Cyber resilient supply chains are the number one priority for banks this year, writes Jonathan Wood, CEO of IT firm C2 Cyber.
Despite rising cyber threats across all industries, the risk level in the financial sector is significantly higher. IBM research shows that 23 per cent of cyber attacks are aimed at financial organisations, with a single data breach costing on average US $5.72 million, the second-largest among all sectors.
As cybercriminals perceive banks to be wealthy and more likely to pay out ransoms, they have also become a prime target for ransomware. Last year the sector experienced the highest volume of ransomware attacks of any industry, a 1,318 per cent year on year increase. A top US banking regulator recently cautioned US financial organisations to make sure they have robust policies in place to protect themselves, citing this uptick in ransomware.
But while financial organisations scramble to bolster their own IT security in response to rising threats, managing risk across the supply chain has never been more important. With supply chain attacks increasing fourfold, data breaches that originate with a supplier are becoming increasingly common and hugely damaging.
Supply chain risk
The rapid rise in digitisation and the growing range of services being outsourced by banks, particularly to cloud-based vendors, dramatically increase the average attack surface. This makes the supply chain the route of choice for more and more attackers: a supplier with a weaker security posture but trusted access to a bank's systems or data is an easier way in than the bank itself. Today, about 75 per cent of malicious attacks exploit vulnerabilities in third-party applications.
The SolarWinds attack last year is a case in point for the devastating and widespread impact of a supply chain attack. A backdoored update to a trusted product was installed by around 18,000 organisations across several sectors, including the financial sector, causing system downtime, monetary loss and reputational damage.
New PRA regulation
These risks are now translating into regulation, with the Prudential Regulation Authority (PRA) requiring PRA regulated international banks active in the UK to enhance their security controls to manage the increasing risk of cyber threats and to adhere to new expectations on outsourcing and third-party risk management. The outsourcing rules are designed to create greater resilience and safer adoption of new technological services via third-party suppliers, and they place responsibility for managing risk across the supply chain squarely with the bank: outsourcing a service does not outsource accountability for it.
But banks only have a few months to get this in place. A recent letter published by the PRA reminded them that they must have started testing their outsourced operations for cyber security resilience by March 31 to meet the new requirements.
Managing supply chain risk and ensuring compliance
As banks often have hundreds if not thousands of suppliers worldwide, each posing a different degree of risk, analysing your supply chain may seem an overwhelming task. But there is a pragmatic approach you can take to achieve it efficiently and effectively.
First, identify the risk level of each supplier. To prioritise your supplier segments by risk, adopt a tiered approach to assessment and monitoring using open-source intelligence (OSINT), the analysis of publicly available information about your suppliers such as company records, news reports and social media accounts. Combine this with what each supplier actually does for you: the data it holds and the access it has to your systems. Focus your effort on analysing and monitoring the suppliers that pose the most risk to your organisation.
Next, taking the high-risk segment, evaluate each supplier's policies and data security certifications to ensure they are fit for purpose. Send them an online questionnaire so that you can collate the relevant security information in a consistent form, then analyse the responses to identify areas of potential risk impact. Assign each supplier a risk score, outline the key risk areas that require action, and provide recommendations on how to address them.
You can then ask the supplier to perform remediation actions to improve their security. These can be as basic as enforcing multi-factor authentication across their accounts or ensuring segregation of duties for administrator accounts.
Once the supplier has made any required security improvements, use a vendor risk management (VRM) dashboard for ongoing monitoring. This includes both OSINT monitoring and immediate visibility of any critical risks, allowing you to identify changes and trends. You can then reassess your suppliers as required, to ensure ongoing compliance.
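As an added illustration of the tiering and scoring steps above (this is not code from C2 Cyber or from the original article), the following Python first tiers suppliers by inherent exposure (data handled, access granted, business criticality, OSINT red flags) and then scores the high-tier ones from questionnaire answers, producing a residual score and an ordered remediation list. The control names, weights, thresholds and supplier records are all assumptions constructed for the example; a real programme would calibrate them to its own risk appetite.

```python
"""Tiered third-party risk scoring: inherent tier first, questionnaire second.

Added example; weights, control names and sample suppliers are assumptions.
"""
from dataclasses import dataclass, field

# Inherent-risk inputs known before any questionnaire is sent (assumed scale).
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}
ACCESS_WEIGHT = {"none": 0, "api": 1, "privileged": 3}

# Questionnaire controls: (answer key, weight, remediation if the control is absent).
# Weights sum to 100, so a supplier with no controls in place scores 100.
CONTROLS = [
    ("mfa_enforced", 25, "Enforce multi-factor authentication on all accounts"),
    ("admin_segregation", 20, "Separate administrative from day-to-day accounts"),
    ("certified", 15, "Obtain and evidence ISO 27001 or SOC 2 certification"),
    ("patch_sla_met", 15, "Patch critical vulnerabilities within an agreed SLA"),
    ("backups_tested", 15, "Test backup restores against a ransomware scenario"),
    ("incident_notification", 10, "Commit to notifying the bank of incidents promptly"),
]


@dataclass
class Supplier:
    name: str
    data_classification: str      # key of DATA_WEIGHT
    network_access: str           # key of ACCESS_WEIGHT
    business_critical: bool
    osint_red_flags: int = 0      # e.g. public breach reports found during OSINT
    questionnaire: dict = field(default_factory=dict)


def inherent_tier(s: Supplier) -> str:
    """Tier by exposure to the bank, independent of the supplier's own controls."""
    score = DATA_WEIGHT[s.data_classification] + ACCESS_WEIGHT[s.network_access]
    score += 2 if s.business_critical else 0
    score += min(s.osint_red_flags, 2)      # cap so OSINT noise cannot dominate
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def assess(s: Supplier) -> dict:
    """Residual score 0..100 (higher is riskier) plus remediation actions, largest gap first.

    An unanswered question is treated as a missing control: silence is not evidence.
    """
    missing = [(w, action) for key, w, action in CONTROLS
               if not s.questionnaire.get(key, False)]
    gap = sum(w for w, _ in missing)
    actions = [a for _, a in sorted(missing, key=lambda m: -m[0])]
    return {"name": s.name, "tier": inherent_tier(s), "score": gap, "actions": actions}


def prioritise(suppliers) -> list:
    """High-tier suppliers first; within a tier, the worst residual score first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(s) for s in suppliers),
                  key=lambda r: (order[r["tier"]], -r["score"]))


# Constructed sample suppliers (not real companies).
SAMPLE = [
    Supplier("CloudCore Hosting", "pii", "privileged", True, osint_red_flags=1,
             questionnaire={"mfa_enforced": True, "admin_segregation": False,
                            "certified": True, "patch_sla_met": True,
                            "backups_tested": False, "incident_notification": True}),
    Supplier("Payments API Co", "confidential", "api", True,
             questionnaire={k: True for k, _, _ in CONTROLS}),
    Supplier("Print Supplies Ltd", "public", "none", False),   # never answered
]

if __name__ == "__main__":
    for result in prioritise(SAMPLE):
        print(f"{result['tier']:6} {result['score']:3}  {result['name']}")
        for action in result["actions"]:
            print(f"        - {action}")
```

Note the ordering the example produces: the stationery supplier scores 100 because it returned nothing, yet it sits below both high-tier suppliers, which is the point of tiering first. Effort goes to the suppliers whose compromise would actually hurt the bank, and an empty questionnaire is scored as a failure rather than ignored.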
Being prepared for the future
IT leaders need to be extra vigilant this year to keep their banks safe. While hackers start planning their moves, it’s critical that you pre-empt any cyber attacks, plan carefully and secure your supply chain. By identifying high-risk suppliers, analysing their security maturity and then taking the required action to reduce risk, you can avoid severe consequences from critical damage to your IT systems, loss of revenue from downtime and hefty fines from regulators. Only then can banks survive, thrive, and stay compliant.