Who Can You Trust With Your Data?

In a recent survey of some 70,000 consumers across the US, Singapore, UK and Australia, security company Imperva found that just 37% of respondents trust financial services firms to keep their data safe. And it appears that many of us are becoming desensitised to cyber security risks with half of those polled said they couldn’t keep track of the security posture of the organisations they work with.

Another report in January 2022 from UK consumer group Which? suggest that there may be good reasons for concern.

The report accused many UK retail banks of leaving their customers exposed to fraud by neglecting to implement security measures such as website protections and allowing users to set insecure passwords.

Which?’s investigation, conducted with security firm 6point6, tested the online and mobile app security of the UK’s 15 largest current account providers, measuring criteria such as encryption and protection, login, and account management and navigation. 

Cyber attacks on the finance sector are not new, but as large banks and institutions bolster their defences, cyber criminals have turned their attention to high-net-worth individuals and the wealth management industry. A 2020 online survey of 200 family office executives, carried out by Boston Private, an investment group with $14bn under management, found that 26 per cent had suffered a cyber attack. The Boston Private survey found only 31 per cent of smaller family offices had implemented cyber security measures, versus 60 per cent of larger operations.

The most common cyber attack on family offices is phishing and criminals are becoming increasingly sophisticated when it comes to sending fake messages requesting financial information or convincing their victims to make payments to rogue bank accounts. They will often spoof or manipulate email accounts to impersonate genuine payees. An email like this nearly cost a wealthy British art collector £6m when cyber criminals managed to impersonate a genuine art dealer, with whom the collector had been negotiating for a year.

Reasons To Be Fearful 

While money is the big motivator for cyber attacks on financial institutions and wealthy individuals, it’s not the only target.  Financial and personal data in many structured and unstructured forms is worth a lot of money to hackers who can ransom it or sell it for identity theft and phishing. The threats were compounded further through the pandemic with so many people suddenly working from home. Connecting to a network remotely from new devices is risky and if just one endpoint is compromised, it can provide a back door into the whole network. Then there is the human factor, without doubt, the weakest cybersecurity link in any organisation. And while financial organisations invest in security awareness training, someone somewhere is always going to click on a malicious link or open a rogue document. Most recently, the invasion of Ukraine and increasingly unstable global geopolitics has heightened the risks of attacks from state-sponsored criminal groups.

Time For A Change

The traditional way to mitigate these risks is to try to identify and then block malicious activities using anti-virus software and more recent techniques such as threat intelligence centres, endpoint telemetry, zero-trust and user behaviour analysis. But cybercriminals have a habit of being one step ahead and while anti-malware vendors try to keep up, mainstream security is always one step behind.

So, why bother trying to identify anything malicious? A better way is to simply block all unauthorised processes from executing. In a business and financial environment, there is generally no reason for a previously unknown application, executable or script to run. If it is not on your list of authorised processes, then it should simply be blocked. A bit like the bouncer on the door. If you’re not on the list, you won’t get in. Using this approach, ransomware attacks on banks and financial institutions can be prevented before any damage is done. 

The other mainstream approach to preventing data theft is to layer up defences to stop cyber criminals from getting in. But a compromised user account will pass all these tests, granting the ‘authorised’ user easy access to data, which can be extracted to the endpoint and then stolen by copying it externally. 

Full disk encryption is frequently used to mitigate this problem because it encrypts your device. This is fine if you lose your laptop, but on a running system it will hand over decrypted data to every process that asks for it. And as cyber criminals can only steal data from running systems, full disk encryption cannot prevent this theft.

The answer is to encrypt all of your data, all of the time. But to work, full data encryption must be just as transparent and as easy to use and data needs to be encrypted at rest, in transit and in use no matter where it gets copied - including when it is stolen. 

This way, if cyber criminals steal data, it is useless to them, as they are unable to decrypt it – reverse ransomware you might say.

This approach also avoids the cost and hassle of deciding if data is sensitive or not. Rather than categorising data into different levels of sensitivity and treating them differently, all data is treated as sensitive. With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data. Security is most effective when it is applied as close to the source as possible and you can’t get closer than the data itself. 

Adopting this data-centric approach would make a big difference and at a time of global conflict and global instability, robust security is more important than ever.

The UK's NCSC is calling for "increased cyber-security precautions", particularly for national critical infrastructure, while US President Joe Biden has called on private companies and organisations in the US to "lock their digital doors", from possible Russian cyber-attack on the US. Data-centric security goes to the heart of the problem by securing data against theft and ransom. 

Nigel Thorpe is Technical Director at SecureAge 

You Might Also Read: 

Never Trust Anything Again - The Zero Trust World: