A cyber attack which should serve as a warning to the financial service industry

By Robert Rutherford, CEO of QuoStar

The Financial Conduct Authority (FCA) has announced plans to investigate Equifax following the recent cyber attack on the business. As many as 694,000 UK users were affected, a number that rises beyond 143 million when US customers are included. Although Equifax has welcomed the investigation to “learn the lessons from this criminal cyber attack”, the incident serves as a warning to the financial services industry that cyber criminals are implementing increasingly intelligent ways of outsmarting IT systems.

The truth is that firms in this sector have been facing cyber-attacks for decades, as this industry is especially attractive to criminals looking to access financial data. After all, the data held on these systems includes not only clients’ financial and personal details, but also information about the firms themselves. It is undoubtedly difficult for banks and financial institutions to continually defend against the constant cyber attacks they face, but IT security must be considered a priority when it comes to budgets.

Why are banks such easy targets?

The biggest reason that criminals target banks is obvious: money. Financially-motivated cybercrimes account for three quarters of all reported security breaches. This is an issue, with many firms underestimating the importance of cybersecurity. With budgets being evaluated more critically than ever in an effort to reduce costs, financial firms can find themselves working with substandard defences. 

In addition, the computing systems of financial firms are not only incredibly complex, but can include outdated legacy systems. This creates a good opportunity for cyber criminals to target various parts of the communication and transactional systems within these organisations. The individuals behind these attacks understand that bypassing standard controls can provide them with access to the back-end systems, which can lead to a huge loss for the firm and a major gain for the fraudsters.

Without a doubt, cyber criminals have become more patient and more intelligent over the years, especially when they’re financially motivated. Some hackers will watch an organisation for months, sometimes even years, to establish where the vulnerabilities in its systems are.

What methods should be used to improve cyber security?

Ensuring that IT systems are up to date with the latest software is crucial for any firm, but for banks and other organisations that hold enormous amounts of data, this is even more important. It is still common practice in many companies to allow access to their systems via a password alone, which is unacceptable from a security standpoint. The weakness of password-only protection is widely known, yet it is still being ignored. Whatever the reasoning behind this decision, it is dangerous and leaves organisations highly vulnerable to cyber-attacks.

ISO 27001 is a global and solid standard that can help greatly with IT security in general, as it enables financial institutions and any other businesses to identify the risks to their operations and then assign controls to prevent those risks or minimise the likelihood of them occurring. The assets, risks and controls are then reviewed continually, creating a living standard that ensures continuous improvement.

The senior leadership also plays a huge role when it comes to cyber security. Rather than placing blame solely on the IT team, the C-level must take full responsibility both when determining a cyber security strategy and in the event of a security breach. Senior management also needs to communicate with employees at all levels in order to understand what the risks are and how the firm can work together to prevent these attacks from happening.

How can staff help to keep IT systems safe?

All members of staff need to know the IT basics as a minimum, no matter what part of the business they may be working in. Most data breaches occur internally because an employee failed to notice a potential threat to the firm, such as unknowingly opening an email that contained a virus or a dangerous website link.

Social engineering has always been one of the most effective ways to breach a system at its core. It’s not uncommon for a fraudster to ring up a company pretending to be an IT technician in order to convince an employee to hand over their login details. In this scenario, the employee who provides these details will essentially be giving the attacker full access to the firm’s network and confidential files. It is therefore vital to train staff in how to identify and handle these communications.

This first line of defence is essential if the financial services industry is to protect its data. These individuals are the ones who will be able to spot, block and prevent a security breach in the future. Equifax is a wake-up call, and it’s time for firms to start responding.