Who Can You Trust With Your Data?

Uploaded on 2022-06-07 in FREE TO VIEW, BUSINESS-Services-Financial

In a recent survey of some 70,000 consumers across the US, Singapore, UK and Australia, security company Imperva found that just 37% of respondents trust financial services firms to keep their data safe. And it appears that many of us are becoming desensitised to cyber security risks with half of those polled said they couldn’t keep track of the security posture of the organisations they work with.

Another report in January 2022 from UK consumer group Which? suggest that there may be good reasons for concern.

The report accused many UK retail banks of leaving their customers exposed to fraud by neglecting to implement security measures such as website protections and allowing users to set insecure passwords.

Which?’s investigation, conducted with security firm 6point6, tested the online and mobile app security of the UK’s 15 largest current account providers, measuring criteria such as encryption and protection, login, and account management and navigation. 

Cyber attacks on the finance sector are not new, but as large banks and institutions bolster their defences, cyber criminals have turned their attention to high-net-worth individuals and the wealth management industry. A 2020 online survey of 200 family office executives, carried out by Boston Private, an investment group with $14bn under management, found that 26 per cent had suffered a cyber attack. The Boston Private survey found only 31 per cent of smaller family offices had implemented cyber security measures, versus 60 per cent of larger operations.

The most common cyber attack on family offices is phishing and criminals are becoming increasingly sophisticated when it comes to sending fake messages requesting financial information or convincing their victims to make payments to rogue bank accounts. They will often spoof or manipulate email accounts to impersonate genuine payees. An email like this nearly cost a wealthy British art collector £6m when cyber criminals managed to impersonate a genuine art dealer, with whom the collector had been negotiating for a year.

Reasons To Be Fearful 

While money is the big motivator for cyber attacks on financial institutions and wealthy individuals, it’s not the only target.  Financial and personal data in many structured and unstructured forms is worth a lot of money to hackers who can ransom it or sell it for identity theft and phishing. The threats were compounded further through the pandemic with so many people suddenly working from home. Connecting to a network remotely from new devices is risky and if just one endpoint is compromised, it can provide a back door into the whole network. Then there is the human factor, without doubt, the weakest cybersecurity link in any organisation. And while financial organisations invest in security awareness training, someone somewhere is always going to click on a malicious link or open a rogue document. Most recently, the invasion of Ukraine and increasingly unstable global geopolitics has heightened the risks of attacks from state-sponsored criminal groups.

Time For A Change

The traditional way to mitigate these risks is to try to identify and then block malicious activities using anti-virus software and more recent techniques such as threat intelligence centres, endpoint telemetry, zero-trust and user behaviour analysis. But cybercriminals have a habit of being one step ahead and while anti-malware vendors try to keep up, mainstream security is always one step behind.

So, why bother trying to identify anything malicious? A better way is to simply block all unauthorised processes from executing. In a business and financial environment, there is generally no reason for a previously unknown application, executable or script to run. If it is not on your list of authorised processes, then it should simply be blocked. A bit like the bouncer on the door. If you’re not on the list, you won’t get in. Using this approach, ransomware attacks on banks and financial institutions can be prevented before any damage is done. 

The other mainstream approach to preventing data theft is to layer up defences to stop cyber criminals from getting in. But a compromised user account will pass all these tests, granting the ‘authorised’ user easy access to data, which can be extracted to the endpoint and then stolen by copying it externally. 

Full disk encryption is frequently used to mitigate this problem because it encrypts your device. This is fine if you lose your laptop, but on a running system it will hand over decrypted data to every process that asks for it. And as cyber criminals can only steal data from running systems, full disk encryption cannot prevent this theft.

The answer is to encrypt all of your data, all of the time. But to work, full data encryption must be just as transparent and as easy to use and data needs to be encrypted at rest, in transit and in use no matter where it gets copied - including when it is stolen. 

This way, if cyber criminals steal data, it is useless to them, as they are unable to decrypt it – reverse ransomware you might say.

This approach also avoids the cost and hassle of deciding if data is sensitive or not. Rather than categorising data into different levels of sensitivity and treating them differently, all data is treated as sensitive. With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data. Security is most effective when it is applied as close to the source as possible and you can’t get closer than the data itself. 

Adopting this data-centric approach would make a big difference and at a time of global conflict and global instability, robust security is more important than ever.

The UK's NCSC is calling for "increased cyber-security precautions", particularly for national critical infrastructure, while US President Joe Biden has called on private companies and organisations in the US to "lock their digital doors", from possible Russian cyber-attack on the US. Data-centric security goes to the heart of the problem by securing data against theft and ransom. 

Nigel Thorpe is Technical Director at SecureAge 

You Might Also Read: 

Never Trust Anything Again - The Zero Trust World:

 

« US Supreme Court Blocks Texas Law On Social Media ‘Censorship’
Deactivated Domains Used For Spear-Phishing »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

AusCERT

AusCERT

AusCERT is the premier Computer Emergency Response Team (CERT) in Australia and a leading CERT in the Asia/Pacific region

WIRED

WIRED

WIRED is the magazine about what's next – the people, the trends and the big ideas that will change our lives. Topics covered include cyber security.

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA)

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing

Scale Computing

Scale Computing

Scale Computing is an industry leading application platform for EDGE computing environments covering retail, manufacturing, financial services and government.

Academic Centres of Excellence in Cyber Security Research

Academic Centres of Excellence in Cyber Security Research

The ACE-CSRs scheme is part of the UK Government’s National Cyber Security Strategy, working with academia and industry to make the UK more resilient to cyber attacks.

AlAnsari Technical Solutions (ATS)

AlAnsari Technical Solutions (ATS)

ATS is a Kuwait based company specialised in delivering hardware/software, Virtualisation, IP Telephony / Unified Communication, Networking and professional IT services and solutions.

CIRISK

CIRISK

CIRISK offers a wide range of services from consulting to audit or project management to help you develop your cyber security or information security strategy.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Guardio

Guardio

Guardio develop tools and products to combat modern web and browser threats.

SecureOps

SecureOps

SecureOps is transforming the Managed Security Service Provider industry by providing tailored cybersecurity solutions proven to protect organizations from cyberattacks.

PhishFirewall

PhishFirewall

PhishFirewall is an advanced AI-driven CyberSecurity Awareness Education, Threat Emulation, and Human Security Analytics Platform.

eaziSecurity

eaziSecurity

eaziSecurity has built an eco-system of technology and services that bring enterprise scale security solutions to the SME marketplace.

Fairdinkum Consulting

Fairdinkum Consulting

Fairdinkum is a leading full-service IT consulting firm with more than two decades of experience in the industry.

Saudi Information Technology Company (SITE)

Saudi Information Technology Company (SITE)

SITE is a forward-thinking enterprise, which aims at revitalizing Saudi Arabia’s digital infrastructure, cybersecurity, software development, and big data and analytics capabilities.

AI or Not

AI or Not

AI or Not - Leverage AI to combat misinformation and elevate the landscape of compliance solutions.