Our GRC Solutions Director, Alex Hollis, was recently approached by SC Media, the leading information resource for cyber-security professionals in the UK and Europe, to provide commentary for a headline article, “BoE raises red flag over cyber-risk management in the financial services sector.”
The article discussed how the latest Bank of England Systemic Risk Survey suggests that Brexit is the biggest risk to financial stability in the UK, pushing cyber-attacks into a distant second place.
Alex’s response to the journalist’s questions are below:
Why are financial services organizations still struggling to get to grips with cyber risk management?
“All organizations struggle to maintain a strong framework of control around their IT provisions, unfortunately for financial services they are the most targeted and as such this presents a greater risk as highlighted by the Bank of England. Financial services tops the charts when it comes to being targeted by malware attacks with 27% of malware targeted at this sector (2018 IBM X-Force Report). The majority of this is from organized crime in an attempt to obtain details of high-value targets and where possible to commit grand larceny. Back in the 1970’s prior to the internet, much this crime was committed on a local scale, bank/post office robberies. The introduction of the internet has allowed business to work on a global scale but has also enabled criminals to operate on a global scale. The traditional ‘threat triangle’ requires motivation, capability and locality in order for a threat to be effective, technology has removed the locality as the internet makes everything ‘local’ to a potential attacker.
“Technology continues to improve at an ever-increasing pace. Financial Technology (FinTech) is a fast-growing industry with many startup brands making use of new technology which can conduct financial transactions at an ever-increasing speed. Traditional financial institutions are being pushed to embrace these new technologies at a pace which is putting increasing strain on their IT Management and Security functions to keep up. Control frameworks are not keeping up as financial institutions assume a position of maintaining compliance rather than managing risk.
“Finally, the scale of the task is immense vulnerability and patching is widely accepted to be a mountain that cannot be overcome as each day brings new vulnerabilities, it becomes an issue of prioritizing resource. For those that choose to outsource ensuring that the same level of assurance is being applied to their controls as risk cannot simply be transferred.”
What needs to change in order for these risk management concerns to decline?
“Financial services are not short on money and often try to buy their way out, the technologies purchased are often focused on known attacks. For example firewalls and anti-virus protect against known threat vectors but when you are the specific target of an attack, the approach to security must be predictive and fluid not just focusing on what has happened. A strong program of risk management which focuses on analyzing in detail the threat actors, their known attack vectors and patterns will provide some profiling behaviors. This will, of course, require technology but it is not the technology which will carry out this analysis, it must be focused teams who will continually maintain a register of the risks and the various threat-actors which are looking to exploit those risks. Control frameworks can then be updated in a much more agile and targeted way to reduce the risk, rather than being dependent on generic framework based controls which assume a generic threat. Much like a game of chess the opposition is a human who will react and adapt to the moves made by security professionals, as such it requires intelligence in order to continually recognize and respond to the changing strategies.
“The best way to open up that spending is for IT Management and Security to communicate better. They must convey the connection between risks and the exposure to the business so that senior managers and members of the board can understand the level of protection that is currently being achieved through the various patching and defensive activity as well as the level of threat evaluated by the proactive activity. Stop talking about IP addresses and servers and talk about the effect to the key business processes or information that is at risk.
“Crime and criminality will always continue to exist it will just change shape, so for these cyber risk concerns to decline attackers attempts must become more difficult than the alternatives.”
Read the full SC article here.
Learn about our Risk Management application here.
About Alex Hollis
With over 16 years’ experience in IT, mobile technology and software development, Alex has spent the last seven years specializing in governance, risk, and compliance (GRC). After just six months in the industry, Alex received a platinum-level excellence award for his work around risk bow-tie modeling, Solvency 2 and Basel 3. Now focusing primarily on operational risk, Alex has analyzed, designed and implemented GRC technology into 60 companies, including some of the largest and most complex environments. His experience spans multiple sectors, including telecommunications, aviation, pharmaceuticals, manufacturing, retail, public sector, financial services and insurance. A keynote speaker at prestigious industry conferences.
SureCloud provides Governance, Risk & Compliance (GRC) applications and Cybersecurity services that give our customers certainty – of risk management/compliance, of cybersecurity, of having answers today and tomorrow. Established in 2006, SureCloud is headquartered in the United Kingdom and has offices in the United States. SureCloud has more than 400 customers throughout the UK and US from the Retail, Financial Services, Government and other sectors.