Derivative
By Barley Laing, the UK Managing Director at Melissa
According to Nasdaq’s 2024 Global Financial Crime Report $3.1 trillion of illicit funds flowed through the global financial system in 2023.
As a result, it’s not surprising that most in financial services are investing heavily in advanced ID verification technology to protect themselves from fraud and meet Know Your Customer (KYC) and Anti-Money Laundering (AML) regulatory standards.
However, to bolster their ID verification efforts they need to do more, and the best way is by improving customer contact data quality from the outset.
Why is contact data quality so important?
From our experience the quality of contact data is key to the effectiveness of ID processes, influencing everything from end-to-end fraud prevention to delivering simple ID checks; meaning more advanced and costly techniques, like biometrics and liveness authentication, may not be necessary.
When a customer’s contact information, such as name, address, email and phone number are accurate the verification process becomes more reliable. With this data ID verification technology can confidently cross-reference the provided information against official databases or other authoritative sources without discrepancies that could lead to false positives or negatives.
A big issue is that fraudsters often exploit inaccuracies in contact data to create false identities and manipulate existing ones. By maintaining clean and accurate contact data ID verification systems can more effectively detect suspicious activity and prevent fraud. For example, discrepancies in a user’s phone or email, or an address linked to multiple identities, could serve as a red flag for additional scrutiny. This basic capability is more important than ever as identity fraud becomes increasingly sophisticated.
Address verification is the foundation of contact data quality
Address verification – having a consistently accurate, standardised address – is usually recognised as the cornerstone of contact data quality. Once you have access to up-to-date customer addresses it makes it much easier to match and verify identities across multiple sources.
Therefore, verifying the accuracy and legitimacy of an individual’s address should be the first step in any identity related process, with any discrepancies between a claimed address and official records highlighting a potential fraudster.
By catching these inconsistencies early ID verification technology can help mitigate risks, ensuring only legitimate users are granted access to services, protecting both their business and customers from fraud.
Address verification also plays an important role in regulatory compliance, by ensuring that the address information provided meets KYC and AML regulatory standards.
Phone and email verification
As I’ve already touched on it’s not all about having an accurate address, the role of phone and email verification is also vital as part of a comprehensive ID verification process, and therefore in preventing fraud. Particularly when it comes to helping organisations to identify and mitigate possible fraudulent activity early on. Verifying all three contact channels together contributes to enhanced security by filtering out fake or high-risk contact information, improving the accuracy of the ID verification process.
Email verification involves analysing various factors such as the age and history of the email address, the domain and syntax, and whether the email is temporary. After all, new and poorly formatted email addresses are often tell-tale signs of fraudsters. Furthermore, the association of a single email with multiple accounts could highlight criminal activity. It’s only by checking if an email address exists and works, then examining those elements I’ve already mentioned, that organisations can identify possible high-risk indicators.
Phone verification is equally important in fraud detection. By verifying the type and carrier of the phone number, organisations can identify high risk numbers, such as those associated with VoIP services, which are commonly used in fraudulent activities.
Checking the validity, activity and geolocation of a phone number also ensures it’s not only functional, but consistent with the user’s claimed location. And like with email, a single phone number linked to multiple accounts can indicate fraudulent behaviour.
Deliver contact data accuracy with autocomplete / lookup tools
The best way to obtain accurate customer contact data is to use autocomplete or lookup services.
With an address autocomplete tool it’s possible to deliver accurate address data in real-time by providing a properly formatted, correct address at the onboarding stage, when the user starts to input theirs. Tools such as these are very important because around 20 per cent of addresses entered online contain errors; these include spelling mistakes, wrong house numbers, and incorrect postcodes, as well as incorrect email addresses and phone numbers, typically due to errors when typing contact information. Another benefit of the service is the number of keystrokes required when entering an address is cut by up to 81 per cent. This speeds up the onboarding process and improves the whole experience.
Similar technology can be used to deliver first point of contact verification across email and phone, so these important contact datasets can also be verified in real-time.
In summary
The success of ID verification technology, and therefore fraud prevention, hinges on the accuracy and quality of customer contact data. Having such data not only enhances fraud detection, but improves the user experience and operational efficiency. Financial institutions must make sure that data verification tools are used across address, email and phone, alongside their ID verification technology.
Business
Fortifying Email Security Beyond Microsoft
By Oliver Paterson, Director of Product Management, VIPRE Security Group
Most organisations today are Microsoft software houses. Microsoft 365 is the go-to productivity suite, offering comprehensive tools, flexible licensing, and built-in security features. Employees live and breathe in Outlook, and so many different technologies seamlessly integrate with this indispensable communication tool to deliver productivity gains to business professionals.
However, email-borne cyber threats continue to surge. Malware delivered via email is exponentially increasing. .eml attachments, which often get overlooked in phishing emails, are growing. Cybercriminals are resorting to email scams, alongside phishing emails, and with the arrival of generative AI technologies, users are increasingly finding it challenging to spot these “expertly” written, persuasive emails too.
The reason for this growth in email-led attacks? Cybercriminals are exploiting the ubiquity of Microsoft – and indeed our trust in the software. It is no wonder that today Microsoft is the most spoofed URL.
Microsoft, a software powerhouse, but not an email specialist
Microsoft is undeniably a technology powerhouse, but its primary focus or specialty isn’t email security. Historically centered on infrastructure, operating systems, and cloud services, email security is a small part of its vast ecosystem. For example, while the company offers features like SafeLinks and SafeAttachments to protect against phishing scams, these are often limited to the priciest licenses. As a result, many organisations aren’t able to benefit from the depth of functionality that is needed for robust email protection.
The shortcomings of Microsoft’s security tiers
Microsoft offers a range of security packages for its Microsoft 365 and Office 365 suites, from E1 and E3 to the premium E5. While this tiered approach allows organisations to tailor licenses to employee roles, it also introduces vulnerabilities. Higher-tier subscriptions like E5 provide advanced security, but they’re costly. Lower-tier licenses often lack critical protections against impersonation and zero-day threats—gaps that cybercriminals eagerly exploit.
Furthermore, Microsoft’s user caps (e.g., 300 users on Business Premium) sometimes can lead organisations to make risky compromises in pursuit of cost savings. This mix-and-match strategy can result in blind spots, as lower-tier subscriptions typically lack advanced threat visibility tools, hampering investigation and response times.
Configuration conundrums
The Microsoft security portal, while comprehensive, is also complex. Take Link Protection (aka Microsoft SafeLinks) as an example. This feature needs enabling in multiple locations, and with Microsoft’s routine updates, these settings can be moved, altered, or even disabled by default. Such inadvertent misconfigurations not only pose security risks but also burden IT teams with constant vigilance and reconfiguration.
Static intelligence versus real-time threats
Microsoft’s reliance on third-party security feeds means its threat intelligence is often outdated. The company’s vast and complex platform requires time-consuming updates, and with email security being just one part of its portfolio, critical updates may not always be prioritised. A delay of even a day or two is all a zero-day attack needs to succeed.
A layered approach to email security
So what can organisations do? In an era where a single email can cripple a business, firms need to bolster Microsoft 365’s standard security. By understanding its limitations and layering on specialised protection, organisations can fortify their email defenses, with additional, advanced security capabilities, without breaking the bank. Due to the relentless onslaught of threat actors, such caution is essential.
Capabilities such as Link Isolation and Sandboxing are vital today to protect against zero-day threats. Link Isolation renders malicious URLs harmless, while Sandboxing automatically isolates suspicious files in a virtual environment for safe analysis. These methods provide real-time monitoring and intelligence, enabling proactive defense.
No matter how advanced technology gets, it alone can’t solve everything. User awareness is key, and “in-the-moment” training trumps the typical periodic sessions for cybersecurity education. When users are immediately informed why an email or attachment was blocked, along with the telltale signs of malice, the lesson is more likely to stick.
Many organisations, and especially the smaller and growing firms, can’t afford top-tier Microsoft licenses for all employees or indeed maintain in-house IT teams to address the gaps in security capabilities. Partnering with third-party security services providers across different aspects of the function is a viable option as no single software or platform can provide all the security techniques and capabilities. This approach is not only more cost-effective but also provides the technological expertise needed for protection in today’s rapidly evolving threat landscape. Reducing reliance on a single security provider is an astute approach to minimising business risk.