Highlights from our April 2 webcast…
The challenge in a nutshell…
We all need to ensure that we do everything we can to protect ourselves in an increasingly uncertain, always-connected world where we are challenged by so many vectors:
- Traditional threats such as viruses and other malware
- Denial-of-service attacks that can knock out the ability to operate, and website defacements
- Social engineering and phishing, where calls, emails or other communications play on human gullibility to trick people into revealing passwords or other credentials
- Session hijacking and deepfakes, where intruders get into private meetings or information exchanges by posing as staff or others who hold approved credentials
- The ‘dark web’ acting as a huge clearing house for hacking tools, credentials and stolen data
- Ransomware, where demands are made under the threat of halted operations or other actions, and even nation state-sponsored attacks.
Scary risks…
Results can include loss of data and intellectual property, damaged reputation, regulatory fines and more. Leaders of building societies and their IT teams need to do everything they can to maintain order, but that is hard to do affordably as threats morph and multiply, and as AI threatens to create new waves of attacks at scale.
The specific challenge for building societies
Building societies are particularly challenged because:
- They are attractive targets as financial institutions with substantial flows of money in and out
- They may not have the budgets for sophisticated internal teams and tools
- They largely respond on a 9-to-5 basis, whereas attacks come 24 hours a day, 365 days a year
- They depend heavily on positive brand associations and trust
- They often have customers who are vulnerable and not sophisticated consumers of technology
- They carry a sizeable compliance and legal burden
Why things are tough
Although it’s tempting to keep defences ‘behind the corporate firewall’, it is difficult to combat today’s threats using purely internal defences. Experts are hard to recruit and retain, tools are expensive, and the threat landscape changes constantly, meaning defences must be rethought and renewed regularly.
Boards must take IT risk seriously
IT leaders need to translate technical issues into business terms, and company leaders need to listen and act accordingly, releasing budget as appropriate. Unfortunately, standards and rules that act as the equivalent of GAAP in accounting are not always readily available for cyber risk. Today, boards are confused by IT threats, so IT needs to speak a language business leaders understand, setting out the threats, the likely actions and their impact.
From detection to true cyber resilience
The discussion distinguished between:
- Traditional security (detect and respond): reacting to incidents once they occur
- Cyber resilience: ensuring the organisation can continue operating during and after an attack
Resilience requires:
- Continuous monitoring and threat hunting
- Backup systems and recovery plans
- Scenario planning and board-level involvement
- Clear understanding of critical data and business processes
The managed service provider offer
Managed service providers can help building societies by taking on defence as third-party specialists offering skilled people, state-of-the-art tools and infrastructure, and affordable, value-based tariffs. By using an MSP, building societies can keep an auditable set of metrics to satisfy regulators and be confident in their ability to trade securely, although accountability for the risk stays with the society and its board. By tapping into MSP cloud platforms and managed detection and response (MDR) services, customers get constant threat monitoring, automatically generated reports and affordable oversight. They also gain access to trusted advisors who can talk them through the risks and help manage the challenge.
Conclusion
Cyber threats are growing in scale, speed, and sophistication, making traditional approaches insufficient. Organisations must move beyond reactive security to a resilience-based mindset, combining technology, processes, and people.
Success depends on:
- Better board-level understanding
- Continuous monitoring and rapid response capabilities
- Strong governance and risk management
- Proactive planning for worst-case scenarios