Latest News

  • Home /
  • Latest News

Mitigo - Cybersecurity actions for 2022

1 March 2022
David Fleming, Chief Technology Officer

Millions of cyberattacks will take place across the UK in 2022 and many thousands of businesses involved in financial services will be seriously damaged. The firms which avoid damage will be those that have taken proactive steps to protect themselves. To help you join this group of secure businesses I have outlined a plan below that I hope will help.

Cybercriminals earn huge sums from their activity, and the sheer size of this opportunity means that attacks will inevitably increase in 2022. The advance and availability of attack technology and the use of AI (Artificial Intelligence) means that criminals can now discover and evaluate opportunities in every business, whatever the sector, regardless of the size. So we need to start by understanding your vulnerabilities.

Cybersecurity vulnerabilities in 2022

A successful attack can make money for the criminals in a number of ways. They may trick a human (staff/customer/supplier) into sending money to a fraudulent bank account. Or they may steal something valuable, such as sensitive confidential proprietary or client information, in order to blackmail you into paying a ransom for its return. That confidential information may still then be used to attack you or your clients or extort money from them. Ransoms are also frequently paid in order to regain business functionality, after criminals have encrypted data and systems.

The criminals first find a way into your business through the gaps in your defences (these are known as vulnerabilities). We assess hundreds of businesses a year and set out below are the areas we are currently finding provide most opportunity for the criminals. I suggest you read through the list noting where the risk applies to you.

Remote working. Staff working away from the office provide lots of attack opportunities. Have you specifically reviewed your remote working set-up from a cyber security perspective?

Have a look at the video here for some pointers on how well you’ve set-up your remote working.

Cloud email accounts. Thousands of email accounts are hijacked weekly and exploited by criminals.
 
  1. Authentication methods. Just relying on username and passwords is not enough. Typically over 20% of untrained staff fall for the simulated phishing email attacks that we run for clients. This is how usernames and passwords are stolen.
  2. Spoofing controls. Ask your technical support if they have set-up SPF, DKIM and DMARC. And worry if they don’t know what you are talking about.
Business technology. Some of the biggest attacks last year were from poorly maintained technology.

Software patching. Having an effective patching regime is critical to your cyber resilience.  Two huge cyberattacks in 2021 took place when critical security patches were released by suppliers which in turn notified everyone (including criminals) of newly discovered software flaws. How would you have fared against these two examples and who is watching out for issues that affect the technology you use?
 
    1. https://www.theguardian.com/world/2021/jul/19/what-is-the-hafnium-microsoft-hack-and-why-has-the-uk-linked-it-to-china
    2. https://www.wired.com/story/log4j-flaw-hacking-internet/
Staff digital behaviour. Most successful attacks rely on human error at some stage, which is why staff training combined with proper governance is so important.
 
  1. Passwords. How disciplined are you? Do staff use strong passwords, and do they know how dangerous it is to use work emails and passwords for non-work purposes? And do you really know if the rules you set are being enforced?
  2. Information transfer. Are you really in control of the way data is transferred and stored? Or might we find company information in G-drives, Drop Boxes, and on WeTransfer?
  3. Speed & trust. How quick are staff to trust and press links on their mobile phones? Might your staff fall for the criminals’ ever more sophisticated tricks?
Cloud services. At its worst, cloud can mean loss of control and lack of risk visibility.

Have a look at the video here for some pointers on how well you’ve set-up your cloud services.

Supply chain weaknesses. Third parties who provide services to your organisation are often one of the weakest links in your cybersecurity. Most commentators are predicting a growth in supply chain attacks this year. This article from the NCSC is a good explanation of the risks involved.

Cybersecurity action plan for 2022

Cyber security vulnerability assessment. You must start by identifying your biggest risks and the vulnerabilities that need closing.

The list of common vulnerabilities mentioned above is a good starting point for this process. Consider how well each of those areas has been set up. Do you have evidence that cybersecurity has been properly considered? Make sure you review where your valuable information is kept and the way your payments process operates, as these are common targets.

You may have heard of cyber security buzz words like penetration testing, vulnerability assessments, and network security scanning which will all help you assess your vulnerability to attack. A good starting point would be to use our assessment tool here.

Cyber security policy. Define how the business will work to reduce risk, e.g. what is acceptable personal use of a work device.

We recommend that you define your policy in key areas. Examples include - digital usage & behaviour, passwords & access management, and information storage & transfer. Then make sure all staff are aware of the rules and what is expected of them.

You must have in place a defined policy for software patching, back-up testing and virus protection to include clarity on actions and responsibilities. It is then important that you find a way of measuring compliance.

This may sound onerous but it is absolutely necessary and it is an expectation of the FCA and the ICO.

Vulnerability closure, strong controls, and alerts. Once you have completed the steps above, you need to make sure you close the vulnerabilities identified, that technical policies are implemented and that the right system controls are set up to protect you. It is essential that someone suitably qualified advises on how properly to configure your software and hardware from a security perspective.

The work here obviously depends on how your business operates, but here are just 3 examples of what we look for during our assessments.
 
  1. Anti-virus software – is it on every device; is it being kept up to date; can it be locally switched off; has it been ‘loosened’ too much and is someone centrally viewing the critical alerts?
  2. Windows network patching – are Windows patches being deployed on time to laptops, PCs and servers? How long can a laptop go without a critical patch being deployed?
  3. Email account login failures – if you are on Office365 someone should be being alerted to suspicious login attempts and you should be configuring the controls to restrict who has access to your systems.
Cyber security training. Make sure that regular training keeps staff alert to the risks. It’s time to invest in some really good cybersecurity training and we believe that getting simulated attacks done frequently, will improve your cybersecurity culture.

Incident response planning. Yes, the worst does sometimes happen. In most cases that I have been involved with, fast, pre-planned emergency response arrangements can massively reduce the impact on your business. This is a subject for another article but start by getting the key people in a room and discussing how you would go about dealing with a ransomware attack. Write down your plan, communicate it and practise it.

Paradigm has partnered with Mitigo to offer cybersecurity risk management services to our members. 

Take a look at Mitigo’s full service offer here 

For more information contact Mitigo on 0161 8833 626 or email [email protected] 

 

10 December 2024

Beyond the Budget – Unpacking IHT changes for your clients


4 December 2024

Triple Point Venture VCT - Early bird discount extended


3 December 2024

A Postcard from Boston: Onshoring, AI and the regulation of water


3 December 2024

The second Nucleus UK Retirement Confidence Index


25 November 2024

Investing alongside science to deliver a sustainable world


11 November 2024

Triple Point - What Budget changes to Business Relief mean for clients


4 November 2024

Edwards Lifesciences: shaping the future of cardiac care


28 October 2024

Gene therapy is set to change the face of medicine


22 October 2024

What China’s economic stimulus measures could mean for investors


16 October 2024

Triple Point - Venture VCT announces 2p tax-free dividend


7 October 2024

Triple Point - VCTs: a powerful way to help clients pay less income tax


2 October 2024

The next smart move for your clients


26 September 2024

Puma VCT 13 launches new £50m fundraise


24 September 2024

3 steps advisers can take to close the gender pension gap


19 September 2024

Puma Investments- Launches Puma AIM VCT


18 September 2024

M&G Wealth - Six ways to keep clients invested for long-term success


10 September 2024

M&G Wealth - Dash to cash: why it pays to think longer-term with your client’s money


6 September 2024

Join the Defaqto Future of Advice conference


2 September 2024

Triple Point - Understanding Venture Capital Trusts (VCTs)


28 August 2024

M&G Wealth - Keeping it smooth since 2004


19 August 2024

Prudential - Cost reductions and changes to our Strategic Asset Allocation


15 August 2024

Liontrust - Building a sustainable future with social housing


15 August 2024

Puma Investments - Join our CPD webinar: Closing the gaps: IHT and Estate planning featuring Tony Wickenden


7 August 2024

Liontrust - Plugging into the energy transition


6 August 2024

Defaqto - The Future of Advice - The Defaqto Adviser Conference


26 July 2024

Hello Kitty: A big cat in the investment universe?


24 July 2024

Liontrust – A postcard from Japan: enabling the sustainable transition


18 July 2024

Liontrust - Does a brighter future for housebuilding lie ahead?


16 July 2024

Triple Point – Holistic Estate Planning Strategy for Clients


8 July 2024

Triple Point – Join our CPD webinar: helping investors plan for big life events


1 July 2024

Intergenerational wealth planning for difficult times


24 June 2024

Liontrust Sustainable Investment: Annual Review 2023


19 June 2024

Investing in the energy transition


18 June 2024

Triple Point is partnering with ESG Accord to host a webinar: "A Practical Guide to SDR and Investment Labels for Advisers."


17 June 2024

Latest PruFund monthly investment updates


13 June 2024

Defaqto MPS Comparator: the UK's only accurate MPS performance tool


12 June 2024

Hear about Triple Point Venture VCT - 18th June 2024


6 June 2024

The Nucleus Retirement Confidence Index


24 May 2024

Join us for our Breakfast Briefing with Foresight! June 4th at 9:30am


17 May 2024

Looking forward with optimism


8 May 2024

The retirement income advice red paper


8 May 2024

Liontrust Views: Why smaller can be beautiful for US equities


7 May 2024

CPD Horizon Series: Tax planning for life’s key events


18 April 2024

Liontrust: Opportunities from secular growth trends


15 April 2024

Defaqto Roadshow - The challenges and opportunities of pursuing Income


11 April 2024

Liontrust: US small caps are overlooked and undervalued


4 April 2024

Q1 2024 Rebalance – we think the backdrop is good for stocks


21 March 2024

25 years of ISAs: a quarter of a century of tax-efficient savings and investing


4 March 2024

Stepping out of cash needn’t be daunting


26 February 2024

Managing lifetime wealth – trends in the UK retirement advice industry


23 February 2024

Empowering advice for women in finance


14 February 2024

Tech Matters is here!


5 February 2024

Defaqto upcoming event – Engage webinar 22nd February


1 February 2024

The gender divide in retirement confidence


30 January 2024

SDGs in focus: climate and nature


26 January 2024

Tax year end prep. We’re here to help.


8 December 2023

2023: Another momentous year for markets


8 December 2023

2024 investment outlook


7 December 2023

The 2023 Nucleus UK Retirement Confidence Index


4 December 2023

Paradigm's brand new Technology hub is here


4 December 2023

New service for advisers - Do you have UK clients with overseas assets/liabilities?


30 November 2023

Defaqto Upcoming events - Engage virtual


28 November 2023

Deepbridge Celebrate 2023 Growth Investor Awards Success


22 November 2023

5 reasons why EIS deployment timescales are so important


21 November 2023

November 2023 Asset Allocation Changes: Bonds looking better


20 November 2023

Blackfinch portfolio company Tended named ‘one of the best inventions of 2023’ by Time Magazine


10 November 2023

Value tracker: Where are the cheapest/most expensive stock markets?


9 November 2023

The Asia opportunity – looking for smarter growth


3 November 2023

The big headlines of quarter 3 2023


1 November 2023

Just launched: Octopus Titan VCT


24 October 2023

Understanding Portfolio Management


17 October 2023

It is fair to say that 2023 to date has been a slow year across the Venture Capital (VC) sector


11 October 2023

VCT’s evolving client profile: take another look at your client bank


6 October 2023

Death Benefits


5 October 2023

intelliflo - Building stronger client relationships through technology


4 October 2023

Puma Investments opens £50m fundraise for Puma VCT 13


3 October 2023

Family wealth planning - connected through you


29 September 2023

How well do you know your clients? (Survey + Amazon voucher offer)


25 September 2023

NOW OPEN – Octopus AIM VCTs are open to new investment


14 September 2023

Defaqto ‘Asset allocation – stick or twist’ roadshow


1 September 2023

New maternity law – are you ready?


17 August 2023

Artificial Intelligence: Jobs created or jobs destroyed?


10 August 2023

The big headlines of the second quarter 2023


7 August 2023

Cashflow modelling integral to the advice process


2 August 2023

Asian and emerging markets


28 July 2023

Investment Intelligence Seminars


25 July 2023

Embrace technology to focus on the value of advice


25 July 2023

Emerging-market debt: a potential source of protection and diversification?


21 July 2023

2023 Mid-year Investment Outlook


18 July 2023

25 years of the £2 coin - worth half its value to UK consumers since circulation


5 July 2023

Product and Platform Switching and The Consumer Duty


28 June 2023

How do we invest in the ESG themes range


16 June 2023

eAdviser Index proves the transformative power of technology


8 June 2023

10 tips for the countdown to Consumer Duty


1 June 2023

The easiest financial product to promote


31 May 2023

Invesco's flexible approach for navigating market uncertainty


15 May 2023

Our platform, your way


26 April 2023

Defaqto Spring Roadshow


24 April 2023

Adding value for your clients – Cash flow planning


21 April 2023

PruFund Growth and PruFund Cautious Client Facing Reports


19 April 2023

Puma VCT 13 hits £50 million fundraising target


17 April 2023

Book your free office lunch today


13 April 2023

What next for Open Banking?


22 March 2023

The future of adviser technology


14 March 2023

Property Insight: Commercial Real Estate is always late!


28 February 2023

Technology and the advice journey


23 February 2023

Get ready for tax year end


21 February 2023

Capability, low-cost and choice -retirement planning made easier


3 February 2023

Tax Year End Prep – PRU are here to help


1 February 2023

NOW OPEN – Octopus Ventures Knowledge Intensive EIS Fund


18 January 2023

Listed infrastructure… to the rescue


17 January 2023

Defaqto Engage – CIC Compare