SimCorp Blog

Cyber-security: threats from within an organization are just as real

Cyber-crime has grown rapidly into a lucrative business over the past few years, and cyber-criminals will continue to find sophisticated ways to breach the security perimeter of organizations.

Cyber-security continues to be a key buzzword, making headlines on a daily basis. Hardly a day goes by without news that a company has been hacked or that the private data of thousands of a company's clients has been published online. But what about the potential dangers of cybercrime in the global financial world? What can and should be done against it? And most importantly, are enterprise networks in Europe safe?

People as the biggest weakness to any cyber security program

By definition, companies within the financial sector are high-profile targets for cybercriminals, APT groups and hacktivists. It is therefore important that any cyber security program effectively mitigates both internal and external threats to the organization. Insiders – including employees, partners and contractors – pose a significant risk to financial institutions because they are already within the security perimeter of the organization. A negligent or malicious insider could compromise the corporate security perimeter, which could lead to exfiltration of sensitive information.

While broader media outlets will focus only on the breach of a company's security perimeter, specialists will look into the details to identify and differentiate the various threats. Assets are the people, the information and the other tangible and intangible items which belong to an organization. All organizations strive to protect their assets. A vulnerability is any weakness or gap within the security efforts which can be exploited by threats or threat actors. A threat is anything which can exploit a vulnerability, either intentionally or unintentionally, and cause damage to the assets. Finally, risk is the probability of loss or damage to an asset as a result of a threat exploiting a vulnerability. Thus, assets are what an organization wants to protect, threats are what it is trying to protect itself against, vulnerabilities are the weaknesses within the protection efforts, and risk is the meeting point of threat, vulnerability and asset.

So what should the guardians of the digital environment focus on?

Cyber security professionals should have a good understanding of the dynamic nature of the cyber threat landscape, whilst knowing the assets they are trying to protect against these threats. In general, there are only limited funds available for a cyber-security program within an organization, so a pragmatic approach needs to be taken against the sophisticated threats we currently face.

How big is this risk for the financial services sector? And what does it mean for other sectors? Statistics from independent reports (like the Verizon 2017 Data Breach Investigations Report) state that 24% of breaches took place in the financial services sector, followed by other industries such as health care, the public sector and retail. Data breaches and losses are a big risk to all industries, and organizations should work together on more resilient security programs to help protect against ever-growing threats and attacks. Some of the cyber challenges currently facing the wealth management industry are: compromised trusted insiders with privileged access to confidential data; malicious insiders; compromise of elements of the supply chain, including trusted partners and third-party components; and compromise of customers themselves in order to gain access to valuable information.

Does this state of affairs then add importance to in-house strategizing for mitigating cyber security risks within the financial services sector? Cyber risk is the highest risk which most industries, including the financial services industry, face. To fight against cyber threats, it is important to have a structured strategy which embeds a recognized cyber security framework like NIST, one which not only looks at identifying, detecting and protecting the assets but, in case the defenses are breached, also offers a systematic approach to remediating and recovering quickly from a complex attack.

Needless to say, the challenges the financial institutions face in developing resilience technology versus fintech disruptors are sizeable. The budgets available to the cyber security program are always going to be limited when compared to the funding available to the cybercrime industry. Thus we are always going to fight against a sophisticated threat which is well funded and growing dynamically. It is key to invest pragmatically and to share threat intelligence within the financial sector and wider community to be able to develop a secure community.

Cyber-threats are growing exponentially. As the digital footprint of organizations grows, they will be exposed to more threats. So institutions should look into embedding security into their business model to fight effectively and efficiently against the growing threat landscape. Traditionally, organizations have assumed threats to be external. So most security programs are rather weak against insider threats, and organizations should start looking into a boundary-less security model. It is hard to say exactly, but despite the many investments made, my gut feeling is that the maturity in these matters is still quite low. On a scale of 1 to 10, I’d say the level of the average cyber-security effectiveness of any organization in Europe stands at a low 4.

What more can be done by international networks to protect themselves?

Data should be at the center of any mitigation control, and data-centric security models will effectively mitigate against any breaches to the networks. Cybercriminals are looking to get into the networks with the primary aim of exfiltrating data. Consideration should also be given to mitigating against lateral movement of unauthorized access within the networks. It is important for an organization to understand the cyber risk it faces. There has been increased focus from both regulators and clients. Management should support appropriate funding of the cyber-security program, and security has to be embedded into the life cycle of the key assets of the organization.