Cyber Security – How Protected Are You?
Thu May 28 2020
The advancement of IT is changing the way business is conducted in the financial services industry. IT is now a key enabler of a firm’s business strategy and is no longer simply a support function. In parallel, cyber-attacks on businesses are increasing in frequency, scale and impact, and are becoming more sophisticated and persistent. As a result, there is a heightened risk of IT systems failure and of cyber ‘trigger events’ (e.g. data theft or destruction).
Added to that, the recent COVID-19 situation has suddenly presented IT personnel, businesses and other users with a set of cyber security challenges that, whilst not unique, are being experienced on a significantly larger scale than ever before.
Criminals have been matching their scams to the news. Malware detections rocketed during the week that saw the first reports of COVID-19 infections in the UK, Italy and Spain. Additionally, in the week from 24 March, when the UK and Australia locked down, a spoofed World Health Organisation “Safety COVID-19 Awareness” email did the rounds, appearing far more professional than previous efforts.
Impersonation has been steadily increasing for some time and has accelerated since the outbreak. Much of the increase undoubtedly reflects the increased opportunity presented by current circumstances, with isolated employees and the potential lack of suitably robust verification processes, which criminals will hope to heavily exploit under the present lockdown measures in many countries.
The key threats to organisations during the response to COVID-19 stem from phishing, social engineering and remote access threats. These are not new threats, but with large numbers of staff working from home, there may be additional vulnerabilities where existing IT security services do not extend to remote devices, and where remote working was implemented under time pressure.
Many of the emails that get through security protections are COVID-19 lures. As mentioned above, one example is the email scam which falsely claimed to have originated from the World Health Organisation and asked recipients to click on a link to access safety measures regarding the spread of coronavirus. Clicking the link installed malware on the recipient’s device.
According to the National Cyber Security Centre, the following should be considered when processing emails in the current climate:
- Many phishing emails have poor grammar, punctuation and spelling – Ensure employees are aware of this type of threat and how to avoid it;
- Always check email addresses carefully, particularly if there are any financial implications to requested actions;
- Be wary of any emails referencing Coronavirus from an unrecognised source – Criminals will use the fear and uncertainty surrounding Coronavirus to scam users;
- Manually type in URLs to sites you want to visit rather than clicking on links; and
- Verify the mail – Do not contact the supplier of the invoice through links or the phone number supplied within the mail. Do not reply directly to the email. Contact a known supplier through pre-existing channels.
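As an added illustration, not part of the Brokers Ireland guidance, the following Python script applies several of the checks above (unrecognised sender, display name not matching the real organisation’s domain, mismatched Reply-To, coronavirus wording from an unknown source, links to unrecognised domains) to a constructed sample email modelled on the spoofed WHO lure. The known-sender list and the brand-to-domain mapping are assumptions a firm would maintain itself.

```python
"""Flag an email against the NCSC-style checks listed above, one flag per finding."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the firm already knows through pre-existing channels.
KNOWN_SENDER_DOMAINS = {"who.int", "firm.example"}
# Assumption: organisation names seen in display names and the domain they really use.
BRAND_DOMAINS = {"world health organisation": "who.int"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample (not a real message), imitating the "Safety COVID-19 Awareness" lure.
SAMPLE = """\
From: "World Health Organisation" <alerts@who-int-safety.example>
Reply-To: billing@invoices-fast.example
To: broker@firm.example
Subject: Safety COVID-19 Awareness - Urgent Invoice Attached

Dear Colleague,

Please click here <https://who.int.safety-login.example/measures> to access the
latest safety measures regarding the spreading of coronavirus.
"""

def registered_domain(host):
    # Crude: last two labels. Adequate for the sample, not a substitute for a public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if from_domain not in KNOWN_SENDER_DOMAINS:
        flags.append("unrecognised sender domain: " + from_domain)
    for brand, real in BRAND_DOMAINS.items():  # display name claims a brand, domain disagrees
        if brand in display.lower() and from_domain != real:
            flags.append(f"display name claims {brand!r} but domain is {from_domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registered_domain(reply.rsplit("@", 1)[-1]) != from_domain:
        flags.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if re.search(r"covid|coronavirus", (str(msg.get("Subject", "")) + " " + body).lower()) \
            and from_domain not in KNOWN_SENDER_DOMAINS:
        flags.append("coronavirus lure from unrecognised source")
    for url in URL_RE.findall(body):  # links whose registered domain is not a known one
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in KNOWN_SENDER_DOMAINS:
            flags.append("link to unrecognised domain: " + host)
    return flags

if __name__ == "__main__":
    for flag in check_email(SAMPLE):
        print("FLAG:", flag)
```

A message from a known colleague with no external links produces an empty list, so the script can sit in a mail-triage step and only surface messages that trip at least one check.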
Examples of Fraudulent Practices
Whether business users or private users, people should familiarise themselves with the methods criminals are adapting to scam and exploit vulnerable businesses and individuals. The following is a short list of some fraudulent practices:
- Phishing – Emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers;
- Smishing – SMS Phishing;
- Vishing – Phone Call/Voice Message Phishing;
- Social Engineering and Business Email Compromise (BEC) – targeting employees with messages purporting to come from their employers, instructing them to transfer money to another account;
- Remote Access Trojans (RAT) – a malware program that includes a back door for administrative control over the target computer.
Steps That Can Be Taken
- Keep anti-virus software up to date and maintain caution when opening attachments from unknown or unsolicited emails.
- Carry out regular scans for malware and spyware.
- Use a VPN (Virtual Private Network) to securely access your office database. This is a network that allows remote users to securely access office IT resources, such as email and the firm’s network. Contact your IT support service for more information.
- If working without a VPN, back up your data in a secure offline manner.
- Take inventory of which employees require full access to your entire office network and ensure that full access is not through personal devices.
- Consider logging into your office IT system using Multi-Factor Authentication. This can include a biometric reader, a unique login code sent by text, or a USB security key. This is particularly relevant when allowing a personal device to connect to the network. Using personal devices as work devices increases the exposure to successful attacks.
- Consider restricting use of personal devices to email and cloud services, and license the same anti-malware software used in the office for that device. In addition, consider limiting the ability to download and copy data to that device.
- Consider enabling BitLocker (on Windows computers) so that if a device is stolen the data on it cannot be accessed.
- Only connect via a secure private Wi-Fi connection.
- Set all virtual meetings to private, with password-only access.
- Ensure that laptops are encrypted, and systems installed to track and delete data from tablets and phones if they are lost or stolen.
Members should consider taking out Cyber Cover. Cyber insurance generally covers a firm’s liability for a data breach involving Cyber-attacks.
Some cybercriminals want to steal data so that they can hold it for ransom. This type of attack is a ransomware attack. Others will sell the data on the dark web to someone who will, in turn, exploit the data for profit.
Members should ensure that their IT security measures provide a level of security appropriate to the harm that might result from unauthorised access to the data they process.
The large increase in the quantity of data being processed remotely gives rise to data protection challenges for any business. Firms should conduct a review of how and where data is processed and stored by their staff, to ensure that all personal data (staff personal data as well as client personal data) continues to be processed in line with Data Protection legislation.
Cyber Security Info & Resources
Brokers Ireland is working on sourcing an arrangement with an IT security firm similar to what was agreed three years ago for members. We will have more information on this in the days to come.
Meanwhile, we have included a link to the Financial Broker Guide to Information Technology and Cybersecurity Risk, which was developed three years ago and remains very relevant today.
For official government cyber security updates see the National Cyber Security Centre Resources:
- https://www.ncsc.gov.ie/pdfs/WFH-Advisory.pdf (Working from Home Advice)
- https://www.ncsc.gov.ie/news/ (NCSC Weekly Security Updates)
- Keep up to date on Twitter – @ncsc_gov_ie
If you have any issues with any compliance matter please email Brokers Ireland at firstname.lastname@example.org
This document and information contained within is intended by Brokers Ireland as a general aid to Members. It is not intended to be relied upon as constituting legal advice to Members on how they are to discharge their professional obligations. Should Members have queries relating to their professional obligations and how these might be discharged, specific legal advice should be taken.