Gill Wadsworth looks at how cybercrime has skyrocketed during the pandemic and the solutions on offer.
One trillion US dollars; that was the total hit to businesses that fell victim to cybercrime in 2020. According to figures from Atlas VPN, cybersecurity-related losses have rocketed by 81% since 2018 and their trajectory shows little sign of slowing.
Financial cost is one very real threat from cybercrime, but the reputational damage to companies whose IT systems are undermined can be even more devastating. Research from PwC found that nearly nine out of ten consumers (87%) will consider ditching a provider if they have been hacked.
While all companies are vulnerable to the financial and reputational damage of cybercrime, financial services organisations look especially exposed. Data privacy breaches are even more acute given the sensitivity of client information held by banks, asset managers and others.
On the financial side, the risks are also greater. A 2019 study from Accenture found that the average annualised cost of cybercrime for financial services companies globally increased to $18.5m in 2019, which was the highest of all industries included in the research and more than 40% above the average cost of $13m per firm across all industries.
As a report from PwC into cybercrime says: “Criminals target financial firms because that’s where the money is.”
The cracks appear
This vulnerability of financial organisations to cybercrime has been compounded – and to a certain extent caused – by the Covid-19 pandemic, which forced many employees into home offices that lacked the security to protect them and their employers.
“Working from home became the new normal for many, but most organisations were just not prepared for this sudden shift,” says Eklove Mohan, senior director, technology at Synechron. “The dilemma was to either, first tighten all the nuts and bolts of security and then focus on working from home, or first keep the business running by providing an office at home and then tighten the security. Understandably, organisations chose the latter.”
However, Eklove says this cyber sticking plaster is not going to prove much of a preventative barrier to viruses and other attacks long-term.
“It’s now time to revisit cybersecurity and patch all the loopholes that may have been left open,” he adds. “Organisations need to invest in cybersecurity, whilst also revisiting and fixing issues that have not been prioritised or were even ignored over the past 18 months.”
A sensible starting point lies in getting staff up to speed with their new responsibilities as home workers. A survey by Doherty Associates found that two-thirds of employees ignore virus security scans for more than two days. Fifty-seven per cent of the general workforce say they save corporate data to personal devices or cloud-based servers, while two-fifths have made a note of work passwords on a computer, phone, spreadsheet or notebook.
Steve Vinnicombe, chairman of solutions at Delta Capita, says: “A big chunk of cybercrime relies on users being deceived, so training and awareness are critical if companies are to protect themselves. However, we don’t see companies investing enough in this.”
This lack of investment is borne out by the more than two-fifths (42%) of IT decision makers who responded to the Doherty survey believing they are ‘inadequately protected against the threats of home working and that they lack confidence in their existing threat visibility and detection systems’.
Investment in cybersecurity will be critical if financial services are to build appropriate defences against attacks in a post-Covid world.
Vinnicombe says, “There is no shortage of industries challenged by Covid-19, but when you consider the cost of paying for cybersecurity you need to step back and look at the sums of money involved. If you are attacked, it will cost a lot more than taking defensive action; trying to save on cybersecurity is a false economy.”
Bolstering the defences
Not investing in cybersecurity may well be a false economy, but some solutions do not come cheap. Projects to toughen defences will likely require buy-in at board level if they are to be successful. For financial services companies – where cybersecurity should be a major priority – it may be beneficial to appoint a chief information security officer who can report directly to the CEO.
Terry Doherty, CEO of Doherty Associates, believes “every organisation needs board level representation from someone who has the ability to translate the technology into the business risk, value and cost.”
There has been a significant advance in the types of cybersecurity systems on which financial services organisations can spend their money. The major drawback, however, is that cybercriminals are hacking their way through solutions just as soon as they are built.
As Doherty says, “Good cybersecurity is a bit like an onion; you need lots of layers.”
Eklove agrees and says financial firms should call on artificial intelligence (AI) and machine learning to build the appropriate layers of security into their systems.
He says, “The best way to defend is to build layers of security. Even if the attacker can break one layer, there is another one to protect. Worst case, it buys more time for the organisation to detect and take preventive actions.”
A major advantage of AI is that it learns from attacks that have been carried out at other organisations or in different countries, and can not only identify when it is happening again but take mitigating action.
Eklove says, “AI-based tools take an action immediately when a threat is detected while keeping admins informed. With AI in the mix, the organisation adopts the principle of being proactive rather than reactive when it comes to cybersecurity.”
Encryption is also an important defensive layer and, while relatively simple to implement, appears to be overlooked by financial services firms. The Doherty survey found just 29% of IT decision makers say they have applied encryption to devices and only 18% use data encryption.
Secure data storage is another straightforward and cost-effective step firms must take if they are to beat the cybercriminals. Accessing the cloud is a step Doherty says all financial firms should be taking, if they are not already. As well as offering huge potential to enhance collaboration and productivity, cloud-based technologies can deliver reliable end-to-end security, as long as firms take all the necessary steps to protect their workers, wherever in the world they may be.
Moving beyond the basics and looking to the next generation of cybersecurity options, James Alliband, security strategist at tech firm VMware, says tech solutions will develop that gather data from across the layers of security to further strengthen systems and improve response times.
He points to extended detection and response (XDR), which collects and automatically correlates data across multiple security layers.
“One of the biggest struggles [for cyber security specialists] is alert fatigue. How do we look at the alerts and make any detail from them? They don’t have the time to respond. XDR is one of the biggest areas of machine learning because it helps people respond to threats quickly,” Alliband says.
Alliband says there are many XDR offerings coming to market, but he argues that what is really needed is a single platform that can consume data from all these different places and build context.
Ultimately, since the good and bad guys benefit simultaneously from advances in technology, keeping a business safe from malicious cyber-attacks is something of an uphill struggle, but it is one that cannot be side-stepped.
Given financial organisations’ specific vulnerabilities to cybercrime, it is imperative they get ahead of the game and make investment now. Failure to do so could cost us all dear.