Financial services businesses are an enticing target for cyber criminals. What can you do to avoid becoming a victim?
The financial services industry is a juicy target for cyber criminals, because of the enticing balance of risk versus reward and the fast evolution of technology – both corporate and consumer – which presents a smorgasbord of new potential vulnerabilities.
Cyber security is a priority, then, evidenced by growing IT budgets and the battle to recruit experts capable of battling bad actors in a mutating threat landscape. What represents best practice in this area, and how can we ensure businesses are protected?
“While we often read about manufacturing or industry being targeted, the financial services sector can actually be considered the ‘most at risk’ or targeted by groups around the world, quite simply because it’s the quickest route to a payday,” says Ric Longenecker, Chief Information Security Officer at Open Systems.
“Unfortunately, it is almost impossible to completely secure data until we have implementations of homomorphic encryption,” adds Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University. “Cybercriminals’ tactics are always evolving, so it’s really up to the owners of the data to secure it.”
In other words, financial services businesses are a tempting target and there’s no practical way to completely protect your business, so what can you do?
Getting the basics right is fundamental, and that starts with understanding both the attack surface and any vulnerabilities criminals will likely prioritise within your organisation, along its supply chain and even the customer base.
Hybrid working structures, for example, present new complexities. In 2020, at the start of the Covid-19 pandemic and with lockdowns in full swing, 44% of financial services organisations experienced cyber-attacks, according to Akamai Technologies.
Denial of service attacks increased 110% the same year, and online targeting in general climbed 62%, with Akamai spotting a total of 736,071,428 web-based raids on businesses in this sector alone.
The fight back
Shielding any organisation from such an onslaught is no mean feat, but your defences should incorporate three general parts: people, technology, and planning. Recruiting cyber talent is obvious, if challenging, but perhaps less so is the equally critical need to train non-tech staff to mitigate, identify and respond to threats.
“Cybersecurity is not the sole responsibility of the security team,” says Richard Meeus, Director of Security Technology and Strategy EMEA, at Akamai. “Companies are vulnerable due to a mix of outdated technology, “good enough” defence strategies focused solely on perimeters and endpoints, lack of company-wide training and awareness, and poor security etiquette.”
Coaching people on the risks of cybercrime, with regular refreshers, helps to bolster your defences, something which is particularly useful when hiring top security professionals is getting harder.
Trellix found that 85% of cybersecurity professionals globally believe workforce shortages are impacting their organisation’s ability to secure complex information systems and networks.
“[It’s] a potentially deadly notion in the current climate,” says the organisation’s VP EMEA Fabien Rech. “IT teams are under increasing pressure and under-resourced. Moving from the uptick in threats during the Covid period to responding to the crisis in Ukraine has left cybersecurity professionals fatigued, increasing the chances of a serious threat slipping through the net.”
Alongside competent, aware, and skilled people, new technology provides an important layer of protection. Like car thieves, cyber criminals most often zero in on soft targets, meaning making your business hard to break into could be enough to send them elsewhere.
Richard Meeus of Akamai says there are a few solid options here: “Organisations can reduce the attack surface by ensuring that staff use FIDO2 Multi-Factor Authentication [passwordless solutions, such as fingerprint login] whenever possible and by regularly running phishing awareness campaigns.
“Layered defences and segmentation make web attacks costly for opportunistic attackers and act as a compelling deterrent. MFA is a key tool in Zero Trust Network Access, a strategy that limits and controls access, enforces continuous authentication and authorization, and layers defences so that incident detection is as quick as possible.”
Investing in modern, powerful detection tools to catch an unfolding ransomware attack, clear data visibility and segmentation, as well as deception tools including honeypots, will buy precious time in the event of an attack, he adds.
But for good people and good tech to work seamlessly, you need a plan encompassing prevention, identification, and response. Experts acknowledge that no organisation is airtight and that IT teams should think in terms of when, and not if, an attack will occur.
“It’s key that while an organisation is staffed well with compliance folks, that operational or ‘practical’ security, compounded by reasonably funded IT services and outsourcing remains a strong and well-understood consideration,” says Ric Longenecker, Chief Information Security Officer at Open Systems.
“In the end, compliance is supported by good technical management and principles - and is what keeps an organisation afloat when under attack.”
A plan should incorporate all these factors, while negotiating the tricky balancing act of keeping people safe while allowing business as usual.
According to Trellix’s Fabien Rech: “To mitigate ever-evolving threats, financial organisations must implement a living security strategy, turning the once static shield to an adaptable one.
“Extended detection and response can provide businesses with a holistic ecosystem that consolidates all security products into an interconnected, constantly communicating platform that’s always learning and adapting to new threats. As a result, they can stay one step ahead of adversaries, adapt to new threats, and accelerate detection and correction through the entire defence lifecycle.”
The problem of cybercrime is not completely solvable, but businesses that bring together a sophisticated and adaptive combination of relevant technology, protocols and teams will swerve many of the traps others fall into.