Technology and cyber-capabilities of organisations based in the UK are often plagued by various long-standing weaknesses such as a lack of visibility over key assets, inability to identify or train high-security staff, and inability to prevent lapses while making IT changes.
The UK's Financial Conduct Authority (FCA) recently carried out a cross-sector survey of over 296 UK-based organisations of all sizes to assess their technology and cyber-resilience and to see what steps such organisations are taking to strengthen their IT governance, delivery of change management, managing third-party risks and effective cyber-defences.
The watchdog observed that a majority of organisations are still struggling to overcome three major cyber-weaknesses: people, third-party management, and protecting their key assets. With nearly 80 percent of organisations not having complete visibility of their key assets and their third parties, they are unable to secure such assets from external threats or patch them in a timely manner.
Only 56 percent of organisations are confident of their ability to consistently and regularly review and update their information assets and many do not maintain a continuous review of key assets that are nearing end-of-life, resulting in significant vulnerabilities that result in technology outages and successful cyber-attacks.
Similarly, FCA's survey revealed that only half of all firms maintain a comprehensive list of all third parties with whom they do business and which access their systems and data which explains their inability to assess the criticality of third parties, and the subsequent risk to services they provide. At the same time, only 66 percent of large firms and 59 percent of smaller firms have complete visibility over their third parties’ response and recovery plans.
The lack of information sharing between organisations on cyber-attacks or tactics employed by hackers is also undermining firms’ ability to provide or seek help in the event of a cyber-attack affecting the wider sector. Many organisations, especially smaller ones, are choosing not to share relevant information because of their fear of suffering reputational damage and providing an incentive for other attackers to focus on them.
At the same time, a large number of organisations are struggling to identify staff in high-risk roles such as those who deal with critical and sensitive data and those with privileged system access. Even though 90 percent of UK organisations have cyber-awareness programmes, only 47 percent of organisations who have identified high-risk staff have been able to provide additional cyber training to such employees.
"Given the prevalence of social engineering and phishing as a means of cyber-attack, often targeting these roles, this presents a significant weakness. In many cases this risk is compounded by a simultaneous lack of monitoring of staff activity, so firms are unlikely to detect anomalies in staff behaviour and subsequent activity," the FCA noted.
The watchdog's report also revealed that even though many organisations claim to have mature IT change management practices, 20 percent of incidents reported to the FCA between October 2017 and September 2018 occurred due to failed IT changes. Considering that change management is essential for organisations to incorporate new technologies, the FCA believes that such practices should involve the identification of important business services and the need to focus on recovery plans and customer communications in order to prevent long outages or cyber-incidents.
Commenting on the FCA's findings, Martin Jartelius, CSO at Outpost24, told SC Magazine UK that the findings are not surprising and cyber-resilience will continue to be an issue for many until security is embedded within all processes.
"Quality and safety are routinely being addressed within many industries, yet security is always an afterthought, particularly when tackling risk management. For risk management to work, businesses need to define their core assets which will then allow them to focus on the risks.
"However, if we fail to identify our core assets, which the survey identifies as being a cause for failing at cyber-resilience, we also don’t know where our core servers are or who our staff or third parties are. This means we cannot prioritise and we have to treat everything somewhat equal, which due to the financial reality we operate in, means the defences are sometimes not always adequate," he added.
Welcoming the FCA's report, Ed Williams, Director EMEA, SpiderLabs at Trustwave, told SC Magazine UK that having a water-tight privileged-access management policy is a must for organisations if they intend to improve their security assurance.
"Identifying key staff is imperative, we all too often see ‘credential creep’, where a key member of staff, as they move through an organisation, gains privileges, but the privileges that they no longer require are very rarely removed – leaving them with excessive privileges, this is perfect for an attacker. Adopting the ‘principle of least privilege’ is a must for organisations as they look to increase their security assurance, as processes, people and technology change within an organisation ensuring least privilege will help to remove ‘credential creep’," he said.
Tim Sadler, co-founder and CEO at Tessian, believes that the effectiveness of organisations in responding to spear-phishing attacks requires additional focus on the methods used by hackers to deliver malware and the tricks employed by them to make victims' take certain actions.
"In recent years we have noticed a growing trend of well-crafted spear-phishing emails being used to target specific individuals within organisations. These emails often impersonate trusted relationships and are designed to get past legacy defences, making them much harder to identify as a result.
"Many organisations have invested in tools to identify malware and malicious links sent over email, yet we see attackers regularly getting through. As sophisticated spear-phishing techniques become more common, organisations should invest in defences like machine intelligent platforms that are able to identify impersonation automatically, allowing them to stop attacks at source," he adds.
In its report, the FCA said that it has evidence to state that organisations are not reporting a large number of cyber-incidents and are not complying with the major incident reporting guidelines. In 29 percent of the cases that were reported to the FCA between October 2017 and September 2018, firms are yet to inform the FCA about the specific root causes of such incidents.
According to Sadler, one of the reasons firms may not be reporting cyber-incidents is because their employees may not be flagging them in the first place, especially if the incident is a result of a mistake they made. "Contrary to the popular belief that cyber-security and data breaches are all due to malicious attackers trying to break into an organisation and steal data, inadvertent human error is likely to be the biggest reason why a company loses data.
"Therefore, it’s crucial that companies eradicate any culture of fear around self-reporting a cyber-incident. If employees fear punishment or dismissal, they are less likely to quickly come forward and admit to a mistake, which only exacerbates the situation," he added.
According to Matthew McKenna, VP EMEA at SecurityScorecard, under-reporting of cyber-incidents to the FCA is because of various reasons such as significant brand and financial impacts to organisations following a disclosure, organisations waiting to understand root causes of cyber-incidents prior to reporting such incidents, and the long time taken by organisations to detect a breach, thereby delaying their cognizance.
"Underreporting will continue to be a problem if the focus is on shaming those who fail. The interesting part should be the lessons learnt from the breaches and what steps are taken to prevent recurrence. That’s what holds value to the public. Instead, we focus on hindsight, sensationalism and hunger on how many credit cards leaked, what potential fines may or may not be imposed and almost nothing is learned from the incident," said Jarnelius.
"Many of the fixes are similar, but instead we are stuck in a primitive focus on blame and incident rather than looking at patterns and learning. The intentions of legislation have been to force organisations to inform individuals when their data is affected, but as a potential benefit, it would have allowed this collective growth, but it’s a shame it’s largely wasted."