Cyber threat commonly refers to any risk of financial loss, disruption or damage to the reputation of an organisation resulting from the failure of its IT systems. With such high risk and negative consequences associated with cyber-attacks, it is important to understand how to defend and respond appropriately in the event of a cyber incident occurring.
The Financial Conduct Authority (FCA), regulate and aim to help firms become more resilient to cyber-attacks, while ensuring that consumers are protected, and market integrity is upheld.
In March 2019 the FCA released an industry report on Cyber Security. The report explores the findings of 175 firms, brought together by the FCA to form a Cyber Coordination Group (CCG). CCG group members represented firms from a variety of industries and helping raise awareness, share experiences and innovative practices to support with cyber resilience.
Here, we summarise the seven key insights and practices shared in the final report.
In the same way that organisations would govern any other business activity, the report shared that governance around cyber security is just as important and should provide
s a base line for which security and risk management activities are controlled, directed and communicated. While CCG members found there was no ‘one size fits all’ approach, the broad themes in how to tackle governance were;
Take a top down approach — by putting cyber risk on the executive agenda, educating them and presenting high quality management information (MI) on areas for improvement.
Make language simple — by adopting language that will be understood across the business and appointing champions to bridge the gap between IT and the business.
Think bigger picture — by identifying what data is valuable to cyber criminals and becoming aware of the ways that attacks might occur. Making sure that controls are effectively mitigating risks and using existing standards for best practice.
Fast paced change and increasingly complex organisational structures and operations can make it difficult to maintain control of and manage records of information and systems However, findings from the CCG’s found that without an understanding of what is being protected, it is impossible to take a risk-based approach.
Consider what you know — use existing guidance on GDPR security outcomes and utilise multiple sources of information and perspectives to build a complete and accurate picture of assets that you are trying to protect.
Understand who you work with — If functioning in an ecosystem, understand the interdependencies of suppliers and possible risk posed by any 3rd parties.
Have a whole business understanding — know your business and use past business impact analysis to support any future-proofing plans.
Protection against external threats requires organisations to have suitable cyber security policies, procedures and controls in place. Effectively understanding and protecting the assets an organisation holds can help contain and limit the threat of a potential cyber incident. The group’s insights focussed on;
- Investment in training and continual improvement.
- Management of 3rd party suppliers — by ensuring cyber security is written into contracts so that your responsibility is clear.
- Use Encryption where appropriate and monitor to prevent unauthorised access.
- Be aware of your vulnerabilities — by identifying your digital foot print and any areas of weakness (these factors may continually change). Prioritise areas to fix and be open to the fact that not all legacy systems will be fixable.
- Make cyber security part of your change management process.
In order to protect an organisation from a cyber-attack it is of utmost important to have the correct tools in place in order to detect when systems or business services are in danger. The CCG group suggested that there should be a 2-pronged approach when planning a detection strategy;
Tackle insider threat — by carefully documenting those with data access rights and know their privileges to form a base to identify misuse or unauthorised access.
Establish an effective monitoring regime — prevent attacks by collecting data use logs, applying rigorous controls to make data tamper proof and review and validate data logs to ensure they are working as intended.
To ensure continued protection and to make informed cyber resilience decisions it is important to be aware of emerging threats and to take note and action when alerts are raised. Firms in the CCG shared the importance of the following practices;
Participation in forums for knowledge sharing and pooling insights to be shared with industry peers, which creates a team work mentality and allows for opportunity to learn from others.
Feed Cyber security into planning — use the media to drive the direction of continuous improvement.
If an incident occurs, which is likely and to be expected, the ability to respond and recover quickly is critical. In order to resume business and with accurate data, continuity planning is key and should form part of the risk management and operational resilience model of any organisation. Firms in the CCG share the following insights on response and recovery;
Create scenario led exercises — plan for the worst and assess the impact on your business in worst case to allow you to plan-ahead with business recovery strategies. Additionally, use lessons learnt from previous cyber incidents and to help with response and recovery.
Investigate all incidents and train your team through simulations to keep them familiarised with the end to end process.
Know how to communicate — pre-planning internal and external communications with key decision makers to make accountability visible and help speed up the decision process in the event of a crisis.
Once these six factors are considered, the only way to truly know how resilient the organisation is — is to test it. The CCG firms shared the following testing practice insights;
Create a comprehensive framework that evolves with continuous improvement, doesn’t make assumptions and continually challenges threats.
Invest on testing and training staff — make it easy for staff to report possible threats and after identifying areas of weakness provide staff training then reassess these areas to assess effectiveness.The full FCA report summarised here can be found at; https://www.fca.org.uk/publication/research/cyber-security-industry-insights.pdf