Financial Institutions and Cybersecurity Risk: Why you need ISO27001

When it comes to law enforcement crime investigations, there is a maxim of, “follow the money”. This broadly means that if you can follow the money trail, it will eventually lead you to the perpetrator of the crime.

In today’s modern society, money has now become a series of binary ones and zeros that are transferred between bank accounts without any real effort on either party, and cybercriminals are fully aware of how easy, and fragile, this process is.

In December 2022, the tenth edition of the ENISA Threat Landscape (ETL) report was released. It is an annual report about the status of the cybersecurity threat landscape, it identified the top threats and major trends observed with respect to threats, threat actors and attack techniques.

In the report they identified the top 5 threats as:

1. Ransomware
2. Malware
3. Social Engineering threats
4. Threats against data
5. Threats against availability: Denial of Service

For most people in the cybersecurity industry, nothing in the above will come as much of a surprise. Almost daily, we hear of some organisation being hit by ransomware, where the targets systems are compromised and data is encrypted and held for ransom. The latest and most public attack is against the Royal Mail in the UK. The LockBit ransomware group was able to disrupt internal mail and parcel services for over two months over the Christmas period. At the time of this writing, systems and services were still not fully restored.

As recent as February, it was reported that LockBit had made further ransom demands of over £33Million, which Royal Mail has declined to pay. The threat by LockBit is that they will release data that they exfiltrated onto the dark web, which of course could further damage Royal Mail and its reputation. 

With eye-watering numbers that run into their millions, is it any wonder that cybercriminals are turning to Ransomware as a Service (RaaS), to make money? After all, there is no such thing as a 100% secure system, and in many organisations, it only takes one unpatched system or one untrained or distracted person to compromise the security capabilities of a business or organisation.

Cybercrime is organised crime

We must not fall into the trap of thinking that cybercrime is being carried out by a few rogue individuals. The money trail is getting longer, and really is paved with gold, and organised crime gangs are turning their attention from traditional street crime to online extortion and exploitation. 

It is for this reason that the Bank of England has provided guidance to financial institutions in the United Kingdom about cybersecurity, which includes the following aspects.

Establish a strong cybersecurity culture

Leadership is fundamentally important to an organisation, and if those who lead the business don’t value the importance of information security and cybersecurity, then no one will.  There is a business adage that states, “culture is what we do, when no one is watching”. It is therefore something that an organisation must develop, over time, by the establishment of both risk and reward mechanisms.  This means rewarding the behaviour you wish to encourage, and taking swift action where the behaviour is undesirable.

To develop a strong cybersecurity culture, it is important to educate those who encounter data about why it is important, and what it means in their role. It’s important that people understand how they contribute to the bigger picture, and this means demonstrable and visible support from the C-Suite, or those in positions of authority. 

It is essential that everyone understands the importance of cybersecurity and are trained, not only about what to look out for, and how they may become victims.

Implement Risk Management Processes

Banks and other financial services organisations understand the importance of risk identification, management, and treatment, and in most cases will already have a robust risk management methodology. But, all too often, this focuses purely on IT security risks, and doesn’t consider threats and vulnerabilities associated with people and processes.  For this reason, organisations should broaden their approach to risk management to ensure that it encompasses people, process, AND technology. Where possible the risk management process should be backed up with tangible data related to real incidents that have occurred internally, or within the sector.

Third-Party Risks

Organisations should ensure they have assessed and understand the risks to them from third-party suppliers, and ensure they have appropriate security measures in place. Like many large organisations, financial institutions often grant third-party suppliers access to their systems, yet security measures are not assessed or verified.  Understanding your third-party risks is therefore critical, as the people you trust most, like your IT, HR, or accounting provider could become your biggest vulnerability.

Conclusion: ISO27001 and the FCA

As you would expect, the Bank of England has offered a lot of advice and guidance related to information security and cybersecurity.  Additionally, the Financial Conduct Authority (FCA) that regulates the financial sector has also offered some great advice too. It is clearly very much in the banks interest to ensure they provide advice and guidance to us, the customer about how we protect ourselves, as much as it is to protect their own institutions too.

The Bank of England provides sound advice, and if an organisation is looking to implement these measures, they would do well to do so by following an internationally recognised method, or system, such as ISO27001:2022.

Indeed, my only frustration with the advice that both the Bank of England and the FCA provide, is that they don’t simply identify ISO27001 as the preferred standard that financial institutions implement to ensure there is an effective and measurable approach to information security and cybersecurity risk management.

ISO27001 is a risk-based approach to implementing technical and operational security measures. It’s as effective in a micro-business with few employees as it is in a multi-national business that employs thousands of people.

Simply suggesting to financial institutions that they should establish a strong cyber security culture, is like saying to a sick person that they should just get healthy. On the face of it, it’s very simple and common-sense advice, but it takes work.

That’s why we need structure. That’s why organisations need ISO27001.