Information Risk - an emerging crisis in financial services or here already?

Eliza Hawthorn August 29, 2013

Abstract: Information is collected, stored and used through digital media. Our businesses rely on information in this digital space - information that we use to conduct our day to day business; information that lets us make decisions or do things better than our competitors; information that we need to protect and share to comply with the law and regulations placed upon us. There is a growing cyber threat to this media and I agree with the recent KPMG report that a cyber attack could be the next big crisis to befall the financial services sector. But I also contest that cyber, or more accurately information, incidents are already here and having significant impacts across the sector. We need to act now to stave off the near-term and longer term risks.

Many of you reading this will have, like me, read the recent report by KPMG warning of a cyber attack, or massive system outages (which themselves, of course, may or may not be caused by a cyber attack), as being the next catastrophe awaiting the financial services sector. If not the report then you will have probably caught an article about it (such as this one by Computer Weekly, that stated "Cyber attack or disruption could cause the next systemic shock to the UK banking industry rather than a liquidity crunch". The KPMG report provides some interesting facts and figures on the escalating cyber issues, such as increases in online account fraud.

This got me thinking as to the wider information risks that financial services face. Information is essential for financial institutions to conduct their business. Information is usually held on ICT systems. Manual interaction with the ICT systems, or automated systems, trigger actions based on that information. So whilst we are dependent on the systems themselves, it is the information which is of paramount importance. Arguably, it is the information we need to conduct our business, ICT just streamlines the operations. If we had the information we could, arguably, continue a semblance of our business. So is it right to look at cyber risk, which tends to lead us into the world of IT security, or is cyber risk a sub-element of a broader information risk, which is a much more prominent business-led activity?

Good information management is about having the right information in the right place at the right time and using it effectively - that is protecting it as it gives us a source of competitive advantage, and sharing it when we need to or when it will lead to enhanced business value.

A look over the fines that the FCA or ICO (Information Commissioners Office) have issued recently shows that companies are not getting the right information and / or not keeping it or getting it to the right place at the right time. The conclusion: Information incidents are here and already causing much disruption.

The ICO have, to date, predominantly fined councils and healthcare organisations, but they have issued 3 fines to financial services organisations, as well as some to energy organisations and law firms.

Whilst the ICO fines for breaching the Data Protection Act, a maximum of £500k, may seem relatively insignificant to a large financial services organisation, there can be more significant impacts. In this world of growing on-line banking and fraud, information security has been a source of competitive advantage. I Now I for one consider the security of my personal information when choosing an on-line bank. Banks recognise this consumer behaviour (it isn't just me!) and for some time have deployed variations of passwords, card readers, random password key generating tokens, secret questions and so forth to promise their customers the most secure account log in. So a fine from the ICO, which effectively says to the market "this organisation doesn't look after your personal data quite right" can have far more severe financial impacts than just the fine with loss of reputation, and therefore customer retention and attraction, impacts.

FCA fines are far more significant but rarely are they talked about in information incident terms. Here are some of the top 10 fines issued that could be construed as information incidents.

CPP were fined £10.5m for mis-selling insurance in 2012. One of the two primary reasons, rather ironically, was that CPP "overstated the risks and consequences of identity theft during sales of identity protection". This case of mis-selling could easily be classed as an information incident - a case of not having the right information and not sharing it appropriately with their customers.

Shell were fined £17m for market abuse in 2004, in which FSA accused Shell of making "false and misleading announcements" in relation to its oil and gas reserves. A case of having, we assume, all the right information to hand but sharing the wrong information with key stakeholders.

Goldmann Sachs were fined £17.5m in 2010, where a breakdown in communications led to the FSA, as was, not being informed of an individual working in the UK who was subject to serious fraud charges in the US. Again an incident of not sharing information appropriately.

Of course, who could forget UBS who were fined nearly £30m in late 2012 for serious weaknesses in controls that led to losses of over £1.5bn during three years of illicit trades by a relatively junior employee. Arguably, weak information systems and poor information risk management led to the company not finding, or analysing, data to provide actionable intelligence to identify the issue earlier and address it.

Prudential, in March 2013, were fined £30m for not informing the FSA of a planned acquisition in a timely manner. Another case of not using information that existed in an appropriate manner.

The FSA, as was, has also issued fines directly related to losing customer data, for instance Zurich being fined £2.3m for losing the personal data of 46,000 customers in 2010.

What does all this tell us? Well, we started this exploration of information risk from the recent KPMG report that suggests a cyber attack could be the next big crisis in financial services. I contest that the issue of cyber, or information, incidents is here already. Fines for not controlling our information, and the subsequent reputation and share price damage, have been happening for years - those listed above total over £100m and it would be easy to add more to the list. If we don't get a good control of our information systems (which include people and physical premises, not just IT) now, we will continue to suffer increasing fines and reputational damage in the short term, and fail to protect ourselves against the next big crisis just around the corner.

Secure Data Sharing

Eliza Hawthorn August 8, 2013

I’ll Send You that File How many times each day do you say, “I’ll send you that file” or something very similar? If you are anything like me, more times than you want to admit. We all share data daily and the frequency and amount of data shared shows no sign of diminishing, if anything file sizes and quantity just keep growing year on year.

With all this movement of data do we ever stop and think just what it is that we are sending across the internet? How many of those shared chunks of data contain sensitive information? Now you don’t have to be working for MI5 to have sensitive information, we all have such data on our PCs, laptops, iPads etc. Personal information such as bank account details, contracts even very simple stuff like friends addresses, telephone numbers. In a world where identity theft is a very real and growing problem should we not be taking much more care of this data? I for one think we should.

Identifying the Threat It is easy to become paranoid when you start thinking about cyber security, assessing the risk is not always as easy as you would think. For instance; what are the risks of sending a clear text email?

Well firstly your email will travel across the internet via any number of servers before it reaches your intended recipient. At each of these servers it is possible for the data to be read and copied, even read and amended. Now this is generally not the case, however conceptually it is possible. I’m sure big brother is reading all our communications these days, justified as part of the fight against terrorism. But concerns about interception are just part of the story. Copies of your emails are generally saved as sent items, this can be on your device but equally it can be on your internet provider’s server. What level of security exists there? And as the receiver of that email how certain are you that the sender is who you think it is?

So you see just looking at one possible way we share data it isn’t easy even feasible for us to truly evaluate the risk. What we tend to do is just press send and then forget about it.

Responsible Adult Is it good enough to carry on like this? As responsible adults should we be doing more to protect ourselves, our friends and our business partners from becoming the target of some sleazy cyber-criminal? We definitely should! Just recently I was subjected to an identity theft attack and I can tell you it was no fun sorting that one out. So what should we be considering?

Secure Email and File Transfer The obvious answer to all of these concerns is data encryption. And before you say it, it doesn’t have to be complicated, costly or impossible to understand. The latest generation of email encryption products offer real ease of use some additionally allow the encrypted transfer of even very large files all in just a couple of clicks. Now if you have ever tried using email or file encryption in the past you are probably thinking apart from all the complexities involved I’ll have to get my friends and colleagues to buy into the same product so this is a non starter. Well you might be surprised to learn that some secure email products such as Egress’s Switch offer all the above functionality and more, whilst being free to use as the recipient. So there really should be no excuse.

Summary Well I hope this has given you food for thought. Don’t wait until you become the target of an attack. Take responsibility for securing your communications. No one will thank you for allowing their personal data to be left at risk. Do it today.

Cyber crime and cyber espionage could cost $100bn every year

Eliza Hawthorn July 25, 2013

The cost of cyber crime and cyber espionage could amount to as much as $100bn every year with some 500,000 lost jobs in the US alone, according to a new report by security software vendor McAfee and the US Center for Strategic and International Studies. (CSIS)

The report, titled 'THE ECONOMIC IMPACT OF CYBERCRIME AND CYBER ESPIONAGE' was compiled with the aid of economists, intellectual property experts and security researchers.

"Losses to the US (the country where data is most accessible) may reach $100bn annually. The cost of cyber crime and cyber espionage to the global economy is some multiple of this likely measured in hundreds of billions of dollars," reads the report, which classified malicious cyber activity into a number of different areas.

[VIA]

Security & Risk: Data Management

Eliza Hawthorn March 15, 2013

By: Allison Morris from OnlineCollegeCourses

With practically our whole lives stored online, it's no wonder 3 in 4 Americans have been or will be the victim of cyber crime. According to "Hacked," an info graphic posted OnlineCollegeCourses.com, in one year, about $1 trillion in intellectual property was stolen worldwide. In fact, over the last 12 months, it's estimated that 90% of businesses had their computer systems hacked, and 77% were hacked more than once.

In addition to large companies, universities are also a target for hackers, given their large student databases. In 2012, more than 100 universities had students' personal information stolen. These include prestigious schools such as Harvard, Cambridge, Stanford, Princeton, and more. The personal information obtained from these databases can then be sold on illegal trading sites and may be used by marketers.

Mobile apps and social networking accounts are also commonly hacked. In fact, about 600,000 Facebook accounts are hacked each day, or about seven every second. As for apps, 92% of the top paid apps for iOS have been hacked. This figure was 100% for Android. Hacking apps allows cyber criminals to disable security, create pirated copies, or replace the app with a malware-infected version.

So with hacking running rampant, how can you protect yourself? The best course of action is to create a strong password. Do not use a password that is easily guessed, such as 123456 or abc123. Even a personalized password of six lowercase letters can be cracked by a hacker in approximately 10 minutes. Instead, it is best to choose a password that has a mix of lowercase and uppercase letters, numbers, and symbols. Also, it is smart to change up your passwords from account to account. That way, if one is compromised, hackers can't have a field day with the rest of your accounts.

Graphic Provided by: http://www.onlinecollegecourses.com/

CYSPEX Breakfast Briefing is a Success!

Andrew J Smart March 5, 2012

CYSPEX Cyber Security Breakfast: From Threat to Solution

Is your organisation leveraging the competitive advantage of a positive cyber security culture? What is your organisation doing to promote cyber security and support the Government in making the UK the world's leading market place? It’s a fine line between protection and enablement – how is your organisation dealing with the cultural and behavioural impacts?

These questions and more were raised at the CYSPEX Cyber Security Breakfast held at the Houses of Parliament on the 1^st March 2012. It was a full house with attendees from the government, private sector and academia providing insights and responses to some of the challenges facing the UK in Cyber Security.

The event was sponsored by Templar Executives and Stratex Systems. Andrew Fitzmaurice, CEO, Templar Executives, introduced the speakers and set the scene explaining, “Today’s briefing is designed to promote the holistic approach required for effective cyber security and to hear from those in the public and private sectors who understand this and are actively contributing to the National Cyber Security Strategy".

Key note speakers included; Andrew Miller MP and Chair of the Science and Technology Select Committee, Adrian Leppard, Commissioner of Police for the City of London, John Cook, Head of Defence Security and Assurance Services, Ministry of Defence, Simon Parker, Chief Information Officer, Babcock International Group PLC and Rena Lalgie, Deputy Director of Cyber Security, Department for Business Innovation and Skills. Both Baroness Paul Neville-Jones (Special Representative to Business on Cyber Security) and Lord Errol supported the event and participated in the lively audience debate that followed. All of these attendees are prominent in the actions they are taking to develop the UK’s Cyber Security maturity response.

Andrew Miller MP opened the session by highlighting it is imperative for government and business to work together to tackle the cyber threat which is growing and “increasingly complex and dynamic”. Commissioner Leppard re-enforced this by stating that last year alone, fraud cost the UK economy £38.6billion.

Commissioner Leppard outlined the plans of the Economic Crime Unit and National Fraud Intelligence Agency and the steps they are taking to centralise the capture of fraud intelligence. The Commissioner concluded by saying; “the threat of internet crime is increasing exponentially and whilst both the government and the private sector have responded positively to this challenge we have got to keep the pace going” a view that was echoed by all speakers.

John Cook from the MoD and Simon Parker, CIO of Babcock shared the approach that their respective organisations are taking to increase their Cyber Maturity capability. Simon Parker explained that technology was only part of the picture; to be effective the culture of the organisation needed to be changed by carrying out training, at all levels, to raise awareness. Both the speakers concurred that organisations need to do more to articulate their information risk appetite and manage risk in accordance with that appetite.

John and Simon also emphasised the need for the board to endorse a Cyber Security strategy and drive change from the top. Implementing effective cyber security requires everyone within an organisation to be accountable and take responsibility for understanding the threats and vulnerabilities they face and how they can prevent them. Addressing the supplier market, John Cook said suppliers need to “take action to ensure and demonstrate they have sufficient cyber security measures in place in what is a dynamic challenge that none of us can afford to ignore.” It was noted that those suppliers who did take action were not only contributing to the overall aim of the National Cyber Security Strategy – making UK Plc the place to do business – but also gaining a competitive advantage.

Rena Lalgie called for a shift in emphasis so that cyber security is seen as an enabler for economic prosperity and that there needs to be a focus on galvanising and partnering with the private sector to deliver the change necessary in this area. Cyber security should be an integral part of how companies manage their corporate risk.

In his closing remarks Andrew Miller MP commented on the next generation of the UK workforce and observed “the missing link is in education; technical and practical skills and behavioural change need to be taught and embedded in the education process. We need to shift the dynamics so young people grow up knowing how to protect their own work and are used to working in that way.”

To find out more about the speakers and CYSPEX please visit the CYSPEX website www.cyspex.com

StratexSystems Partners with Cyber Security Experts to Develop Strategic Cyber Security Solution

Andrew J Smart December 12, 2011

StratexSystems, a provider of integrated strategy execution and risk management solutions is pleased to announce the launch of CYSPEX (Cyber Strategic Programme Execution), a unique, comprehensive cyber security solution designed to provide boards and senior executives with a holistic view of their organisational cyber security status.

Developed with the combined Cyber Security and Risk-Based Performance Management expertise of Templar Executives (www.templarexecs.com) and Manigent (www.manigent.com), CYSPEX enables organisations to monitor and implement the delivery of their cyber strategy while managing and mitigating the organisation’s cyber risks in line with their risk appetite. Not only does this ensure your organisational information is secure and managed through its lifecycle, it also means information is delivered in a timely, relevant and valued manner.

An organisation’s value is increasingly made up of its information assets, such as patents, designs and custom databases, and how well they exploit them. As a result, these are increasingly coming under attack from a range of individuals, including commercial and governmental parties. In this environment, cyber security has to be a board level responsibility and solutions must deliver tangible business benefits.

Recent figures show that 92% of large organisations are currently experiencing losses from cyber incidents[1] which involve their information being lost or stolen and infrastructures being taken offline, or more worryingly, taken over. Poor cyber security can cost your business directly, through fines and litigation fees, and indirectly, by damaging your brand value, competitive advantage, productivity and revenue streams.

As experienced Risk Management Software Providers, StratexSystems are aware of the impact cyber risk can have on businesses: CYSPEX (Cyber Strategic Programme Execution) is a unique and comprehensive cyber security application designed to provide boards and senior executives with an holistic view of their organisational cyber security posture. Developed with the combined Cyber Security and Risk-Based Performance expertise of Templar Executives and Manigent, CYSPEX enables organisations to monitor and manage the delivery of their cyber strategy while managing and mitigating the organisation’s cyber risks in line with their risk appetite. Not only does this ensure your organisational information is secure and managed through its lifecycle, it also means information is delivered in a timely, relevant and valued manner.

StratexSystems CEO and Founder, Andrew Smart said: “We are excited to be partnering with Templar Executives to develop this innovative cyber security solution. Cyber Security is moving up the agenda of our clients but we believe there is a need for a strategic approach which is aligned to business strategy”.

Templar Executives CEO and Founder, Andrew Fitzmaurice said “The UK Government and UK PLC are increasingly recognising the holistic nature of the range of threats posed by cyber-attacks, and every day we seem to wake up to reports of another cyber security breach. Indeed, recent events such as the Stuxnet incident, and incidents at leading organisations such as HMRC, HSBC and Zurich Insurance plc, demonstrate the need for a comprehensive solution which enables a mindset change regarding Cyber Security. With our partners, StratexSystems we believe that CYSPEX will provide, for the first time, organisations with an opportunity to develop that much needed solution”.

www.cyspex.com

[1] State of Security Survey, 2011, Symantec

StratexSystems

Enterprise Governance, Risk and Compliance Software