By Allen Jones

It is in the headlines on an almost daily basis, but many financial services businesses, of all sizes, still operate in an ‘I hope it won’t happen to me’ mode. This should never be the case, and the importance of highly effective IT with excellent security and great security service should never be underestimated.

To put this in context, in a recent speech in London, the UK’s financial services regulator, the Financial Conduct Authority (FCA) recognised that it sees “no end in sight” to the accelerating increase in IT failures and cyber attacks on the financial services sector.

The level of disruption when there is an IT breach or failure should never be underestimated. A way I try to bring this to life when talking with clients or potential clients is to use examples of IT failures to which most can relate. This means occasions such as when internet access is down for a whole hour and there is no email access, or when a mobile phone is misplaced for a couple of hours.

Most people can recount such IT stresses, recognising the temporary inconvenience, panic and disruption such instances cause. The problem with a cyber attack is that it is considerably less temporary and can create multiple problems, bringing a business to a halt for an extended time period and creating all manner of unwanted reputational, financial and potentially legal issues.

According to the FCA, in the UK, there had been a 138% increase in technology outages in the year to October and an 18% increase in cyber incidents. Their observation was that “all the trends that we’re seeing at the moment suggest an increasing threat to UK customers, and financial markets, from technology outages and cyber attacks.”

Regardless of scale, financial services businesses need to review their IT security procedures (physical and digital), their back-up and contingency plans, resources and insurances.

Central to this has to be the support available from technology providers and/or hosting partners. As a minimum, this should extend to details of the security ‘baked-in’ to the technology (or not!), an assessment of the security risks for any plug-in technology and the back-up and support available should an IT security breach occur. For those seeking the ultimate peace of mind, ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs). It is a rigorous and comprehensive specification for protecting and preserving information under the principles of confidentiality, integrity and availability. Yet, even then, that peace of mind is no excuse for not maintaining the good discipline of regular security checks.

It is a step that the FCA made very clear when they pointed out: “The true test of the resilience of UK finance is not the absence of incidents, it’s how well incidents are managed.” Sadly, they also noted that a third of firms the FCA surveyed did not carry out regular cyber assessments, while nearly half of firms do not upgrade or retire old IT systems in time.

An option worthy of consideration for financial service providers is cyber security certification. As well as reassuring the business internally, certification can be a great way of reassuring customers that you take IT security seriously. In the UK, the government offer a useful site to help guide organisations to certification –

Having acted as a conscience, I’m pleased to say that we can also provide some practical help. Supporting our clients with their cyber assessments is part of our consulting approach; after all, we want our clients to be confident that they are minimising the security risks while gaining the massive competitive edge that web-based software provides.

As I write this, I note that O2 have suffered from an outage impacting some 25 million people, due to what they report is a software issue identified by a third-party supplier. It seems a timely way to conclude that there is a value to high-quality security and associated audit and checking controls; no business can be absolutely immune from a breach, but they can work to minimise the risks. Better to discover any issues now before it’s too late.