Here’s what the financial industry can learn from the UK government’s cybersecurity mistakes

Consumers need to know that their data, information, and assets are protected

Financial firms need trust to survive, and consumers need to know that their data, information, and assets are protected. They trust that their identities will be kept confidential, and they need to trust that critical services can be accessed with little downtime. Financial firms don’t just answer to their consumers but come under scrutiny from regulators, too.

If a firm is hit by a cyber attack, they risk undermining all the hard work they do to keep their consumers and regulators content. And recent Bank of England research shows that financial executives deemed cyberattacks to be the highest risk to the financial sector in both the short and long term.

These worries are understandable. Just this year we’ve seen how online threats and cyber attack attempts have come for larger and more influential businesses and organisations. We only need to take a look at the poor cybersecurity practices on display within the UK government to see how severe the consequences of a cyber attack can be. When Liz Truss’s phone was hacked, attackers gained access to sensitive information including discussions about the Ukraine war with officials. At around the same time, Suella Braverman was caught using her personal mobile device and email address to conduct business-related matters.

How was this allowed to happen? And what can financial firms take away from high-profile cyber security blunders to strengthen their own defences and ensure they don’t suffer severe financial, operational and reputational repercussions?

Cloud protection

Cloud computing adoption within financial institutions is widespread and growing. While firms have been using the cloud to streamline and enhance their internal operations for years, use of the cloud and SaaS applications for consumer-facing services is a more recent phenomenon. All of these activities in the cloud must necessarily remain highly secure and protected at all times. And leaders at financial firms are understandably concerned about the associated risks with increasing reliance on the cloud.

To mitigate against the risks associated with cloud computing, firms should firstly interrogate their current security posture and evaluate their use of perimeter-focused cybersecurity models. In an evolving threat landscape, cloud security needs a more modern, dynamic approach.

For a specific tool to help secure business use of the cloud, financial institutions should look to implement a Cloud Access Security Broker (CASB).  These tools enable organisations to adopt and realise the operational gains of cloud-based environments and SaaS applications while remaining secure and compliant, with the option to integrate their own individual security controls and requirements.

Crucially, CASBs protect corporate and sensitive data in the cloud and on hosted SaaS applications, providing real-time data visibility and security for these services.

Secure communications

In the modern working world, we’re used to firing off messages to colleagues and clients on-the-go, on multiple devices, often without thinking about the implications. While the use of on-the-go communications is liberating for the many firms who have successfully implemented hybrid and remote working policies, the case of Suella Braverman shows that all communications must be secured and sent on approved devices or through approved methods. It’s not enough to just accept that employees will use their personal devices to access corporate data and hope that data remains secure. What happens if that phone is stolen or compromised? And – critically for financial services – what happens if a trade dispute arises and there’s no reliable paper trail of who or what was involved? What might start out as a small cybersecurity mishap can quickly morph into a regulatory, or perhaps even legal, nightmare.

At a minimum, all users should have security software installed on their personal devices if they are used for work. Some businesses or organisations still give their users the option whether to download security software onto their personal devices, but this simply isn’t enough anymore.

Firms should also consider how to keep all their clients’ and employees’ communications protected with a secure communications app – one that protects communications across SMS, voice call, and even popular messaging apps such as WhatsApp and Telegram.

In addition to providing the regulatory and compliance peace-of-mind that financial services leaders need, protecting communications provides additional cybersecurity benefits. With the right kind of protection, mobile communications can be flagged for unusual or suspicious activity.

Securing communications also means ensuring that business-critical information is never sent or forwarded via email over web browsers. Doing so eliminates a huge risk associated with attackers looking to intercept and exploit data that isn’t secure or encrypted. It is paramount that employees keep their business communications, data, and documents separated from their personal devices – unless those devices come with the same protections as corporate-owned devices.

Mobile threat defence

To protect against the kind of cybersecurity problems that faced the British government earlier this year, firms should install mobile threat defence software (MTD) on all devices as a minimum. This software is specifically designed to protect mobile devices against a variety of cyber threats.

With the right mobile threat defence software in place, financial services firms can monitor and prevent attacks before they’ve even reached a device, with strong endpoint detection capabilities that continually assess and monitor live risks. Additionally, firms should look to a solution that encompasses a wide range of cyber attacks to ensure the greatest level of protection. What this means in practice is deploying a MTD solution that protects against malware and phishing attacks, as well as risks associated with user behaviour — such as apps installed outside of approved application stores.

Data protection and customer privacy is critical for financial firms. With this in mind, MTD software solutions can be designed at a granular, firm-based level, ensuring that each individual firm’s specific needs and compliance requirements are integrated within the solution. These requirements are set at the top-level, so they cannot be overruled. And in the unfortunate case of a stolen device or attempted attack, the most critical data and documents remain protected.

Going into 2023 and with cyber threats growing in frequency and severity, all firms should make cybersecurity a priority. This requires adopting the right tools and technologies, controls and policies to protect people, data, and devices. It also means cultivating a strong awareness of cybersecurity among employees and stakeholders. This positions financial firms with a holistic, forward-thinking approach to their cybersecurity strategies that will ultimately help stave off potential attacks and reduce bad practices.