ICYMI: In late September 2016, APRA released the results of a survey they did on cyber-attacks against businesses in the financial sector. The results were surprising for both industry professionals and customer stakeholders (i.e. everyone) alike.
The 2015/16 Cyber Security Survey Results revealed that more than half of the 37 financial institutions surveyed had been hit with a serious attack in the 12 months before the survey[i]. The survey defined ‘serious’ as ‘sufficiently material to warrant executive management involvement’. These incidents included sophisticated advanced persistent threats (APTs), distributed denial of service (DDoS) attacks, which are hard to filter out, and ransomware taking over institutional computers and networks. They also included threats to the reputation of the business, such as defacing company websites and social media accounts.
Of the four industries surveyed, super funds reported the highest rate of serious attacks: 75% had experienced one, compared to an average of 51%. Only 44% of ADIs (authorised deposit-taking institutions, such as banks) reported serious breaches – somewhat of a comfort to clients who rely on online banking and apps to make transactions and check their balances.
Larger organisations, like the more prominent banks and super funds, experienced nearly twice as many cyber security incidents over the same period. But smaller institutions are at risk too. According to APRA’s PAIRS (Probability and Impact Rating System)[ii], 37% of the smaller, less complex organisations were also hacked.
What’s the solution?
Most of the survey respondents told APRA that they’d engaged outside cyber security experts to manage a lot of the protective measures in place against hacking. APRA even noted that this was probably a good idea, as it’s expensive and difficult to maintain an effective in-house team of security experts. But there were a range of opportunities for improvement that involved internal staff.
Survey respondents identified thirteen common scenarios in which cyber security risk management could be improved. Four of them stand out in particular:
- Compromise of data and/or systems by staff / contractor
- Exfiltration of intellectual property and/or market sensitive data for strategic, commercial, or political gain
- Inappropriate or elevated system access
- Social engineering attacks against staff and/or customers (e.g. phishing and spear phishing)
Consulting cyber security organisations can provide advice and assistance on infrastructure and software. But they are not training organisations: they may help shape internal training policy, but they are not educators.
That’s where information security education for staff can help bridge the gap. Have a peek and order it for yourself today – you might be surprised what you learn!