Cyber crime is rampant. The Financial Conduct Authority has just revealed that in 2018 cyber incidents in the UK financial sector grew by over 1,000% compared to the previous year. What was behind that incredible spike? Let’s take a look.
Is GDPR causing an increase in reports?
The General Data Protection Regulation came into force across the EU in May 2018. While the regulation is aimed at protecting the personal data of individuals, in the short term it has caused a major spike in the reporting of cyber crime.
The reason for this spike is that the GDPR requires companies to report all incidents where personal data could have been exposed. Companies have to make these reports to their respective regulatory body - the Information Commissioner’s Office in the UK - within 72 hours of the breach, or risk serious financial penalties.
Companies may previously have been hesitant to reveal that they had suffered a breach - or the extent of the damage caused. With the GDPR now in effect, however, companies can no longer hide incidents, and we can see the full scale of cyber crime.
Cyber criminals are targeting valuable data
Cyber criminals are getting smarter. As more and more companies are taking steps to protect themselves from attacks and breaches, criminals know that they need to focus their efforts on the most attractive targets.
While almost any company will control data that is of use to cyber criminals - even things like email addresses can be sold on the dark web - the type of data handled by the financial industry is highly lucrative to any cyber offender.
Information about bank and investment accounts, payment details and other financial transactions and documents is worth a lot on the dark web. It can also be used to extort companies and individuals, with payment being asked in return for keeping the documents private.
"Financial services have a higher average cost of cyber crime than any other industry" - Accenture
The rise of Malware-as-a-Service
One of the driving causes of the rise in cyber crime is the service model. Just as the IT industry is seeing a transformation with Software-as-a-Service becoming the new model for software vendors, the criminal world is not far behind.
Creators of malware realise that they can personally take advantage of only a very limited set of the opportunities their software allows for. It takes time to find lucrative targets and breach them - but by taking advantage of the service model, criminal developers can close this gap.
Malware, botnets and information about software vulnerabilities can all be purchased on the dark web. Vendors of malware work with their customers and constantly develop new variants to allow their clients to go after new targets - all while limiting their own exposure.
A budding cyber criminal no longer needs to have any experience with software development or skill in finding vulnerabilities - they can simply buy their desired malware solutions right off the rack on the dark web marketplace. It’s no wonder that cyber crime is growing at an explosive rate.
Increasingly sophisticated phishing scams
Financial services are highly vulnerable to social engineering scams. As companies in the finance industry often handle large transactions and have offices and partners across the world, there is a lucrative opportunity for cyber criminals to breach communications.
CEO Fraud, a form of Business Email Compromise, is one of the most dangerous phishing scams. A cyber criminal poses as a CEO and sends an email to an employee, asking for a payment to be made urgently. As the employee believes the email to be from their superior, they make the payment - handing over the funds directly to the criminal.
How do I stop my business from becoming one of the victims?
The bad news is that there is no definitive way to ensure that your business does not become one of the many victims of cyber crime. Every technical solution contains a vulnerability that will sooner or later be exposed.
There is, on the other hand, a lot you can do to significantly reduce the risk of your business falling victim to an attack. While anti-virus and threat detection software can catch incoming attacks, the major cause of breaches remains human error.
Human error can be mitigated by applying access controls correctly, which reduces each employee's exposure to confidential information, and by training employees on the risks with a security awareness programme. This will not only reduce the risk of your employees exposing your business - it will also empower them to actively look out for threats.