Ongoing hybrid working practices threaten to leave financial institutions exposed after the pandemic.
The pandemic has been devastating for many people and firms; however, some found a silver lining. As bad as things might have been for people, economies and society, it was boom-time for cyber criminals. They flourished during 2020, and will continue to be a major threat as we get back to business.
The figures are bleak. Reports of cybercrime shot up by almost 70% in the US compared to 2019, and the UK saw a 31% increase. Lockdown created an ideal environment for cyber criminals: overnight, businesses had to convert to remote working models, people had to work from their own unsecured devices, data became mobile, and businesses had to operate in a way that their security strategies were totally unprepared for. Mostly, remote working was successful, but it made businesses vulnerable and, if recent surveys are anything to go by, they still are: 58% of businesses think remote working puts them at risk of a data breach, and a third of IT decision makers say employees knowingly put corporate data at risk.
Cybercrime is evolving, as is regulation
The Quarterly Fraud Report found that phishing remains the most common approach, but others such as brand abuse (hackers imitating brands) are becoming more common. Phishing accounted for 33% of attacks, up 13% from the previous quarter. With more people banking online, account takeover attempts soared, and logins to an account from a new device accounted for 31% of fraud activity. The amount of fraudulent activity originating from a mobile device increased by more than 25%, while the number of fraudulent payment transactions from mobiles rose by 17%.
Regulators have been understanding of companies having to think on the hoof during the pandemic, but they will increasingly expect adjustments to the new ways of working to be in place. Consequences for businesses, such as censure and fines, can be mitigated if strong controls and working practices can be demonstrated. While regulation does lag behind the emergence of new issues, new and amended rules are being brought in, for example the requirement for smartphone manufacturers to tell their users when they can expect their devices to stop receiving security updates. We can also expect further changes to cope with some of the unique challenges posed during the pandemic.
Are businesses facing up to the challenge?
All signs point to remote and/or hybrid working becoming the norm for many businesses. Businesses will need to overhaul their security strategy to monitor an increase in the use of endpoints, mobile devices and third-party relationships. All of these open new gaps in defences that were designed for office-based working. However, many companies remain surprisingly nonchalant about this gap in their defences. Employees have been allowed to buy their own devices, which might not have been fully secured. Old versions of software such as Zoom are still common, complete with a host of known security vulnerabilities. Another study, by Tessian, revealed some further startling stats:
· 43% of employees have made mistakes that have compromised cybersecurity
· A third of workers rarely or never think about cybersecurity when at work
· 52% of employees make more mistakes when they’re stressed, while 43% are more error-prone when tired
· 58% have sent an email to the wrong person at work and 1 in 5 companies lost customers after an employee sent a misdirected email.
Even more worryingly, due to the pandemic, many firms are cutting IT departments in an attempt to slash costs.
At a time when the risks are multiplying, companies are compromising their own capacity to counter those risks, leaving them painfully vulnerable to attack, while regulators expect firms to maintain the same high standards of security they did before hybrid working.
Ways that firms can do this include using technology to keep up to date with regulatory insights and using collaborative tools to ensure every step is taken to satisfy regulators. While firms' employees and resources dwindle, it has never been more important to ensure obligation changes are tracked, and this is where regulatory technology like Waymark's can help.
A further step is for firms to build on the role of the IT department, ensuring every employee is trained in cybersecurity practices and that only approved and secured devices are used to connect to central systems. Undertaking a full risk assessment to identify areas of vulnerability and remedial measures is crucial.
If nothing else, these efforts will show regulators that firms have taken all reasonable measures to secure their systems. This will play an important part in how any data breach is treated, if and when it occurs.