Why IT Security Hygiene is so Crucial for Financial Services Firms

The UK financial services sector is going from strength to strength, and even during a period characterized by political uncertainty, it still enjoys a dominant position on the European stage.

In certain corners of the financial services market, such as the burgeoning fintech sector, business is booming as fintech firms embrace digital technologies that materially improve customer satisfaction and provide an omni-channel banking experience.

It’s not just the fervent start-up scene – banks and larger legacy firms are rapidly developing their digital teams and online propositions in line with shifting consumer demand.

This period of growth for financial businesses is creating its own set of challenges though. These were bleakly detailed in a report by audit firm RSM, which analyzed data from the Financial Conduct Authority (FCA), finding that 819 incidents of cybercrime had been recorded by the FCA in 2018 – denoting a more than 1000% increase from 2017’s figures.

An uptick in cyber incidents can be attributed to firms getting better at reporting cybersecurity incidents to the regulator, but it would be short-sighted to overlook the combination of more sophisticated cyber-attacks and increasing demands placed on IT teams as a contributing factor. 

IT security and operational challenges
Modern IT teams must maintain compliance with an evolving set of regulatory standards, track and secure sensitive data across endpoints, and manage a dynamic inventory of physical and cloud-based assets, all while fulfilling an executive mandate to make technology an enabler for business growth. Balancing these priorities often causes significant challenges and trade-offs for many business and IT leaders.

Our latest study shows that 95% of UK CIOs and CISOs have had to make compromises in how well they are able to protect their organizations from disruptions to technology, including cyber threats and outages.

When asked about the key reasons for making these compromises, 35% cited pressure to keep the lights on, with almost a third (31%) suggesting that being hamstrung by legacy IT commitments restricted their security efforts. These findings suggest that many IT and security leaders are having to juggle business priorities and their own internal security requirements.

Disjointed priorities between IT security and operations teams can also make critical security oversight almost impossible. In fact, almost a third of UK CIOs and CISOs said that departments and business leaders work in silos, leaving them with a lack of visibility and control over all their IT endpoints – whether that’s laptops, servers, virtual machines, containers, or even cloud infrastructure.

It’s also especially telling that third-party failure and hardware/software issues are among the root causes of cyber incidents in the financial services sector. As businesses evolve, it becomes harder for centralized IT teams to keep track of third-party suppliers contracted by increasingly autonomous parts of the business, which is somewhat a problem of the cybersecurity industry’s own making.

The industry has spent the last decade talking to firms about using different security tools for different threats without a true appreciation for data normalization. This has invariably led to a huge and fragmented selection of point solutions, which has left the enterprise environment brittle, vulnerable and lacking the resilience to actually tackle threats and disruption.

Visibility and control of computing devices is key 
It’s easier than ever for adversaries to access and build tools that attack the weak points in enterprise infrastructure and harder for businesses to have oversight over them all. When you think that infected endpoints can escalate to security-wide incidents in merely a matter of minutes, any delay in arriving at a way to mitigate the threat can prove to be disastrous. 

It’s all the more worrying when you consider that our research identified that 83% of CIOs and CISOs in the UK found that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result. With a large percentage of cybercrime tied in some way to patching problems, organizations can’t afford to hold back critical patches.

Companies need to ensure that foundational security concepts are in place to protect their networks, which includes secure configurations on all devices, applying patches in a timely manner and improving the speed at which companies identify and respond to attacks. 

As we move towards 2020, incidents of cybercrime are only likely to increase if organizations in the financial sector don’t push for organization-wide visibility and control of their digital assets. Without visibility of endpoint and infrastructure data in real-time, IT and security leaders will struggle to both keep complex systems running smoothly and defend.

This is the only way to truly stop cyber-attackers firmly in their tracks and ensure resilience against business disruption across financial services firms.
