Governance, risk and compliance

300%: The increase in cybercrimes reported by the FBI since the start of Covid-19. (Source: Cybintsolutions)

Of course, that’s not enough to counter the threat. Although phishing, distributed denial-of-service (DDoS), and ransomware attacks remain the preferred weapons of choice for cybercriminals, so-called ‘island hopping’ – where supply chains and partners are commandeered to gain access to the primary target, including major financial institutions – is increasingly popular too. “Application attacks and island hopping are spiking as a result of rapid digital transformation,” notes Kellermann. “With that, rigorous testing on the security of these applications is critical. It’s also important that the remediation timetable for hardening security be mandated along with deployment of application controls. Finally, the principle of least privilege should be applied to better control who has administrative rights.”

Another potentially destructive practice, meanwhile, is credential stuffing, whereby stolen account credentials are used to gain unauthorised access to user accounts. Typically, this is done through large-scale automated login requests directed against a web application.

In 2020, indeed, malware and ransomware incidents rose by more than a third, while there was an over 50% increase in phishing, scams, and fraud, according to INTERPOL. In the insurance claims sphere, meanwhile, Catharina Richter, global head of the Allianz Cyber Center of Competence, describes losses from incidents such as DDoS attacks, phishing and ransomware campaigns as accounting for a significant majority of the value of cyberclaims today.

“Cyberthreat hunting techniques must be expanded, and network security platforms need to be integrated with endpoint protection platforms and solutions.”

Tom Kellermann, VMware

All the same, Richter is keen to emphasise that though cybercrime tends to be a popular story in the papers, more mundane failures can be just as troublesome. “While cybercrime generates the headlines, everyday systems failures and IT outages, [as well as] human error incidents, can also cause problems for companies, even if their financial impact is not, on average, as severe. Employers and employees must work together to raise awareness and increase their company’s cyber resilience.”

Allowed on the cloud

As Richter implies, potential business interruption is evidently a crucial issue in boardrooms up and down the continent, but companies shouldn’t take their eyes off the ball when it comes to bread-and-butter issues – especially around data security, cybercrime and compliance.

A great example of this principle comes in the person of Jerry Finley. “Data security and compliance has been the cornerstone of our organisation since our inception,” says Finley, CISO at OakNorth Bank. He means what he says. Beyond regularly testing staff on their cybersecurity skills, the bank also conducts simulation exercises and tests throughout the year. The point, Finley says, is “to keep everyone vigilant, and to determine where our vulnerabilities lie”. At the same time, he adds, his bank also provides “regular reminders and guidance to our customers about how to stay vigilant and identify potential fraud”.

That’s shadowed by more fundamental changes. In May 2016, OakNorth Bank became the first UK bank to be fully hosted on the cloud – not just ancillary services, but everything, including its core platform. “Our provider is Amazon Web Services, which provides the very best security to its clients,” Finley says. “It invests a lot more in security than we’d ever be able to so we’re glad to be working with them.” The bank has also partnered for several years with Illusive, a computer and network security provider, which helps it gain insights into the lateral movement of attackers across the bank’s infrastructure. “This capability gives us confidence that we have another layer of defence as threat actors become more sophisticated and learn to evade traditional countermeasures,” Finley explains. “In terms of other factors, the biggest consideration is human error, which is why we have put in place several systems to try and minimise the risk of this.”

Low risk, high reward

This process is ongoing, of course, with Finley stating that his bank is constantly examining other measures to protect both itself and its customers. All the same, he accepts that it’s always going to be an uphill struggle. “We know our work will never be done,” he adds. “Attacks are becoming more sophisticated, and hackers are constantly developing new tactics and procedures to circumvent existing technologies.”

Whatever the successes of Finley and his team at OakNorth, indeed, the global cost of cybercrime is forecast to grow 15% annually over the next five years, reaching $10.5trn by 2025. And, given that the likelihood of a cybercriminal being detected or prosecuted was recently estimated by the World Economic Forum to be as low as 0.05%, it’s patently obvious that criminals continue to operate in this low-risk, high-reward environment. As the old adage goes, the security of a given network is only as strong as its weakest point. And with the number of data points increasing, due to more people working from home because of Covid-19, organisations would do well to bear this in mind.

Finance Director Europe /
