The number of cybersecurity incidents reported by the UK’s financial sector mushroomed in 2018, driven by breaches, errors, and technical failures.
The number of events declared by banks and financial services firms rose from 69 in 2017 to 819 in 2018 – a spike of more than 1,000%.
Numbers obtained from the Financial Conduct Authority (FCA) by tax consultancy RSM show that high street banks accounted for nearly 60% of the reports submitted to the FCA in 2018.
The jump is understood to be partly driven by the implementation of GDPR, which obliges all organisations to report security breaches. But RSM says it also reflects the fact that the industry is increasingly under attack by cybercriminals and nation state actors.
Banks and investment houses are where money and financial secrets are kept, so it’s no surprise that their huge volumes of personal and financial data are a target for thieves and fraudsters.
It’s worth pointing out that cyber-attacks only accounted for 11 per cent of the incidents reported to the FCA. More commonly reported causes of data loss or system compromise were failed attempts to switch from one system to another, issues with software and hardware, and faults caused by third-party IT suppliers.
But those broader technical issues can open up vulnerabilities which cybercriminals know how to find and exploit.
Phishing attacks on finance firms jumped significantly, as did issues caused by human error – one of the most persistent causes of security breaches.
Breaches in finance are on the rise
These latest figures echo findings released earlier this year by UK law firm RPC, showing the number of successful attacks on UK financial services firms had risen by 480 per cent last year.
Cyber criminals have seen a growth opportunity in financial services and they’re targeting banking systems with increasing frequency and ingenuity.
The potential losses exceed the costs of remediating a breach. With a growing number of challenger banks like Revolut picking up market share, cyberattacks could cost financial institutions customers.
Consumers already rate banks and others on how well or poorly they protect personal data. They will quickly abandon a brand following a major security incident.
Seven UK banks were forced to shut down their systems last year after attacks that cost hundreds of thousands of pounds to fix. Some of the biggest names were affected, including Barclays and Santander.
For a highly regulated industry like financial services, the penalties following a breach can be painful. Tesco Bank had to pay £16.4m in FCA fines after a cyber attack led to £2.26m being stolen from personal accounts.
RPC’s research also demonstrated that cybercriminals are targeting investment firms, believing their cybersecurity posture is even weaker than that of retail banks.
Cyber threats continue to evolve
Cybercrime groups are perfecting new infiltration techniques to get at the customer and proprietary data held by financial institutions. The arsenal of tools is expanding, and they’re looking for new targets.
According to Kaspersky, cybercriminals are still very focused on banks, but are also identifying vulnerabilities in the systems of fintech companies, cryptocurrency exchanges, point-of-sale terminals, and ATMs.
Fintechs and crypto exchanges are thought to be vulnerable because their systems are new and ‘immature’ in cybersecurity terms.
For everyone else, some familiar attack vectors continue to be effective:
More than a third of phishing campaigns target the financial sector. The relationship of trust between banks and customers is leveraged by cybercriminals to trick customers into revealing their login credentials, payment card details, and other personal data.
Cybercriminals steal personal information to clone the identity of individuals and take over their financial accounts. It’s now a reality that whenever a customer creates a new bank account online, banks need to question whether they are who they claim to be.
Synthetic identity theft occurs when criminals steal data to create a fictitious identity, and then obtain fraudulent access to accounts or credit. Some $355 million USD in outstanding credit card debt is owed by people who don’t actually exist.
In finance and elsewhere, attacks on UK businesses are growing
A study released in April by insurer Hiscox says the proportion of UK firms reporting a cyber-attack has already jumped significantly over the same period in 2018. A survey found 55% had faced an attack in 2019, up from 40% last year.
Average losses from breaches also soared from £176,000 to £293,000, an increase of 61%.
As finance and other sectors continue to get to grips with cyber risk, firms can minimise the growing number of cyber incidents with effective security awareness training, and by creating a culture of security awareness.
Cybercriminals are locked in a long-term struggle with businesses where the weapons and tactics change monthly. Unless someone invents a box that finally makes devices and networks impenetrable, treating cyber risk as a daily management challenge – and enlisting your own people to help – is the safest route to secure systems.