Financial services organisations provide attractive targets for the world’s fast-growing cybercrime industry because they have valuable data and, often, inadequate protection. Frances Russell, CEO of Australian managed security and services provider FooForce, explains how financial services organisations can protect themselves.
Cybercrime is one of the fastest growing industries worldwide. The global cost of cybercrime will be US$10.5 trillion annually by 2025, Forbes magazine estimates. Cybercrime revenue only slightly trails the total revenue of the Fortune 500 companies (US$14.2 trillion).
The Australian Institute of Criminology (AIC) published its cost of pure cybercrime report in July 2021. It estimated that more than 50% of Australian businesses have been victims of cybercrime in the past year.
The prime targets are businesses that hold the most sensitive data and are the most vulnerable to reputation damage.
Financial services organisations – including stockbrokers and financial advisers – are in the bullseye. Small and mid-sized businesses are lucrative targets – more so than large businesses. Why? There are many more of them and they tend not to have dedicated security expertise in-house or on-hand.
Broadly, an organisation's security responsibilities are onerous and three-fold:
- the technical task of putting the right equipment and policies in place
- responsibility to train staff, and
- significant tasks involved in complying with client requirements, regulatory body requirements and legislation.
The job is large and needs actual expertise. And remember, as an APRA-regulated entity, the responsibility lies with your Board.
As a small to medium enterprise in a vulnerable sector, it is easy to either feel overwhelmed or worse, stick your head in the sand and hope a cyberattack won’t happen to you.
The good news is there are simple steps you can take.
Accredited and reputable Managed Service and Security Providers can deliver the data security services that small and medium organisations in the stockbrokers and financial advisers’ sector need, but often can’t afford to have in-house.
But how do you know which provider to choose? The questions you ask are important:
- What are your qualifications? (Check they are real and have industry standing.)
- Have you had experience fighting and recovering from a cyberattack?
- What experience do you have with advising on IT security and strategy? (They should be able to demonstrate they can be your Chief Information Security Officer, not just an IT support person.)
- Do you have insurance?
- What other Financial Services organisations have you partnered with?
Here’s what a reputable Managed Service and Security Provider can do for you:
- Train staff so they are aware of the risks and how to avoid them
- Provide support
- Take care of your IT environment so it is always up-to-date and works the way you need it to
- Competently fight off a cyberattack, because they have the qualifications, skills and experience
- Ensure you have the kind of backup that is safe from attack
- Restore your systems within a short time in the event of a cyberattack.
There is plenty you can do for yourself and your own organisation, including:
- Train your staff so they recognise threats and understand how to safely use your IT resources
- Think security every time you plan a new project. Building-in security from the start is cheaper and more effective than adding it later
- Have a plan for how to recover from a disaster and practise it
- Have policies about safe IT, communicate them and enforce them
Your IT Partner, acting for you as your virtual CISO and your virtual CIO, can help you perform all these tasks to the professional level required to thwart attacks and satisfy client and legal requirements.
The Australian Government has committed to the Cyber Security Strategy 2020 and requires all government departments – and their suppliers – to conform to The Information Security Manual. All organisations – whether they supply government or not – are strongly advised to comply with the Australian Cyber Security Centre Essential Eight guidelines.
Regulators are serious about enforcing cyber-protection standards. For example, APRA-regulated entities must comply with CPS 234, which defines cyber-risk-management measures to strengthen the security of information assets.
As of 1 July 2020, third parties that handle information assets associated with any APRA-regulated entities also need to adhere to CPS 234, and prove it. This means:
- clearly define security roles and responsibilities for everyone in the organisation
- demonstrate your information security capability
- implement controls to protect your information assets and test these regularly
- recognise the Board is ultimately responsible for ensuring maintenance of information security
Cybercrime is a stark reality. However, governments, security services, police and Managed Service and Security Providers are there to help protect you and your organisation from these criminals.
Frances Russell is CEO and Managing Director of FooForce, an Australian Managed Service and Security Provider with offices in Sydney, Melbourne and Brisbane. Its clientele includes organisations across Australia as well as in Asia, the United Kingdom, the United States and the European Union. Frances is a qualified and experienced CISO and CIO and an accomplished strategist ready to help your organisation minimise cyber risks. Frances is ISACA certified: CISA, CISM and CRISC.