How has the Covid-19 crisis changed how financial services should think about cybersecurity?

The pandemic has forced financial services firms to reconsider their digital defences or risk falling victim to cyber attacks. 

Covid-19 has changed how people work around the world. Businesses have had to embrace remote working to limit the spread of the contagion and to comply with the social distancing restrictions put in place by their lawmakers. However, companies are not the only ones that have changed their tack.

Cyber criminals have used the pandemic to double down on the number of hack attacks, frauds and phishing scams initiated. Early on during the health crisis, hackers tried to steal people’s credit card details by using digital maps and dashboards showing the spread of the coronavirus outbreak. Other digital assaults include a jump in disinformation attacks, mobile phone phishing scams, financial fraud and ransomware attacks. The digital threat posed by bad actors is clearly on the rise.

Of course, financial institutions are no strangers to cybersecurity issues, but the pandemic has forced firms to beef up their digital defences to also cover a remote workforce. This is considerably more difficult as working from home has left these teams unable to access the cybersecurity infrastructure they’d enjoyed in the office.

“The Covid-19 crisis caught a number of firms unprepared to have their entire teams working from home on personal or firm laptops lacking adequate monitoring and security capabilities,” says E.J. Yerzak, director of the cyber IT group at Compliance Solutions Strategies (CSS), the RegTech company.

Yerzak tells RegTech Analyst that many of these firms have rolled out flexible working options over the years. “Unfortunately, a number of financial firms are now waking up to the reality that they did not have reasonable controls to safeguard corporate data flowing through new and alternate communications channels at the firm,” he says.

The sentiment echoes that of cybersecurity company Bitdefender, which recently polled 6,000 infosec professionals from around the world, revealing that 50% had no plans in place for a scenario like the coronavirus.

“Financial firms’ current visibility into the impact of their cyber risks is now murky at best,” Yerzak says, warning that while several firms have rolled out quick solutions to cater to their remote workforce, this could leave “some new doors open to data exposure.”

While the infrastructure may be lacking, remote working has exacerbated the biggest risk to companies’ digital safekeeping – their employees. Remember that when Infosys polled 867 senior executives they found that 84% of these top dogs may have been worried about hack attacks, but that 76% were also concerned about low cybersecurity awareness among their employees.

Not understanding the threat could leave staff members more at risk of making a mistake that compromises the safety of the company’s infrastructure. “They’re not malicious and they’re not looking for personal gain – so they’re often seen to pose less of a threat to sensitive data, if firms have been able to quantify this risk at all,” says Tony Pepper, CEO of Egress, the data security company.

“Yet according to the Information Commissioner’s Office, this group of insiders is your top security risk in 2020. And in particular, misdirected emails are the number one cause of security incidents – resulting in 20% more incidents [of] phishing.”

Given the risk posed by employees failing to follow safety procedures, it’s concerning that a survey of 2,000 US professionals conducted by IBM Security found that 80% had never or rarely worked from home and 45% said they had received zero training to do so securely. Moreover, 42% said that they did not know how to protect confidential data at home.

“Firms [must] examine existing training regimes to ensure they address the unique risks of remote work,” says Marc Gilman, general counsel and VP of compliance at Theta Lake, the company providing services that make collaboration tools like Microsoft Teams and Zoom cyber-secure and compliant with legislation. “Threat actors have developed new methods for launching social engineering and cybersecurity attacks, so security awareness training and phish testing must be refreshed to account for these evolving techniques.”


Copyright © 2018 RegTech Analyst
