How to reduce risk and deal with a cyber-attack

Robert Arandjelovic

European Director of Security Strategy at Blue Coat

06.04.2016 08:15 am

When it comes to tackling cyber-attacks, it is important for financial organisations to realise that cyber-crime cannot be dealt with in isolation by the IT department. Traditional security measures, such as anti-virus software and firewalls, are increasingly unlikely to cope with the growing sophistication of modern cyber-attacks. The increase in risk means it is more important than ever for businesses to deal with any threat quickly, given legislative requirements, the possibility of significant brand damage, and financial fines.

As more financial organisations turn to technology to run their business, and with FinTech investment growing 177% in the first quarter of 2014, this uptake opens more avenues for attackers and so increases exposure to cyber threats. Failure to mitigate this could put sensitive financial data at risk. Even with the best security technology in place, there are still plenty of channels for cyber-attackers to exploit, such as social engineering: a technique whereby cyber criminals, for instance, insert links or attachments into an email which, when clicked on by the user, give them access to sensitive data.

Following an attack, organisations need to assess what has happened: which data has been breached, which systems have been infected, and so on. More important still, according to the ICO (Information Commissioner's Office), is the assessment of the possible consequences, including how serious they are and how likely they are to occur. An in-house or external incident response (IR) team then begins its investigation to collect all the necessary data and to review traffic, network activity and the various log reports. This involves gathering all essential security data, working backwards to find Indicators of Compromise (IoCs), and then using a forensic framework such as Lockheed Martin's 'Cyber Kill Chain' to put everything into context. The Cyber Kill Chain, which is considered industry best practice and used by many organisations, or a similar approach, helps organisations identify how the attack happened, what its full impact is, and how to resolve it.

Discovering an attack

Once a business has discovered that a cyber-attack has taken place, which on average takes 206 days, the IR team then attempts to contain the issue, learn from it, and prevent any further breaches. If an attack is left undiscovered for too long, the damage already done is likely to increase. In most cases, it takes an organisation between 21 and 35 days from the initial detection of a data breach to analyse the networks and resolve the issue. With this massive window of opportunity, cyber-attackers generally have plenty of time not only to act on their objectives but to cover their tracks as well; by the time the attack is detected, a great deal of the incriminating evidence has either been removed or can no longer be found in security logs.
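As an added illustration (not code from the article or from Blue Coat), the following Python script performs the "working backwards" step described above on a handful of constructed log lines: it flags events that match Indicators of Compromise, places each on a Cyber Kill Chain phase, and measures the gap between the earliest evidence and the detection date, the dwell time behind the 206-day figure. The indicators, hostnames and log lines are all constructed placeholders.

```python
"""Added illustration, not the article's tooling: match constructed log lines against
IoCs, map hits to Cyber Kill Chain phases and compute dwell time back from detection."""
from datetime import datetime

# Constructed indicators; hash, domain and address are placeholders, not real IoCs.
IOCS = {
    "deadbeef0001": "hash of malicious attachment",
    "c2.example-bad.invalid": "command-and-control domain",
    "203.0.113.55": "exfiltration destination (TEST-NET address)",
}
# Log event kind -> the Kill Chain phase it evidences.
KILL_CHAIN = {
    "mail_attachment": "Delivery",
    "process_start": "Exploitation",
    "persistence": "Installation",
    "dns_query": "Command and Control",
    "outbound_transfer": "Actions on Objectives",
}
HOST_LOCAL = {"process_start", "persistence"}  # kept once the host is flagged by an IoC

# Constructed log lines: "<date> <time> <host> <event kind> <detail>".
SAMPLE_LOGS = """\
2016-01-04 09:12:03 ws-17 mail_attachment sha256=deadbeef0001 from=external
2016-01-04 09:15:41 ws-17 process_start image=invoice.doc.exe parent=winword.exe
2016-01-04 09:16:02 ws-17 persistence runkey=Updater
2016-01-05 02:00:10 ws-17 dns_query name=c2.example-bad.invalid
2016-01-05 02:00:11 ws-17 dns_query name=update.example.invalid
2016-02-20 23:40:00 fs-01 outbound_transfer dst=203.0.113.55 bytes=734003200
2016-02-21 08:00:00 ws-03 process_start image=excel.exe parent=explorer.exe
"""

def parse(line):
    date, clock, host, kind, detail = line.split(" ", 4)
    return datetime.fromisoformat(f"{date} {clock}"), host, kind, detail

def build_timeline(log_text):
    """Order events; keep IoC hits plus host-local events on hosts an IoC has flagged."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    flagged = {host for _, host, _, detail in events if any(i in detail for i in IOCS)}
    timeline = []
    for ts, host, kind, detail in events:
        ioc = next((IOCS[i] for i in IOCS if i in detail), None)
        if ioc or (host in flagged and kind in HOST_LOCAL):
            timeline.append({"time": ts, "host": host,
                             "phase": KILL_CHAIN.get(kind, "Unknown"), "evidence": ioc or detail})
    return timeline

def dwell_time_days(timeline, detected_at_iso):
    """Days between the earliest retained evidence and the (ISO-formatted) detection time."""
    return (datetime.fromisoformat(detected_at_iso) - timeline[0]["time"]).days
```

The benign DNS lookup on ws-17 and the unrelated process on ws-03 are dropped, leaving one event per Kill Chain phase; with detection on 2016-07-28 the dwell time comes out at exactly 206 days.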

Minimising the damage

IR teams are tasked with the delicate balancing act of removing the threat completely and as quickly as possible while maintaining operations. This is particularly pertinent for financial businesses that have customers and clients relying on them. Few companies can afford to grind to a complete online halt, so they must aim to quarantine vulnerable or compromised systems to prevent the attack from spreading.

If the attack is on a large enough scale to disrupt an organisation's entire service, for example a DDoS attack, then the main objective is to resume full operations as quickly as possible while simultaneously stopping the attack and securing against future ones. In recent high-profile DDoS attacks, even a relatively short outage was enough to have a significant impact in terms of both costs and customer confidence in the brand. The financial ramifications can be vast, as seen recently when one of the UK's leading banks was fined £56 million for a glitch that prevented many customers from withdrawing money.


Once the scale of the attack is determined, the business must decide who needs to be notified and use the local ICO guidelines to decide whether the attack must be made public. Organisations need to be aware that UK laws are not the only guidelines they must keep up to date with: further regulation and compliance changes are coming, such as the EU General Data Protection Regulation (EU GDPR), which is set to come into force over the coming years, and, more recently, the data privacy framework Privacy Shield.


Where to start?

Security Analytics and Network Forensics are a good place to start. These solutions record the traffic passing through the network and automatically categorise it for in-depth analysis. More advanced solutions add capabilities such as threat scanning and alerting, and session reconstruction, which lets companies see the actual infected file that led to the attack. Network Forensics plays a vital role in defending against advanced attacks because it allows all the information related to the attack to be viewed in a single place.

Another security mechanism is Sandboxing, a quarantine technique that helps IR teams resolve breaches by identifying the threats that have evaded more traditional defences such as anti-virus and firewalls. Sandboxes enable organisations to screen files coming into the network and declare them 'safe' before they are passed through signature-based perimeter security controls. Many network security tools cannot scan for threats inside encrypted traffic, so implementing encrypted traffic management capabilities enables companies to decrypt traffic and forward it to other network security tools for scanning.

The task list

Before being able to declare 'all clear', there are a number of steps a company must take. Firstly, identify the full scope of the attack and what has been lost. Then establish whether the method of attack and the point of compromise have been stopped along the kill chain. Determine whether the data has stopped being leaked or the infection is no longer spreading. Finally, make an inventory of all infected systems and confirm that they have been restored to normal, preventing any chance of a recurrence. Once these steps are complete, the all clear can be given.

It is therefore important to keep up to date with cyber-attack trends and to know what to look for – particularly with the financial sector suffering 300% more cyber-attacks than any other industry. Financial firms need to encourage and understand the development of internal cyber-security policies to ensure that threats are minimised as quickly as they appear. They must assume that their IT systems will be compromised at some stage, and it is the processes put in place that will determine how they deal with the compromise. Investing in the right technology, such as security analytics, implementing strong cyber governance processes and developing IR teams is essential for firms looking to boost their cyber-security capabilities. Without this, the door is wide open to cyber-criminals.
