‘Security has traditionally been sold on a powerful combination of fear, uncertainty and doubt. With cyber security, that is no longer the case: the simple truth is so scary that there is no need to go over the top, and the emphasis today is on education, rather than exaggeration.’
—Alastair Paterson, Digital Shadows CEO
The UK wealth management industry has a complacency problem. A GlobalData report suggested that only 31% of UK-based providers believe their clients to be increasingly concerned about data breaches (compared to 60% of providers worldwide), and that 20% are not worried about the impact of a breach on their reputation (compared to 8% worldwide).
There is some evidence that this is changing. Whilst a 2017 KPMG report found that only 39% of asset management CEOs surveyed believed they were fully prepared for a cyber attack, an early 2018 survey found that 50% had plans to increase cybersecurity expenditure that year. However, increasing budgets is only part of the solution: firms also have to understand the types of threat they face and how to counter them most effectively.
Wealth management firms have traditionally exposed less of their business systems to the Internet than other financial sector firms such as banks, which may explain the slow adoption of necessary cyber security controls. However, a small attack surface is no protection if the services you do expose give an attacker a way in. To verify that your publicly-accessible services are secure, it is vital to schedule regular (e.g. quarterly or annual) penetration tests, in which a qualified tester acts out the role of an attacker to identify vulnerabilities in your systems and then writes up their findings in an actionable report.
This is only the tip of the iceberg. As supply chains extend and more third-party suppliers are required to deliver more complex services, the risk to your firm increases. A committed attacker who finds no way into their initial target will not stop there, but will look for the weakest link in that target's supply chain and exploit it to gain access. We saw this in the 2017 NotPetya attack, in which attackers compromised the developers of a popular piece of accounting software used by a number of major multinationals.
Finally, the most common cause of a breach is, and will likely always be, human error. Phishing, where attackers try to trick a target's employees into performing specific actions (e.g. clicking a malicious link) through mass spoof email campaigns, has been supplanted by spear phishing, where attackers tailor their messages to specific employees in order to increase their success rate. This has even developed into whaling, or CEO fraud, where the highest-level employees are targeted.
Protection against these sorts of attack requires educating both your employees and, potentially, your clients. Mitigate provide a range of training services through our Educate range, as well as Mitigate, the complete internal cyber security solution that provides GCHQ-certified e-learning, assessments and real-time risk-tracking statistics across your entire business.