The scale and evolution of cyber-attacks in the financial services industry need differential protection. We need the expertise within all levels of the team, along with the blend of process and technology within the organization – Chairman of a leading Financial Services Capital Markets Entity.
The question is not ‘if’ your organisation will be breached, or even when. It has already happened. The real questions are: is your organization aware of it, and how well are you protected for the future?
In today’s cyber landscape, it is just not possible to prevent all attacks or breaches. Cyber criminals have significant funding, or have access to cheap technology capability. They are patient and sophisticated and target vulnerabilities across an organization.
A number of us woke to newspaper headlines this week that two Indian organisations have paid up a few million dollars to cyber extortion calls. Apparently, one of those had a compromised email system for years. It was also reported that two banks were hacked / compromised but never reported it to authorities. My experiences suggest that a large number of organisations are under attack but are unaware, either due to the incapability to detect, or the sophistication of the attack they are facing.
I must submit that cybercrime is becoming big business and threat actors are far more serious and often have differing motivations, ranging from deriving financial benefits to disrupting business.
Cyber criminals are increasingly running their operations similar to a legitimate business (including guaranteed SLAs!), albeit with much less ethical consideration. They can convert stolen data into cash or cash equivalent benefits, leading to lost sales, strategic partner hijacking, counterfeit products, patent infringement, negotiation advantage and so forth.
A new breed of state-sponsored espionage threat actors are more likely to be very well organized and industrialized, with vast resources at their disposal. They seek to improve the strategic capabilities of their host nation sponsor by providing them with a range of information, which can lead to long-term strategic gains. The scariest part is that these attacks could be so evolved that they might not be detected until it is far too late.
It is no longer about one-off attacks; it is about sustainable compromise for significant gains.
The cyber threat landscape is much more complex than many other risk areas. There are a number of outstanding questions around risk, exposure, costs and levels of protection. Answers to these questions are extremely important to manage an organisation’s cyber focus:
- Do you know what you have that others want?
- Do you know how your business plans could make these assets more vulnerable?
- Do you understand how these assets could be accessed or disrupted?
- Would you know if you were being attacked and if the assets have been compromised?
- Do you have a plan to react to an attack and minimise the harm caused?
Oftentimes, the Board of Directors, Risk Committees, and senior management are not spending enough time on this threat. The basic questions above will help you focus your efforts and prioritise your actions.