Avoiding Cyber Attacks with Technology and Policy
By George Ralph, Managing Director RFA
Today on the blog, RFA Managing Director George Ralph explains how firms can avoid cyber attacks utilising a combination of technology and policy.
Whichever way you look at it, cybersecurity attacks are an unavoidable fact of life and the finance sector understands this better than any other.
Any discussion that I have with IT Directors or CTOs from hedge funds, prime brokers or investment banks always comes back to cybersecurity. I can be having a discussion about something completely unrelated, like staffing: recruiting and retaining great staff, and the conversation will mysteriously morph into a discussion about the need to recruit a cyber specialist or outsource the role. For some firms, an Information Security Manager is sufficient, but others are going all the way, recruiting Chief Information Security Officers, Chief Risk Officers and Chief Security Officers. These board-level individuals are addressing cybersecurity at the most senior level to make sure the firm is as watertight as possible.
These could be wise hires, as ransomware threats are on the increase, according to Kaspersky Lab in their “2016 Predictions” blog. I was part of an interesting debate recently which centred around Cryptolocker, a nasty piece of ransomware that has been doing the rounds for a couple of years. Cryptolocker targets users’ valuable data, locking files until a ransom has been paid by the victim. The ransomware wasn’t the shocking part; it was the fact that 90% of the room said they would pay to unlock their valuable files. 90%!
A Sophos blog last year posed the question, “Ransomware – Should you pay?”. The blog outlines the types of ransomware and explains that Cryptolocker uses public-key cryptography, where there are separate keys for locking and unlocking files. The crooks generate the lock and unlock keys, send the lock key to your machine, scrambling your files, but retain the unlock key on their own servers. This means that no amount of searching on your computer’s disk and memory will unearth the unlock key. The only way to get around this is to pay up or lose your files. The writer concludes that it is OK to pay, but it is better not to pay. Sensible advice.
If you have not experienced an attack of this nature, lucky you; keep up the good work. I recommend a cybersecurity review which takes stock of your current estate and ensures that every application, device and endpoint is protected by an enterprise security solution.
In order to protect all devices, including user devices, network equipment, storage, servers, website, email system and any other communication tools that your firm may have, you will need to build a multi-layered security solution. This includes antivirus software, firewalls, a backup solution, encryption software, multifactor authentication to reduce password attacks, and mobile device protection. Ensure you keep your licences up to date too.
Employees are the weakest cybersecurity link, and it is crucial that employees understand how their behaviour can affect the whole firm’s security. Professor Pam Briggs, Chair in Applied Psychology at Northumbria University, believes that information security is ignored because it is not a key part of most workers’ jobs. Briggs believes that there are a couple of ways to make cybersecurity important to employees. Firstly, there needs to be a real threat that affects them personally, and secondly, they need to have the time and knowledge to deal with that threat. She recommends using visualisations: examples of how and when other people have experienced a threat. She also recommends rewarding employees for good cybersecurity practice. Combine technology with this advice, some straightforward cybersecurity training and simple, concise policies, and you have a greater chance of successfully avoiding an attack.