Who Can You Trust With Your Data?

In a recent survey of some 70,000 consumers across the US, Singapore, UK and Australia, security company Imperva found that just 37% of respondents trust financial services firms to keep their data safe. And it appears that many of us are becoming desensitised to cyber security risks with half of those polled said they couldn’t keep track of the security posture of the organisations they work with.

Another report in January 2022 from UK consumer group Which? suggest that there may be good reasons for concern.

The report accused many UK retail banks of leaving their customers exposed to fraud by neglecting to implement security measures such as website protections and allowing users to set insecure passwords.

Which?’s investigation, conducted with security firm 6point6, tested the online and mobile app security of the UK’s 15 largest current account providers, measuring criteria such as encryption and protection, login, and account management and navigation. 

Cyber attacks on the finance sector are not new, but as large banks and institutions bolster their defences, cyber criminals have turned their attention to high-net-worth individuals and the wealth management industry. A 2020 online survey of 200 family office executives, carried out by Boston Private, an investment group with $14bn under management, found that 26 per cent had suffered a cyber attack. The Boston Private survey found only 31 per cent of smaller family offices had implemented cyber security measures, versus 60 per cent of larger operations.

The most common cyber attack on family offices is phishing and criminals are becoming increasingly sophisticated when it comes to sending fake messages requesting financial information or convincing their victims to make payments to rogue bank accounts. They will often spoof or manipulate email accounts to impersonate genuine payees. An email like this nearly cost a wealthy British art collector £6m when cyber criminals managed to impersonate a genuine art dealer, with whom the collector had been negotiating for a year.

Reasons To Be Fearful 

While money is the big motivator for cyber attacks on financial institutions and wealthy individuals, it’s not the only target.  Financial and personal data in many structured and unstructured forms is worth a lot of money to hackers who can ransom it or sell it for identity theft and phishing. The threats were compounded further through the pandemic with so many people suddenly working from home. Connecting to a network remotely from new devices is risky and if just one endpoint is compromised, it can provide a back door into the whole network. Then there is the human factor, without doubt, the weakest cybersecurity link in any organisation. And while financial organisations invest in security awareness training, someone somewhere is always going to click on a malicious link or open a rogue document. Most recently, the invasion of Ukraine and increasingly unstable global geopolitics has heightened the risks of attacks from state-sponsored criminal groups.

Time For A Change

The traditional way to mitigate these risks is to try to identify and then block malicious activities using anti-virus software and more recent techniques such as threat intelligence centres, endpoint telemetry, zero-trust and user behaviour analysis. But cybercriminals have a habit of being one step ahead and while anti-malware vendors try to keep up, mainstream security is always one step behind.

So, why bother trying to identify anything malicious? A better way is to simply block all unauthorised processes from executing. In a business and financial environment, there is generally no reason for a previously unknown application, executable or script to run. If it is not on your list of authorised processes, then it should simply be blocked. A bit like the bouncer on the door. If you’re not on the list, you won’t get in. Using this approach, ransomware attacks on banks and financial institutions can be prevented before any damage is done. 

The other mainstream approach to preventing data theft is to layer up defences to stop cyber criminals from getting in. But a compromised user account will pass all these tests, granting the ‘authorised’ user easy access to data, which can be extracted to the endpoint and then stolen by copying it externally. 

Full disk encryption is frequently used to mitigate this problem because it encrypts your device. This is fine if you lose your laptop, but on a running system it will hand over decrypted data to every process that asks for it. And as cyber criminals can only steal data from running systems, full disk encryption cannot prevent this theft.

The answer is to encrypt all of your data, all of the time. But to work, full data encryption must be just as transparent and as easy to use and data needs to be encrypted at rest, in transit and in use no matter where it gets copied - including when it is stolen. 

This way, if cyber criminals steal data, it is useless to them, as they are unable to decrypt it – reverse ransomware you might say.

This approach also avoids the cost and hassle of deciding if data is sensitive or not. Rather than categorising data into different levels of sensitivity and treating them differently, all data is treated as sensitive. With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data. Security is most effective when it is applied as close to the source as possible and you can’t get closer than the data itself. 

Adopting this data-centric approach would make a big difference and at a time of global conflict and global instability, robust security is more important than ever.

The UK's NCSC is calling for "increased cyber-security precautions", particularly for national critical infrastructure, while US President Joe Biden has called on private companies and organisations in the US to "lock their digital doors", from possible Russian cyber-attack on the US. Data-centric security goes to the heart of the problem by securing data against theft and ransom. 

Nigel Thorpe is Technical Director at SecureAge 

You Might Also Read: 

Never Trust Anything Again - The Zero Trust World:

 

« US Supreme Court Blocks Texas Law On Social Media ‘Censorship’
Deactivated Domains Used For Spear-Phishing »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Security Audit Systems

Security Audit Systems

Security Audit Systems is a website security specialist providing website security audits and managed web security services.

Tinfoil Security

Tinfoil Security

Tinfoil is a simple, developer friendly service that lets you scan your website for vulnerabilities and fix them quickly and easily.

Egerie

Egerie

EGERIE's RiskManager solution provides a Global, Centralized, and Updated view of risk maps and security measures for your company.

6cure

6cure

The 6cure Threat Protection solution eliminates malicious traffic to critical services in real time and protects against DDoS attacks.

Online Business Systems

Online Business Systems

Online Business Systems is an information technology and business consultancy. We design improved business processes enabled with robust and secure information systems.

Elitecyber Group

Elitecyber Group

Elitecyber group is a team of Cyber Security recruitment experts who work for Cyber Security and Cyber Defence clients and candidates throughout Europe.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

Xperien

Xperien

Xperien is a leading South African Information Technology Asset Disposition (ITAD) company.

Strategic Cyber Ventures (SCV)

Strategic Cyber Ventures (SCV)

SCV grow cybersecurity companies that disrupt advanced cyber adversaries and revolutionize the cyber product marketplace.

SecurityGate

SecurityGate

SecurityGate.io is the only Integrated Risk Management platform built for OT/ICS cybersecurity.

Stanley Reid & Company (SRC)

Stanley Reid & Company (SRC)

Stanley Reid & Co is an Executive and Technical Search Firm serving the commercial market and the US Intelligence & Defense community. Our areas of expertise include Cybersecurity.

ToucanX

ToucanX

ToucanX has eliminated remote attack vectors without sacrificing productivity. We’ve brought embedded near real time virtualization to the enterprise endpoint.

Kontron

Kontron

Kontron offers a combined portfolio of secure hardware, middleware and services for Internet of Things (IoT) and Industry 4.0 applications.

CWSI

CWSI

CWSI provide a full suite of enterprise mobility, security and productivity solutions to many of Ireland and the UK’s most respected organisations across a wide range of industry and public sectors.

The Security Bulldog

The Security Bulldog

The Security Bulldog distills and assimilates open source cyber intelligence to enable security teams to understand threats more quickly, make better decisions, and accelerate detection and response.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.