Building societies operate in a highly regulated market where any data breach can lead to significant operational, financial and reputational damage. How can you implement cyber security measures that will protect your building society from data breach?
Like all organisations, building societies have come under increasing attack from hackers over the past 18 months. In order to protect their members, they need to put cyber security measures in place that mitigate the risk of leaking personally identifiable information (PII) and money.
And what’s more, regulatory authorities – the FCA and PCI – and regulations like GDPR are starting to issue punitive fines to organisations that fail to implement adequate cyber security measures. In 2018, the FCA fined Tesco Bank £16.4 million for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack that occurred in 2016.
In this blog, we’ll provide an overview of how building societies can implement measures that will help them avoid the operational, financial and reputational damage of a data breach.
How Are Hackers Targeting Building Societies?
With many of us working predominantly remotely since 2020, hackers have evolved their tactics to take advantage of organisations’ increased attack surfaces as users have strayed beyond the relative security of the corporate network. The key cyber security threats building societies face in 2021 are phishing, ransomware, and business email compromise attacks:
- Phishing emails are sent by hackers who pretend to be someone the victim trusts, such as their bank or a colleague. Their goal is to convince the victim to do something the hacker can use to their advantage, such as clicking a link to a malicious website or entering login and other personal details. Phishing emails are one of the main methods hackers use to deploy ransomware and business email compromise attacks.
- Business email compromise attacks target employees within an organisation by sending spoof emails which fraudulently represent senior colleagues or trusted clients. The emails use social engineering techniques to issue illicit instructions, such as approving payments to hackers’ bank accounts or releasing confidential client data that can be leaked on the Dark Web.
- Ransomware’s primary aim is to extort money from the organisations and individuals it infects. It achieves this by encrypting files saved locally and on shared drives connected to affected machines, and increasingly by also threatening to leak stolen confidential information onto the public internet. Once files have been encrypted, the user is notified and asked to pay money, typically in cryptocurrency, in order to obtain a key that will decrypt the files.
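As an added illustration of the phishing and business email compromise indicators described in the list above (this is example code written for this post, not a Six Degrees product or tool), the script below runs a few simple header checks over constructed sample messages: a trusted colleague’s display name paired with an external address, a sender domain that merely resembles the society’s own, a Reply-To that diverts replies elsewhere, and a failed SPF/DKIM/DMARC result. The domain `example-bs.co.uk`, the staff names and the sample headers are all assumed values.

```python
# Added example for the phishing / BEC indicators described above.
# Not code from the original post. INTERNAL_DOMAIN, KNOWN_STAFF and the
# sample headers are constructed values, not real traffic.
from email.parser import Parser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-bs.co.uk"      # assumed: the society's own mail domain
KNOWN_STAFF = {"Jane Smith", "Tom Brown"}  # assumed: senior staff display names


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyse_headers(raw_headers: str) -> list[str]:
    """Return a list of BEC / phishing indicators found in a message's headers."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    findings: list[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display-name impersonation: a known colleague's name on an external address.
    if name in KNOWN_STAFF and from_domain != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. Lookalike domain: contains the society's name but is not the real domain.
    org_label = INTERNAL_DOMAIN.split(".")[0]
    if from_domain and from_domain != INTERNAL_DOMAIN and org_label in from_domain:
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. Reply-To diversion: replies would go to a different domain than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to diversion: replies go to {reply_addr}")

    # 4. Failed sender authentication, assuming the mail gateway stamps an
    #    Authentication-Results header (RFC 8601) on inbound mail.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if check in auth:
            findings.append(f"authentication failure: {check}")

    return findings


# Constructed sample headers for demonstration only.
LEGIT = """From: Jane Smith <jane.smith@example-bs.co.uk>
To: payments@example-bs.co.uk
Authentication-Results: mx.example-bs.co.uk; spf=pass; dkim=pass; dmarc=pass
Subject: Q3 figures

"""

SPOOFED = """From: Jane Smith <jane.smith@webmail.example>
Reply-To: ceo.urgent@example-bs-payments.example
To: payments@example-bs.co.uk
Authentication-Results: mx.example-bs.co.uk; spf=fail; dkim=none
Subject: Urgent supplier payment

"""

LOOKALIKE = """From: Tom Brown <tom.brown@example-bs-secure.example>
To: finance@example-bs.co.uk
Subject: Updated bank details

"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, "->", analyse_headers(sample) or ["no indicators"])
```

Checks like these are a useful complement to staff awareness training rather than a replacement for it: they catch the crude cases (external address, mismatched Reply-To, failed authentication), while a well-crafted message from a compromised genuine mailbox will pass all four and still needs a person to question an unusual payment instruction.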
In order to maintain your building society’s operational integrity in 2021, you will need to minimise risk as far as possible when it comes to these three pernicious threats.
What Are the Types of Damage Building Societies Can Suffer?
Phishing emails, business email compromise attacks and ransomware are all on the rise. But how can we start to think about the threat to your building society and its members in real terms? At Six Degrees, we tend to talk about financial, operational and reputational damage.
- Financial damage. Most obviously, and probably top of many people’s minds, is the financial damage caused by a successful cyber-attack. As we demonstrate in our new eBook, the financial damage from a ransomware attack can go far beyond the ransom itself – should you choose to pay it.
- Operational damage. Strong engagement with members – and the robust people, processes and systems that sit behind them – are key to the successful running of any building society. A successful cyber-attack can cause significant operational damage, as your building society will be unable to interact with members and your people will be unable to communicate, collaborate and deliver as they usually would.
- Reputational damage. Reputational damage may seem a little more theoretical than financial and operational damage, but it is equally significant. A successful cyber-attack can cause significant reputational damage, leading members and associated organisations to question their trust in the building society’s ability to operate and manage its data securely.
One cyber-attack, three kinds of damage. None good at all. So how can you protect your people and your members?
Further reading: In our new eBook, we take you through the hows and the whys of adopting a cost-benefit approach to cyber security. Download it for free here.
How Can Building Societies Protect Themselves and Their Members?
When it comes to protecting your building society and its members from the negative impact of a data breach, unfortunately there is no magic bullet. At Six Degrees we talk about the need to have ‘defence-in-depth’ by aligning your building society’s people, processes and systems. Here’s what we mean by that:
- Your people. Your people are your first line of cyber defence. When they are trained in cyber security best practices and aware of the latest cyber threats, your people will complement your processes and your systems and manage data in a manner that protects your members’ personally identifiable information (PII).
- Your processes. Processes are equally important as the people who follow them. Hackers will look for loopholes in your processes that they can exploit, especially where the appropriate diligence is not paid. Ensure your processes have the right diligence measures built in to prevent hackers exploiting any areas of weakness.
- Your systems. Of course, your systems are an essential element of your building society’s cyber security posture – especially in today’s cloud-based, agile working world. Securely configured and maintained systems reduce your attack surface and minimise risk.
It is by combining these three elements that you can protect your building society from the financial, operational and reputational damage of a data breach. But where to start?
Avoid the Operational, Financial and Reputational Damage of a Data Breach
So, how can you protect your people and your members? Well, we’re sorry we can’t just point you towards an off-the-shelf product that will cover this for you. Cyber security is a journey, but the good news is that – wherever you are on that journey – there are logical steps you can take to minimise the risk of becoming the next high-profile victim of a data breach.
Through our Aegis Cyber Security Maturity Assessment, we conduct a comprehensive cyber security maturity and benchmarking assessment, delivered and managed using a consultant-led approach that provides you with point-in-time or ongoing visibility into your organisation’s security posture.
Further reading: Building societies need to compete for members with retail banks, often without the same access to funding. Digital transformation to secure cloud computing is the clearest path for building societies to not just keep up but lead the charge to deliver exceptional banking services that delight members. Download our eBook to see how leveraging the time and resource-saving capabilities of cloud technologies will benefit your building society.