The Financial Services Industry is at Risk as Nation-state Attacks are on the Rise

  • Luke Potter, Chief Operating Officer at CovertSwarm

  • 19.05.2023 03:45 pm
  • #security

A Statista report released this year, highlighting the distribution of cyber-attacks across worldwide industries in 2022, found that the finance and insurance industry had the second-highest number of cyber-attacks.

The report's release has come at a time when nation-state attacks are on the rise. According to Microsoft, ‘nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests’.

We have seen Russia do it to Ukraine, hitting the national grid during times of political unrest and during elections, and I can confidently say that these types of attacks are only set to rise.

Many organisations never even consider nation-state attacks when carrying out their risk assessments, believing that only the largest companies will be targeted.

But this is far from the case. 

What does this mean for the financial sector? 

According to Government figures, the financial services sector is a major source of employment. There were 1.08 million financial services jobs in the UK in Q1 2022, 3.0% of all jobs.  

In 2021, the financial services sector contributed £173.6 billion to the UK economy, 8.3% of total economic output. The sector was largest in London, where around half of the sector’s output was generated.

These figures highlight how crucial businesses within the financial sector are to the UK economy, at a time when they are also in ever greater danger of being cyber-attacked by a bad actor, nation-state or otherwise. Everyone is a target.

The industry is prone to attacks thanks to the wealth of confidential data and information it holds, as well as vast amounts of money. Rapid digitalisation, seen in online banking usage, cloud adoption and widespread remote working, all serve to make the industry exceptionally vulnerable to attack, albeit while improving banking capabilities for customers.

What can the financial sector do? 

To help defend, go on the offensive. Simulate what these nation-states are doing against your own business and shine a light on your own cyber blind spots.   

We will see heightened nation-state interest in cyber attacks, as there is a broad range of ways in which these attacks can be deployed.

Ben Wallace (UK Secretary of State for Defence) and Joe Biden have both spoken recently about the need for offensive security practices: running your annual pen test is no longer enough.

For businesses, and especially those providing or supplying organisations with critical national infrastructure, the mentality can no longer be merely about testing; it must be about attacking. The traditional pen test is a point-in-time, typically once-a-year, narrowly scoped engagement that runs checks for ‘known’ vulnerabilities using common scanning tools and techniques. You need someone who will emulate and simulate the real threats.

This is a bit of a provocative statement, but nobody else is doing this right. Businesses generally look at how they think they could be breached and take a narrowly parameterised approach based on how breaches are done in their minds.

How do these breaches occur? 

Typically, it is assumed that breaches will occur via a digital route, say, for example, your main website.

This leads to point-in-time, narrowly scoped offensive security engagements. Such an approach leaves blind spots, and the moment the report lands on your desk it is out of date. The real actors are constantly looking for ways to compromise your business. They target the whole brand using digital, social and physical routes, via multiple attack paths, to find a way to achieve a breach.

A typical, naive response from many business leaders is: ‘why would they attack us, or why would we be classed as important? We are a small business; who would come and attack us?’

Imagine if you were breached, your data was stolen and your business could no longer operate without paying a ransom to the attacker. How would you feel? How would you function? How would your brand suffer from being headline news?

There is a lag in mentality in organisations that are still doing things the old, outdated pen test way: setting rules of engagement with their cyber security teams and expecting this to provide a realistic view of how attacks really happen.

The data tells us that this is a threat everybody needs to take seriously, with recent figures showing that more than 80% of UK businesses suffered at least one cyber-attack in 2021/22. That accounts for nearly 4,000,000 registered companies.

What are the predictions for the future? 

What I believe we will see in the coming years is an acceleration in bad actors, including nation-states, targeting organisations that provide software or services that would give the adversary or nation an advantage if that organisation were taken out.

This is why the financial services industry needs to sit up and take notice of this threat.

There is a sense of embarrassment in businesses that have previously been cyber-attacked. Headlines are filled with something else rather than the story of what is actually happening.

The key issue is that so many businesses take the stance that it won’t be them who get targeted. The reality, however, is that they are already being targeted, or have already been breached and just don’t know it yet.

That’s the real risk. And sometimes the result of that isn’t felt for quite some time. When you get in on a Monday, you know whether your fire alarm is working because you test it.

Ask yourself, is your current approach to offensive security allowing you to sleep at night? Or are you worried that you will be breached tomorrow?   


Written by Luke Potter, Chief Operating Officer at CovertSwarm, a leading global ethical hacking and cyber security provider.
