Author: Stuart Crawford

Financial service firms: beware. Your data is a target. A new report out of the United Kingdom (UK) cannot underscore enough the severity of the issue. But it is nothing new. The FBI has put the alarms on since 2011, from threats of account takeovers to third-party payment processor breaches to securities and market trading exploitation to mobile banking exploitation and even supply chain infiltration, among other ways. Hackers are more advanced and more prevalent than ever. What is shocking about the new statistics from the Financial Conduct Authority (FCA) is the sheer increase of breaches after the implementation of the General Data Protection Regulation (GDPR). Here’s what to know and what to do.

Alarming Statistics from the FCA

The numbers are alarming and demonstrate a real concern among financial institutions and the protection of their assets and data. The total number of breaches reported by UK financial services firms to the FCA was 145 in 2018, which was up from 25 in 2017. That makes it an increase of 480%.

The breakdown of the 145 reported breaches is shown in the below chart (as provided by the FCA) with the last three years also included — this demonstrates the stark increase in reported breaches over the course of four years.

Why was there a dramatic increase in breaches in 2018?

There are a number of theories why financial services firms in the UK reported 480% more data breaches in 2018 than the previous year. The percentage alone is enough to send warning alarms throughout the work, but do the reasons justify the urgency?

• First, the financial services sector offers a lot of what hackers want: data and money.
• Second, much of the financial services sector has not been using the most advanced technology and artificial intelligence (AI) to protect their information and data, according to a report conducted by Accenture and released in 2018, Cost of Cybercrime: Financial Services. In fact, “only 26% have deployed AI-based security technologies and 31% advanced analytics.”
• Third, hackers themselves are becoming more numerous, bolder, and more sophisticated — alongside the advancement of technology.
• Fourth, the GDPR came into effect in 2018, which requires reporting breaches within 72 hours of discovery — so the increase in the statistics may be — in part — due to a legal requirement to report the breaches.

Thus, the combination of all these things: the financial services’ data, the desire of hackers to obtain that data, the limited protections financial services firms have had in place until recently, and the new requirement to report all play a role in the dramatic increase in reported breaches. So, not all is as bad as it seems. The increase can be in part attributed to the new requirement to report the breaches as opposed to earlier years when such a requirement was not present, and such reporting could be damaging to the reputation of the financial institution — thus, an incentive not to report until it became required.

What can financial services firms do to protect themselves better from hackers and data breaches?

Whether you are in the UK or the United States or elsewhere, financial services firms can protect themselves. It all involves a well-crafted IT plan-of-action that can include any of the below options according to the firm’s needs, wants, and specifications.

Implement and Education & Training Strategy

First thing’s first, you need to educate yourself and your firm on cybersecurity and cyber attacks. You need to know how hackers are hacking into your systems. You need to know what the latest technology is to counter hackers, including AI. You need to be informed on data management and data destruction and disposal. And you need to inform all staff and employees. The problem in data breaches is not only related to hackers hiding in a dark space using malware and other devices and software to obtain access to confidential information, but they use tricks via email and other means to gain access from, for example, unsuspecting and uninformed employees who open emails without thinking twice and who use poor passwords without consideration for how easy they are to be hacked.

An informed company and an informed staff are your first line of business. An internal team can conduct education awareness and training or else a third-party vendor can be hired to do so. It comes down to how large your firm is and what your resources are to manage it.

Assess Your Current Technology & Identify What You Need

You need to assess the current status of your technology, challenges, and vulnerabilities so that you can recognize what you need and where you need it. There are different ways or approaches a firm can take to assess its technology needs, but in general, it should include:

• Gathering information on company and employee needs, considering functional needs, software requirements, technical requirements, and security needs (i.e., natural threats from environmental conditions, intentional human threats (e.g., hackers and disgruntled employees), and unintentional threats (e.g., poor password creation or unintentional leaks).
• Reviewing the information gathered and prioritizing identified needs.
• Document the results from your findings so that you have the information in one accessible location from which you can build a plan.

Acquire the Technology You Need & Implement It

Once you have the information you need, design a multi-layered system that is:

1. Adaptive;
2. Responsive; and
3. Preventative.

Financial services firms can no longer stand to be reactive; too much is at stake. Once you know and prioritize what you need, acquire it and implement it. Research to ensure you purchase the best in technology and/or hire the best third-party vendor (e.g., a managed services firm). The goal here is to bring those statistics back down, or in the least, maintain them.

No matter how good technology gets, technical issues are still and will continue to be a major cause of lost productivity for individuals and companies. Problems with slow or crashed computers, loss of internet service, printers not working, dropped telephone calls, and other annoying little gremlins are costing companies millions of dollars a year, including yours. Whenever your tech isn’t working the way it should, you’re losing revenue and it quickly adds up.

A Sobering Statistic

To get an idea of just how costly all those little glitches are, consider the results of a recent survey by Robert Half Technology. The study found that, on average, workers spend about 22 minutes each day dealing with some type of IT issue. That adds up to an eye-opening 91 hours annually or two weeks of downtime for each employee in your organization.

So think about what that equals in loss of revenue. Some people generate more than others of course. But if you have a professional who’s billing by the hour, for example, or a salesperson who is bringing in say $10,000 per week, and they’re out of commission for two weeks each year, that soon starts to add up to some serious money.

IT issues will always be a fact of life for modern companies to one degree or the other but there is a proven way to keep them to a minimum and reduce their impact on your business operations. It all depends on how well your managed services provider, or your in-house team, addresses your needs and resources.

A Matter Of Strategy And Priorities

A good provider will devote time and resources to two key priorities:

• Optimizing your technology resources, regularly monitoring and testing your system to make sure it’s functioning at its optimal performance, and preventing problems from occurring in the first place, not just reacting when an emergency happens.
• Devising a strategy that implements the type of technology that will best serve your company’s unique and specific needs.

If you have systems and equipment in place that you don’t necessarily need, that’s a drain on your resources and budget and creates more complexity, and thus more opportunities for things to go wrong. If, on the other hand, you don’t have the capabilities you need, efficiency and productivity will be hampered.

An experienced and professional managed services provider will ensure that your organization has the right balance, providing you with the optimum in performance. They will also monitor your system in real time to spot potential problem areas, and to be able to react quickly when they do happen.

Your technology partner should be willing to work with you on a personal basis to devise a plan that will best fit your needs, and they should always be available. If you have a question or an issue, you don’t want to reach an answering machine or service.

It’s easy for a business to get used to minor tech issues and become complacent about them. But the fact is that they’re costing you more money than you know. Finding a good IT partner could be one of the best business decisions you’ll make.

Less than a year ago, the European Union instituted the General Data Protection Regulation (GDPR) to protect customer rights to data privacy.

The regulation created quite a stir in May 2018 when it was enacted, and has recently created even more of a stir because the first fines for non-compliance have been levied. While the EU granted a short amnesty period to allow organizations to comply with the regulation, the fines definitely send a clear signal that the amnesty period is indeed over.

Companies are responsible for implementing GDPR-compliant data policies; complacency about the regulation will surely not win the day. No excuses — comply or be fined; the EU has definitely made good on its promise to staunchly defend citizen rights to privacy.

Thus far, there have been three notable penalties. One of the most visible is, of course, Google, which received a €50 million fine in France, courtesy of French data regulator CNIL (Commission Nationale de L’informatique). Google’s fault according to CNIL is the lack of transparency and unclear consent regarding advertisements.

In particular, Google did not have one clear source of information regarding how data is collected. Instead, the information was interspersed into various documents and websites, creating a nearly impossible task for the end user to be aware of how their personal data is actually being used.

The bottom line is that users must be able to make an informed choice about whether (or not) to consent to Google’s use of their data. The other important factor in the Google fine is that CNIL clearly sent a signal that Google can and will be regulated by every data privacy authority (DPA) within the European Union regarding the GDPR rules. Companies that were just focusing on the data privacy rules in their own country have definitely taken notice.

Google will inevitably appeal CNIL’s decision and organizations around the world are anxiously awaiting said outcome. If CNIL’s decision stands firm, companies will have to make changes in how they conduct similar online platforms. Simply said, the outcome could possibly create a profound change in the relationship between consumer and advertiser.

In Germany, a similar social media platform was fined €20,000 for a breach that compromised personal information like passwords and email addresses from more than 300,000 users. While this fine could have been much worse for the company, many industry experts state that the company was given a much lower penalty for how they handled the breach. The company’s saving grace was a proactive notification of both customers and the German GDPR data protection authorities.

This last example of a GDPR-levied fine definitely brings home the message of the lengths the EU will go to protect their citizens. In this case, an Austrian businessman was fined for placing a camera outside his business. The camera was not clearly identified as a CCTV camera, yet it was recording a public space outside his business.

Since GDPR began, the EU has received nearly 100,000 data privacy complaints from its citizens and over 40,000 data breach notifications from companies. Experts say these numbers are low because they are based on voluntary contributions from only 21 of the 28 EU member countries. The numbers therefore are actually much higher.

So far, the GDPR has reported levying 91 fines, with 60 of those fines levied by the German DPA alone. GDPR definitely changes the compliance risk for organizations across the world. Heftier and more numerous fines are expected to be handed out in 2019 as the EU moves into GDPR with full steam.

The United States was once the trailblazer of the world when it enacted the mandatory data breach notification laws and punishment sanctions for non-compliant businesses. Now, the U.S. Congress is closely following GDPR and may soon enact similar privacy considerations to rein in companies like Google, Facebook and others who offer free products and services at the expense of a user’s personal information. Congress understands that what a consumer discloses today can have far-reaching implications years later, and they are definitely watching the implementation of GDPR as Europe nears its first anniversary of enacting the law.

When you think about it, it makes sense that hackers might target managed services providers (MSPs) — those organizations that are responsible for protecting the data and technology systems for hundreds or even thousands of other organizations. The Department of Homeland Security recently alerted MSPs to the potential activity from hostile actors who were targeting large organizations in a new way. These nation-state hackers were using managed service providers who provide outsourced website management and cloud functions to infiltrate a variety of companies. While any organization can potentially be vulnerable, MSPs often maintain an increased state of alert to ensure that any infiltrations are quickly discovered and remediated before the threat can expand.

How Cybercriminals Are Targeting Their Attacks

Managed service providers often maintain direct and unfettered access to client information, making them a key target for hackers. While perhaps not a daily occurrence, security breaches happen to organizations of all sizes — much more often than business leaders would like to admit. Attacks against a well-defended organization such as a managed services provider take an exceptional level of coordination, often perpetrated by high-powered, international hackers. These organizations often attempt to gain access to an MSP by using malware to steal administrative credentials before tunneling deeper into the infrastructure to gain access to additional machines and software. This business information is then packed out of the platforms, allowing hostile foreign actors to gain access to sensitive personal, financial and business information.

Are Managed Services Providers Safe?

Maintaining a secure infrastructure for your business is core for MSPs, as they have the dedicated and knowledgeable staff focused on protecting client and business information. While a compromise within a service provider can spread quickly if it is unnoticed, the active reporting and review by security professionals is likely to catch any infiltration before it becomes widespread. One of the key ways that managed services providers are being attacked is through APTs, or Advanced Persistent Threat malware. These sneaky programs are designed to gain deep access before they are noticed, but managed service providers have programs that trigger alerts for review by human security professionals to maintain a high level of security for your business at all times.

Maintaining adequate security measures as well as advanced backup and recovery mechanisms is one of the best ways to thwart these hackers before they are able to negatively impact your business or your customers. Local and cloud-based backup procedures, as well as proactive and quick recovery strategies, can mean the difference between losing access to your information for days or even weeks and being able to quickly restore full operations to your business.