A number of shocking facts were shared at this week’s PIMFA Financial Crime Conference held in London.
Financial Conduct Authority (FCA) head of technology, resilience & cyber, Robin Jones shared some incredible statistics surrounding cybercrime in the UK.
“In the past 12 months, the National Cyber Security Centre recorded over 1100 reported attacks, with 590 regarded as significant. 30 of these required action by government bodies, a number of which included the Financial Sector,” says Jones.
“In real terms, the UK deals with more than 10 significant cyber-attacks every week. In 2017 we had 69 material attacks reported to us, an increase on the 38 last year and 24 the year before. Recent ONS statistics show about 1.9 million incidents of fraud were cyber related.”
In response to this news, Skybox VP EMEA Justin Coker says while financial services have invested heavily into cybersecurity, it’s clear that it’s not deterring attacks or successful breaches.
“Furthermore, with the FCA calling for financial organisations to have a better understanding of their key assets and be constantly assessing where they are vulnerable, it seems that businesses in this sector do have the necessary building blocks – the required security and asset data, toolsets and people but are struggling to amalgamate these into a slick solution that spits out the correct answer,” says Coker.
“Often, they are still operating in silos and largely ineffective in joining up this mass of disparate data and analysing it in order to pinpoint exactly where their real exposures lie. Without this valuable insight, it is no surprise they are struggling to prevent breaches from happening.”
Coker says it’s all well and good to be practicing cyber resilience, however, if you don’t have a proper understanding of your ‘attack surface’ then it becomes an impossible task.
“IT network visibility (particularly as more organisations are making the transition into virtual and multi-cloud environments and growing their networks) is a basic fundamental task that, worryingly, companies simply don’t have. The bigger issue is that there are known unknowns but also unknown unknowns, and hackers are in the position to exploit both,” Coker says.
“This weakness might be explained by the fact that cybersecurity teams in financial services businesses are struggling to work out how they can best use their limited resources to make sense of the complexity and vast amount of information generated by their security tools.”
Coker says at the end of the day it’s impossible to fix everything, which means there is a need to prioritise remediation activities to close down the vulnerabilities that pose the greatest risk to ensure that data breaches and attacks are prevented.
“The real challenge is for financial services firms to completely understand the attack path and fixing it before the bad guy exploits it. Ultimately it is a race against time and the slow and steady tactic just won’t work anymore,” Coker concludes.