Steven Jupp touches upon the need for cyber security improvement amongst the finance world

Words by Steven Jupp, CEO at Avem Capital

Having spent most of my life working with technology companies, firstly as a hobby, then as a career and finally as an owner, I have seen many changes in businesses perception of cyber security. Coupled with these changes there have been a variety of advances in the methods used to hack, crack, phish and infect technology based systems. In today’s world it has unfortunately become commonplace that we are facing an ever-growing threat from an increasing scope of technologically focused criminals.

As we are seeing in the physical criminal world, the world of cybercrime is increasing rapidly in line with the opportunities it creates. It is evident that these prospects are not only for those using technology to enrich their daily lives, but also for criminals exploiting its use. In a world where businesses can be brought to their knees within minutes or held ransom to large financial demands, one would expect a financial firm to adopt the highest degree of logical security to match the physical building’s security. I myself have witnessed horrific networks, bolted together by inexperienced IT engineers or even admin staff.

Attaching just about everything possible to a so-called, secure cyber security infrastructure. I started writing this article a few weeks prior to the WannaCry ransomware propagation of the internet of everything. Poorly patched and out of date operating systems were the cause of a global outbreak, of which many in the logical security sector would deem ludicrous.

On several occasions, I have come across previous ransom operations, whether directly attacking a corporation, or worm type attacks as seen with WannaCry. Aside from the ones reported in the press, there is also a perturbing trend on the number of hidden attacks, not disclosed to public by corporations. This was reported by numerous security officials, including myself, as far back as 2008 and then through the Securities and Exchange Commission of the US requesting disclosure in October 2011.

Some now argue that companies keeping these attacks secret may lead to quicker fixes, but I would consider them to be protecting their entities from reputational harm. In some guises, there is obviously a need for the consideration of secrecy, but I would argue that in the world of finance, where regulation is increasing, the disclosure of such attacks is paramount to the client’s financial integrity. Previously, most disclosures have been based on identity theft, account details and even the recent 191 million US voter registration records loss. However, with a new world of financial gains being made through ransom, we now enter a potentially catastrophic situation whereby a hedge fund or financial institution is held to ransom by organised crime. If the company is made to report the attack immediately, they could complicate/elongate the process of strengthening their cyber defence systems. Leaving the attack undisclosed however, could lead to a further attack of other firms.

There is currently an unhealthy wave of patchy laws and regulation globally. This has led to mainly voluntary sharing of threat information. The governments of the world need to act at a quicker pace or the financial sector risks being a “cherry to pick”. The finance industry is fast becoming a rich flavour for the organised and even less organised crime syndicates around the globe, and our collective efforts are required to detract anyone who thinks they can benefit from this.