by Guest Blogger, Shaab Al-baghdadi. F. IoD. Member of IAPP, Head of Strategic Relationships and Channel at Blackfoot UK Ltd.
Views expressed in this post are original thoughts posted by Shaab Al-baghdadi. These views are his own and in no way do they represent the views of the company.
It would be surprising if all CFOs and CTOs didn’t realise the need for appropriate security within their organisations. A loss of data can bring about reputational damage, direct financial loss, fines from regulatory bodies, large legal fees, an inability to trade whilst under investigation and, now, class actions from individuals.
Companies in the FIS vertical form a strategic part of the economic infrastructure and, as such, are potential targets not just for cyber criminals but also for cyber-terrorists, hacktivists and aggressive foreign states. The threat of attack is constant and ferocious, as can be seen from this real-time map of cyber attacks from around the world: http://map.norsecorp.com/
Attacks can take many forms, most with the objective of obtaining information that can be manipulated for financial gain. Phishing is the use of e-mails to obtain usernames, passwords and other information that can be used against an organisation. This form of attack has increased since 2011. The reason? Phishing is the path of least resistance for criminals, and the many ways a criminal can identify individuals within an organisation (LinkedIn, Facebook, Twitter etc.) add to its appeal. We have all had the rogue spam e-mail asking for “help with releasing a large amount of funds in an overseas bank”, but the targeted version of this attack, known as “spear phishing”, is much more sophisticated and normally takes the form of a campaign rather than a single attempt.
The statistics speak for themselves.
A campaign of 10 e-mails has a 90% chance that at least 1 person will become a victim. 23% of recipients now open phishing messages and 11% click on the link. Nearly 50% click on the phishing link in the first hour, 60% of UK office workers receive a phishing e-mail every day and, in a recent survey, 80% of participants failed to detect 1 out of 7 phishing e-mails. (Visit our previous blog ‘Phishing – Are you Ready to be Caught Out’ for more information.)
What does this mean for your organisation?
A security breach for any organisation can be disastrous; however, for financial institutions a data breach presents some unique challenges. Clients are interested in performance and return, but the associated damage to reputation and integrity can in many cases be long term and have a very real impact on client retention and acquisition. When a data breach is successful, clients are aware that criminals will use methods to extract their credentials. If an organisation can demonstrate a policy of security measures, this helps with the fallout and adverse media coverage as well as with negotiations and reporting to the FCA and ICO. What is less forgivable is a breach caused by employee negligence or naivety. Over the last two years more than two thirds of incidents that comprise the cyber espionage pattern have featured phishing. Employees are targeted because the process cannot be automated. If phishing e-mails are the gun, then employees may unwittingly be pulling the trigger!
What do you need to do?
Education and staff training are the key to minimising the threat. This is not just a technology issue: employees have to become aware of the threat, recognise the issue and understand the impact on the business and on themselves.
Understanding the problem internally is the first step, followed by implementing a strategy to improve awareness and, finally, monitoring the improvements. Carrying out a simulated phishing attack to ascertain the scale of the problem, and implementing an education programme that has minimal impact on the business’s day-to-day function but delivers maximum return, should be started immediately. Network Utilities, in association with Blackfoot, can arrange a simulated phishing attack and report on the findings, as well as discussing options for staff education, and would be more than happy to discuss this with you.
For more information and to discuss a free trial contact:
Anthony Mortimer, Business Development Manager, Network Utilities (Systems) Ltd.
020 8783 3800