Latest News

  • Home /
  • Latest News

Mitigo - Cybersecurity actions for 2022

1 March 2022
David Fleming, Chief Technology Officer

Millions of cyberattacks will take place across the UK in 2022 and many thousands of businesses involved in financial services will be seriously damaged. The firms which avoid damage will be those that have taken proactive steps to protect themselves. To help you join this group of secure businesses I have outlined a plan below that I hope will help.

Cybercriminals earn huge sums from their activity, and the sheer size of this opportunity means that attacks will inevitably increase in 2022. The advance and availability of attack technology and the use of AI (Artificial Intelligence) means that criminals can now discover and evaluate opportunities in every business, whatever the sector, regardless of the size. So we need to start by understanding your vulnerabilities.

Cybersecurity vulnerabilities in 2022

A successful attack can make money for the criminals in a number of ways. They may trick a human (staff/customer/supplier) into sending money to a fraudulent bank account. Or they may steal something valuable, such as sensitive confidential proprietary or client information, in order to blackmail you into paying a ransom for its return. That confidential information may still then be used to attack you or your clients or extort money from them. Ransoms are also frequently paid in order to regain business functionality, after criminals have encrypted data and systems.

The criminals first find a way into your business through the gaps in your defences (these are known as vulnerabilities). We assess hundreds of businesses a year and set out below are the areas we are currently finding provide most opportunity for the criminals. I suggest you read through the list noting where the risk applies to you.

Remote working. Staff working away from the office provide lots of attack opportunities. Have you specifically reviewed your remote working set-up from a cyber security perspective?

Have a look at the video here for some pointers on how well you’ve set-up your remote working.

Cloud email accounts. Thousands of email accounts are hijacked weekly and exploited by criminals.
 
  1. Authentication methods. Just relying on username and passwords is not enough. Typically over 20% of untrained staff fall for the simulated phishing email attacks that we run for clients. This is how usernames and passwords are stolen.
  2. Spoofing controls. Ask your technical support if they have set-up SPF, DKIM and DMARC. And worry if they don’t know what you are talking about.
Business technology. Some of the biggest attacks last year were from poorly maintained technology.

Software patching. Having an effective patching regime is critical to your cyber resilience.  Two huge cyberattacks in 2021 took place when critical security patches were released by suppliers which in turn notified everyone (including criminals) of newly discovered software flaws. How would you have fared against these two examples and who is watching out for issues that affect the technology you use?
 
    1. https://www.theguardian.com/world/2021/jul/19/what-is-the-hafnium-microsoft-hack-and-why-has-the-uk-linked-it-to-china
    2. https://www.wired.com/story/log4j-flaw-hacking-internet/
Staff digital behaviour. Most successful attacks rely on human error at some stage, which is why staff training combined with proper governance is so important.
 
  1. Passwords. How disciplined are you? Do staff use strong passwords, and do they know how dangerous it is to use work emails and passwords for non-work purposes? And do you really know if the rules you set are being enforced?
  2. Information transfer. Are you really in control of the way data is transferred and stored? Or might we find company information in G-drives, Drop Boxes, and on WeTransfer?
  3. Speed & trust. How quick are staff to trust and press links on their mobile phones? Might your staff fall for the criminals’ ever more sophisticated tricks?
Cloud services. At its worst, cloud can mean loss of control and lack of risk visibility.

Have a look at the video here for some pointers on how well you’ve set-up your cloud services.

Supply chain weaknesses. Third parties who provide services to your organisation are often one of the weakest links in your cybersecurity. Most commentators are predicting a growth in supply chain attacks this year. This article from the NCSC is a good explanation of the risks involved.

Cybersecurity action plan for 2022

Cyber security vulnerability assessment. You must start by identifying your biggest risks and the vulnerabilities that need closing.

The list of common vulnerabilities mentioned above is a good starting point for this process. Consider how well each of those areas has been set up. Do you have evidence that cybersecurity has been properly considered? Make sure you review where your valuable information is kept and the way your payments process operates, as these are common targets.

You may have heard of cyber security buzz words like penetration testing, vulnerability assessments, and network security scanning which will all help you assess your vulnerability to attack. A good starting point would be to use our assessment tool here.

Cyber security policy. Define how the business will work to reduce risk, e.g. what is acceptable personal use of a work device.

We recommend that you define your policy in key areas. Examples include - digital usage & behaviour, passwords & access management, and information storage & transfer. Then make sure all staff are aware of the rules and what is expected of them.

You must have in place a defined policy for software patching, back-up testing and virus protection to include clarity on actions and responsibilities. It is then important that you find a way of measuring compliance.

This may sound onerous but it is absolutely necessary and it is an expectation of the FCA and the ICO.

Vulnerability closure, strong controls, and alerts. Once you have completed the steps above, you need to make sure you close the vulnerabilities identified, that technical policies are implemented and that the right system controls are set up to protect you. It is essential that someone suitably qualified advises on how properly to configure your software and hardware from a security perspective.

The work here obviously depends on how your business operates, but here are just 3 examples of what we look for during our assessments.
 
  1. Anti-virus software – is it on every device; is it being kept up to date; can it be locally switched off; has it been ‘loosened’ too much and is someone centrally viewing the critical alerts?
  2. Windows network patching – are Windows patches being deployed on time to laptops, PCs and servers? How long can a laptop go without a critical patch being deployed?
  3. Email account login failures – if you are on Office365 someone should be being alerted to suspicious login attempts and you should be configuring the controls to restrict who has access to your systems.
Cyber security training. Make sure that regular training keeps staff alert to the risks. It’s time to invest in some really good cybersecurity training and we believe that getting simulated attacks done frequently, will improve your cybersecurity culture.

Incident response planning. Yes, the worst does sometimes happen. In most cases that I have been involved with, fast, pre-planned emergency response arrangements can massively reduce the impact on your business. This is a subject for another article but start by getting the key people in a room and discussing how you would go about dealing with a ransomware attack. Write down your plan, communicate it and practise it.

Paradigm has partnered with Mitigo to offer cybersecurity risk management services to our members. 

Take a look at Mitigo’s full service offer here 

For more information contact Mitigo on 0161 8833 626 or email [email protected] 

 

16 December 2021

Invesco - Investment Intelligence Seminars 2021 - On demand


14 December 2021

Invesco - 2022 investment outlooks


10 December 2021

Prudential: Case study 3 - Funding for decumulation


8 December 2021

intelliflo - Uncovering the advice gap; the Advice Map of Britain


29 November 2021

Just WIN, WIN, WIN... Thank you


26 November 2021

Blackfinch Energy acquires largest solar farm to date


26 November 2021

ESG at Invesco


26 November 2021

Prudential - International Portfolio Bond – helping your clients help the planet


16 November 2021

Octopus On Film - Diversity and inclusion


3 November 2021

What investors want: Our research on client perceptions of ESG investing


3 November 2021

Mitigo - Why cyber risk management is not the same as IT support


28 October 2021

intelliflo - Why you shouldn’t discount technology for older clients


28 October 2021

Prudential - The year of 2.5 budgets


25 October 2021

Invesco - Small steps to a better future


15 October 2021

Prudential - ISA Case study 1 – Managing volatility with cash


14 October 2021

Prudential On Film - ESG


12 October 2021

intelliflo - How technology will impact the future of paraplanning and advice


11 October 2021

Just: Winners of Just Group vulnerable customer awards announced


11 October 2021

Prudential: ESG Policy for the Risk Managed Passive and Risk Managed Active fund ranges


7 October 2021

Aegon - Thinking ahead: Social care funding and intergenerational advice


13 September 2021

Invesco - Investment Intelligence Seminars 2021 – register now


8 September 2021

Blackfinch Renewable European Income Trust September 2021


7 September 2021

intelliflo - Five benefits of a client portal


7 September 2021

Prudential - Our 'Future-proofing Fridays' seminars are coming to you virtually


6 September 2021

Prudential - New PruFund Support


26 August 2021

PruFund range of funds - EGR and UPR announcement


26 August 2021

intelliflo - The power of deep integrations


25 August 2021

PruFund Planet - Support for your ESG client conversations


23 August 2021

Prudential - PruFund Planet - How are the funds managed?


20 August 2021

Prudential - Download the app for automatic daily valuations through intelliflo


12 August 2021

Prudential - The Great Reset: Why it's time to invest for a sustainable recovery


11 August 2021

Prudential - Planning for education?


6 August 2021

Invesco - It's more about growth than inflation


6 August 2021

Prudential - Sir Isaac Newton’s first law of motion and ESG


3 August 2021

Prudential - PruFund Planet - The power to create the world your clients want


2 August 2021

Prudential - Our 'PruFund Planet - a world of good' seminar is coming to you virtually


21 July 2021

Just on Film - Vulnerable Clients


19 July 2021

Prudential - Pep up your ISA planning webinar


7 July 2021

intelliflo - Future-proofing your technology


2 July 2021

Prudential - Our 'Onshore... Offshore - you decide' seminar is coming to you virtually


1 July 2021

Prudential - New AKG financial strength report and due diligence support


24 June 2021

Prudential - A Spotlight on Asian Bonds


24 June 2021

Invesco - Emerging markets: Innovation unleashed


21 June 2021

intelliflo - Four ways technology can improve client engagement


16 June 2021

Have you looked at our Retirement Account recently?


9 June 2021

Prudential - The importance of sequencing of returns risk for clients taking an income from their pension


8 June 2021

Tax Efficient Review - Updated independent reviews now available


3 June 2021

Prudential - Could our Risk Managed 1 and 2 funds help in de-risking?


2 June 2021

Blackfinch: Adapt IHT portfolios - Q1 Trading Activity


2 June 2021

Prudential: Upcoming Webinars June


28 May 2021

Prudential - PruFund range of funds - EGR and UPA announcement