Source: Finance Derivative

Niall McConachie, regional director (UK & Ireland) at Yubico

Using mobile phones to sign into online services can offer people a sense of security and convenience. However, when their devices are damaged, lost, or stolen, they can quickly experience why relying on mobile authentication methods is not the best choice when it comes to protecting their online identities.

Despite this, many financial firms and institutions in the UK continue to encourage their customers and employees to use this form of digital authentication when accessing sensitive data. With cyber attacks being the most cited risk to the UK financial system, it is important that leaders understand the increased risks that they take on with continued use of ineffective authentication and poor cyber hygiene practices.

Limitations of mobile devices and passwords

Aside from being easily lost, stolen, or broken, the effectiveness of mobile-based authentication can be limited depending on the user’s location. For example, depending on where the mobile devices are being used, people may not have the reception needed to authenticate into an account. Additionally, they could be locked out of their accounts simply due to the device’s battery running out. However, even without these issues, mobile devices still pose considerable cybersecurity risks.

Indeed, findings from our recent State of Global Enterprise Authentication Survey, show that mobile SMS-based authentication (20 percent), push authenticator apps or mobile one-time passcodes (OTPs) (23 percent), and passwords (23 percent) are believed to be the most secure forms of digital authentication by UK respondents. As financial firms use these methods so often, it is understandable why customers and employees would come to this assumption. However, this is a misconception.

While any form of authentication is better than none, passwords and mobile-based authentication methods – including SMS verification, OTPs, and digital authentication apps – are all vulnerable to many modern cybersecurity threats. These include SIM swapping, phishing, password spraying, man-in-the-middle (MitM) attacks, and ransomware attacks which can all lead to possible data breaches, imposing serious consequences on UK financial organisations.

Improved cyber hygiene practices and training for employees

According to the survey, the primary ways that UK employees signed into their business accounts were with usernames and passwords (53 percent), mobile SMS-based authentication (24 percent), and push authenticator apps or mobile OTPs (19 percent),  indicating that UK employees are not choosing the best form of authentication methods. These practices leave their accounts easily compromised by bad actors. 

Additionally, it is important to note that no authentication solution can be fully effective in mitigating emerging cyber threats if used alongside poor cyber hygiene practices, which play a significant role in reducing an organisation’s cyber resiliency against external threats.

Overall, it appears that UK organisations are not properly enforcing best-practice cyber training amongst their internal staff. Findings show that only 42 percent of respondents are required to go through frequent cybersecurity training. The report also revealed significant lapses in employees’ cyber-hygiene practices. For instance, over the previous 12 months, UK respondents admitted to using a work-issued device for personal use (49 percent), allowing their work-issued device to be used by someone else (33 percent), not reporting a phishing attempt (31 percent), having an account reset due to lost or forgotten credentials (58 percent), and using a personal device for work (58 percent).

These poor habits should be concerning for finance firms because if an employee uses a personal device for work, bad actors can compromise that device and use it as a point of access to target their employer. As 73 percent of UK respondents claimed to have experienced a cyber attack in their personal lives within the previous 12 months – this and other similar scenarios are highly possible.

Moreso, the combination of weak authentication methods and poor digital habits make organisations especially vulnerable to cyber attacks which can directly target their customers, employees, and third party partners as well. Therefore, better cyber hygiene practices should be enforced on a regular basis to protect organisations fully and effectively from emerging threats.

Benefits of alternative authentication methods

For finance businesses looking for alternative methods, it is important to note that there are some forms of multi-factor authentication (MFA) and two-factor authentication (2FA) that are more robust than others. For example, some require users to authenticate with either a hardware security key or identity credential that is unique to the individual user like a fingerprint. With the help of FIDO protocols – globally recognised standards of public key cryptography techniques to deliver stronger authentication – stronger authentication methods like these provide users with a seamless experience when accessing their digital accounts by removing the need for passwords or mobile devices.

The National Cyber Security Centre (NCSC), recommends hardware-based security keys as a phishing-resistant solution against modern cyber attacks. In addition, a growing number of global companies and UK banks have implemented passwordless authentication. Apple, Barclays, Co-operative Bank, Google, HSBC, Microsoft, NatWest, Twitter, and the US Government are just a few reputable organisations which have opted for passwordless authentication.

Customers and staff should not be solely responsible for adjusting their own cybersecurity practices. It is also up to organisations to enhance their digital security by implementing phishing-resistant passwordless solutions. Whether using biometric identifiers or hardware security keys, these solutions are more effective and user-friendly than conventional authentication methods. They also offer robust authentication across multiple devices and accounts, reducing the number of times a user needs to sign in. However, most importantly, implementing business-wide passwordless solutions helps to reinforce an organisation’s security posture and significantly decreases the risk of emerging attacks.

Mobile-based authentication, OTPs, and passwords are some of the most widely used authentication methods but are not the most secure. As the finance sector continues to prioritise passwordless authentication, this will likely change customers’ and employees’ perceptions of what secure authentication truly is. Ultimately, providing users with the most secure authentication possible should be a top priority. With it, financial firms can experience the long-term benefits of improved data security, better user experience, and considerable ROI.

982/750 word minimum

Source: Finance Derivative

Christian Scott, COO/CISO at Gotham Security, an Abacus Group Company

The alternative investment industry is a prime target for cyber breaches. February’s ransomware attack on global financial software firm ION Group was a warning to the wider sector. Russia-linked LockBit Ransomware-as-a-Service (RaaS) affiliate hackers disrupted trading activities in international markets, with firms forced to fall back on expensive, inefficient, and potentially non-compliant manual reporting methods. Not only do attacks like these put critical business operations under threat, but firms also risk falling foul of regulations if they lack a sufficient incident response plan. 

To ensure that firms protect client assets and keep pace with evolving challenges, the Securities and Exchange Commission (SEC) has proposed new cybersecurity requirements for registered advisors and funds. Codifying previous guidance into non-negotiable rules, these requirements will cover every aspect of the security lifecycle and the specific processes a firm implements, encompassing written policies and procedures, transparent governance records, and the timely disclosure of all material cybersecurity incidents to regulators and investors. Failure to comply with the rules could carry significant financial, legal, and national security implications.

The proposed SEC rules are expected to come into force in the coming months, following a notice and comment period. However, businesses should not drag their feet in making the necessary adjustments – the SEC has also introduced an extensive lookback period preceding the implementation of the rules, meaning that organisations should already be proving they are meeting these heightened demands.

For investment firms, regulatory developments such as these will help boost cyber resilience and client confidence in the safety of investments. However, with a clear expectation that firms should be well aligned to the requirements already, many will need to proactively step up their security oversight and strengthen their technologies, policies, end-user education, and incident response procedures. So, how can organisations prepare for enforcement and maintain compliance in a shifting regulatory landscape?

Changing demands

In today’s complex, fast-changing, and interconnected business environment, the alternative investment sector must continually take account of its evolving risk profile. Additionally, as more and more organisations shift towards more distributed and flexible ways of working, traditional protection perimeters are dissolving, rendering firms more vulnerable to cyber-attack.    

As such, the new SEC rules provide firms with additional instruction around very specific prescriptive requirements. Organisations need to implement and maintain robust written policies and procedures that closely align with ground-level security issues and industry best practices, such as the NIST Cybersecurity framework. Firms must also be ready to gather and present evidence that proves they are following these watertight policies and procedures on a day-to-day basis. With much less room for ambiguity or assumption, the SEC will scrutinise security policies for detail on how a firm is dealing with cyber risks. Documentation must therefore include comprehensive coverage for business continuity planning and incident response.

As cyber risk management comes increasingly under the spotlight, firms need to ensure it is fully incorporated as a ‘business as usual’ process. This involves the continual tracking and categorisation of evolving vulnerabilities – not just from a technology perspective, but also from an administrative and physical standpoint. Regular risk assessments must include real-time threat and vulnerability management to detect, mitigate, and remediate cybersecurity risks.  

Another crucial aspect of the new rules is the need to report any ‘material’ cybersecurity incidents to investors and regulators within a 48-hour timeframe – a small window for busy investment firms. Meeting this tight deadline will require firms to quickly pull data from many different sources, as the SEC will demand to know what happened, how the incident was addressed, and its specific impacts. Teams will need to be assembled well in advance, working together seamlessly to record, process, summarise, and report key information in a squeezed timeframe.

Funds and advisors will also need to provide prospective and current investors with updated disclosures on previously disclosed cybersecurity incidents over the past two fiscal years. With security leaders increasingly being held to account over lack of disclosure, failure to report incidents at board level could even be considered an act of fraud. 

Keeping pace

Organisations must now take proactive steps to prepare and respond effectively to these upcoming regulatory changes. Cybersecurity policies, incident response, and continuity plans need to be written up and closely aligned with business objectives. These policies and procedures should be backed up with robust evidence that shows organisations are actually following the documentation – firms need to prove it, not just say it. Carefully thought-out policies will also provide the foundation for organisations to evolve their posture as cyber threats escalate and regulatory demands change.

Robust cybersecurity risk assessments and continuous vulnerability management must also be in place. The first stage of mitigating a cyber risk is understanding the threat – and this requires in-depth real-time insights on how the attack surface is changing. Internal and external systems should be regularly scanned, and firms must integrate third-party and vendor risk assessments to identify any potential supply chain weaknesses.

Network and cloud penetration testing is another key tenet of compliance. By imitating how an attacker would exploit a vantage point, organisations can check for any weak spots in their strategy before malicious actors attempt to gain an advantage. Due to the rise of ransomware, phishing, and other sophisticated cyber threats, social engineering testing should be conducted alongside conventional penetration testing to cover every attack vector.

It must also be remembered that security and compliance is the responsibility of every person in the organisation. End-user education is a necessity as regulations evolve, as is multi-layered training exercises. This means bringing in immersive simulations, tabletop exercises and real-world examples of security incidents to inform employees of the potential risks and the role they play in protecting the company.

To successfully navigate the SEC cybersecurity rules – and prepare for future regulatory changes – alternative investment firms must ensure that security is woven into every part of the business. They can do this by establishing robust written policies and adhesion, conducting regular penetration testing and vulnerability scanning, and ensuring the ongoing education and training of employees.

Source: Finance Derivative

By Dirk Martin, CEO and Founder of Serviceware

Three years on from the pandemic and economic pressure is continuing to mount more than ever. With the ongoing threat of a global recession looming, inflation rising, and supply chain disruption continuing to take its toll, cutting costs and optimizing budgets remains a top priority amongst the c-suite. Amid such turbulence, the Chief Financial Officer (CFO) and Chief Innovation Officer (CIO) stand firmly at the business’s helm, not only to steady the ship but to steer it into safer, more profitable waters. These vital roles have truly been pulled into the spotlight in recent years, with new hurdles and challenges being constantly thrown their way. This spring, for example, experts expect British businesses to face an energy-cost cliff edge as the winter support package set out by the government is replaced.  

Whilst purse strings are being drawn ever tighter to overcome these obstacles, there is no denying that the digitalization and innovation spurred on by the pandemic are still gaining momentum. In fact, according to Gartner, four out of five CEOs are increasing digital technology investments to counter current economic pressures. Investing in a digital future, driven by technologies such as the Cloud, Artificial Intelligence (AI), Blockchains and the Internet of Things (IoT), however, comes at a cost and to be able to do so – funds must be released through effective optimization of existing assets.

With that in mind, and with the deluge of cost and vendor data descending on businesses who adopt these technologies, never has it been more important for CIOs and CFOs to have a complete, detailed and transparent view of all IT costs. In doing so, business leaders can not only identify the right investment areas but increase the performance of existing systems and technology to tackle the impact of spiralling running costs.

Follow the below 10 steps to gain a comprehensive, detailed and transparent overview of all IT costs to boost business performance and enable your IT to reach the next level.

1: Develop an extensive IT service and product catalogue

The development of an IT service and product catalogue is the most effective way to kick-start your cost-optimization journey. This catalogue should act as a precise overview of all individual IT services and what they entail to directly link IT service costs to IT service performance and value. By offering a clear set of standards as to what services are available and comprised of, consumers can gain an understanding of the costs and values of the IT services they deploy.

2: Monitor IT costs closely

By mastering the value chain, a concept that aims to visualise the flow of IT costs from its most basic singular units through to realised business units and capabilities, businesses can keep track of where IT costs stem from. With the help of service catalogues, benchmarks, the use of a cost model focussing on digital value in IT Financial Management (ITFM) or what is often referred to as Technology Business Management (TBM) solutions, comprehensive access to this data can be guaranteed, creating a ‘cost-to-service flow’ that identifies and controls the availability of IT costs.

3: Determine IT budget management

Knowledge of IT cost allocation is a vital factor when making informed spending decisions and adjustments to existing budgets. There are, however, different approaches that can be taken to this including – centralized, decentralized and iterative. A centralized approach means that the budget is determined in advance and distributed to operating cost centres and projects in a top-down process, allowing for easy, tight budget allocation. A decentralized approach reverses this process – operating costs are precisely calculated before budgeting and projects are determined. Both approaches come with their own risks, for centralized overlooking projects that offer potential growth opportunities and for decentralized budget demands that might exceed available resources.

The iterative approach tries to unify both methods. Although the most lucrative approach, it also requires the most resources. So, the chosen approach is very much dependent on the available resources, and the enterprise’s structural organization.

4: Defining ‘run’ vs ‘grow’ costs

Before IT budget can be allocated, costs should be split into two distinct categories: running costs (i.e. operating costs) and costs for growing the business (i.e. products or services used to transform or grow the business). Once these categories have been defined, decisions should be made on how the budget should be split between them. A 70% run/30% grow split is fairly typical across most enterprises, but there is no one-size-fits-all approach, and this decision should be centred around the businesses’ overall strategies and end goals.

5: Ensuring investments result in a profit

By carrying out the aforementioned steps, complete transparency can be achieved over which products and services are offered, where IT costs stem from, and where budgets are allocated. From here, organizations can review how much of the IT budget is being used and where costs lead to profits and losses. By maintaining a positive profit margin, the controlling processes can be further optimized. If the profit margin is negative, appropriate, or timely, corrective measures can be initiated.

6: Staying on top of regulation

For a company that operates internationally (E.g. it markets IT products and services abroad), it is extremely important that it stays on top of country-specific compliance and adheres to varying international tax rules. To do so correctly it is necessary to provide correct transfer price documentation. This requires three factors:

1. Transparent analysis and calculation of IT services based on the value chain
2.  Evaluation of the services used and the associated billing processes
3. Access to the management of service contracts between providers and consumers as the legal basis for IT services.

7: Stay competitive

Closely linked to the profit mentioned in step five is the question of how to price IT services in order to stay competitive whilst avoiding losses. This begins with benchmark data which can be researched or determined using existing ITFM solutions that can automatically extract them from different – interconnected – databases. From there, a unit cost calculation can be used to define exactly and effectively what individual IT services – and their preliminary products – cost. This allows organizations to easily compare internal unit cost calculations with the benchmarks and competitor prices, before making pricing decisions.

8: Identify and maintain key cost drivers

Another aspect of IT cost control that is streamlined via the comprehensive assessment of the cost-to-service flow is the identification and management of main IT cost drivers. A properly modelled value chain makes it clear which IT services or associated preliminary products and cost centres incur the greatest costs and why. This analysis allows for concise adjustment to expenditure and helps to avoid misunderstandings about cost drivers. Using this as a basis, strategies can be developed to reduce IT costs effectively and determine a better use of expensive resources.

9: Showback/Chargeback IT costs

By controlling IT costs using the value chain, efficient usage-based billing and invoicing of IT services and products can be achieved. If IT costs are visualized transparently, they can easily be assigned to IT customers, therefore increasing the clarity of the billing process, and providing opportunities to analyze the value of IT in more detail. When informing managers and users about their consumption there are two options: either through the ‘showback’ process – highlighting the costs generated and how they are incurred – or through the ‘chargeback’ process, in which costs incurred are sent directly to customers and subcontractors.

10: Analyse supply vs. demand

By following the processes above, transparency regarding IT cost control is further extended and discussions around the value of IT services are made possible across the organization. A more holistic analysis of IT service consumption allows conclusions to be drawn promptly to enable the optimization of supply and demand for IT services in various business areas. This, in turn, will enable a more comprehensive value analysis and optimization of IT service utilization.

Following these 10 cost management steps, a secure, transparent, and sustainable IT cost control environment can be developed, resulting in fully optimized budgets and in turn – significant cost savings. Cost-cutting aside, automating the financial management process in such an environment can boost productivity substantially freeing up time to focus on valuable work, thus leading to overall business growth.

The business and economic landscape is full of uncertainty right now, but business leaders can regain control via cost management, not only to weather current storms but to set themselves up for success beyond today’s turbulence.