Cyber-attacks are becoming ever more frequent and ever more costly, with estimated annual losses from cyber-crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies.
And the effect of cyber-attacks on regulated firms is wide-ranging: disruption to the firm, the potential for large financial losses (the average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims) and the reputational damage that a cyber-attack is likely to cause the firm. In addition, many cyber-attacks lead to a breach of personal data which in itself has major regulatory ramifications, both under the current Data Protection Act and the forthcoming GDPR.
On top of this regulated firms have the added complication of the impact an attack has on their SRA regulatory obligations.
It follows then that risk management around cyber-crime is now a major issue for all businesses. Regulated firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.
Many firms are turning to cyber insurance as a way of mitigating the risks around cyber-crime, but the reality is that a cyber insurer will assess your business processes around cyber security in order to understand their own level of risk and make decisions over the acceptance and pricing of your policy accordingly. So whilst taking insurance may be a prudent step, it does not mitigate the requirement to implement suitable processes, controls and technologies around cyber security management.
This is where a highly structured and methodical approach to IT management becomes critical as it is easy to lose sight of the relentless attention to detail that is needed to manage a regulated firm’s risk around cyber security. There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. Some practical steps that I would recommend every regulated firm implements to lessen their risk of falling victim to cyber-crime are as follows:-
1. Implement an effective security patch management policy
Software vendors are releasing a regular stream of patches to mitigate newly discovered security flaws. Having a methodology to ensure every device on the network receive patches in a timely fashion is vital.
2. Get an INDEPENDENT vulnerability scan carried out to benchmark your cyber security defences
Because it’s very easy to be too close to a system and potentially overlook a security loophole, we frequently get called on to conduct independent security vulnerability scans, or fuller complete security audits for regulated firms. An independent security review by a third party who has no vested interest in the system is more likely to give objective, impartial feedback.
3. Implement a multi-layered data backup strategy
With ransomware now extremely prevalent, effective procedures around data backup are paramount.
4. Review and test your disaster recovery procedures
I see so many disaster recovery plans that, for a plethora of reasons, don’t work when used in anger. Testing is essential to prove all your data is being backed up successfully and that your entire system can be restored in a timescale that is acceptable to the business.
5. Consider Cyber Essentials Certification
The Cyber Essentials scheme is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the cyber essentials scheme does provide a framework for good practice around cyber security.
There’s no doubt that managing the risk around cyber-crime is not easy, and needs dedicated resources and strict procedures which are rigorously adhered to. I think that is probably why so many firms are now moving towards partnering with a specialist IT company to provide this function, someone who can monitor their system from a security perspective at all times and is not distracted by the day-to-day operations of the firm. This is certainly the trend we’re seeing here at Connexion, where we are working with regulated firms to provide all of the above services on a fully managed basis.
If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Connexion’s services which include security vulnerability scans, patch management solutions, cyber essentials certification, backup solutions and disaster recovery solutions, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.
