Two-thirds of UK information security practitioners admit to cyber security practices in their organisation that would “shock outsiders”.
This is the key finding of a survey of 201 UK-based IT security professionals who work in the financial services industry, commissioned by virtualisation and cloud infrastructure firm VMware.
The survey indicates that IT security professionals in financial services firms are losing the battle to keep vital data safe against a rising tide of cyber threats, with 90% of respondents stating they have to make compromises which could leave other areas exposed when protecting their organisation against cyber threats, and half admitting that they do this regularly.
As the financial services industry continues to digitise, the study suggests too great a focus is placed on protecting the more visible consumer services, such as customer websites, potentially leaving exploitable holes surrounding internal systems and trading data.
Findings show that while there is a huge focus on protection for e-banking and customer applications, 71% of respondents said this is often at the expense of other systems.
The head of Europol, Rob Wainwright, is on record as saying the technological capability of some cyber criminal groups threatens critical parts of the financial sector, and because financial institutions store consumers’ and enterprises’ most critical, personal and private data, they are a highly attractive target for cyber criminals.
In the light of this fact, the survey report said the findings indicate a need to balance financial organisations’ rapid digital transformation with stringent cyber security practices.
There also appears to be a sense of frustration among those responsible for defending against security threats about the direction they received, alongside a lack of understanding from leadership teams of the potential for breaches, the report said, with 53% of respondents saying they do not believe their leadership team understands the complexity of the cyber threats they are facing.
A quarter of respondents said the impact of cyber crime is simply treated as a cost of doing business, while 62% said they struggle to secure funding for urgent cyber security projects, and 65% said the stress associated with their role is difficult to cope with.
Ian Jenkins, head of network and security at VMware in the UK, said that in chasing the digital promised land, financial services organisations run the constant risk of overstretching already antiquated security infrastructures.
“Those on the front line defending against cyber threats clearly feel there are significant flaws ready to be exploited. This should act as a wake-up call that there are serious risks to data if security isn’t baked into everything the organisations do. Ignoring them and the compromises they’re having to make could be hugely damaging.”
Richard Bennett, European head of accelerate and advisory services at VMware, said the past era of compromise towards cyber security must end.
“A revised approach to protecting digital assets, starting at a security by design philosophy, is required to allow IT security professionals to dynamically manage the myriad of threats now faced,” said Bennett.
“This involves understanding that cyber security does not begin and end with IT, but is a challenge for the whole organisation. It is also about recognising that adaptive networking, applications and systems are no longer nice-to-haves, and that cyber hygiene is intrinsic to a company’s digital footprint today.”
In June 2017, a report by security firm McAfee and analyst firm Ovum said financial services organisations have developed unsustainable security infrastructures, characterised by a huge proliferation of tools, which lengthens response times and reduces effectiveness.
In an attempt to improve the cyber security of financial institutions in the UK, the Financial Conduct Authority (FCA) plans to introduce rules in August 2018 that will require banks to publish details of major security and operational incidents to expose the weaknesses of those with outdated IT infrastructures and compel all banks to be honest about the level of cyber security problems.