Multrees Investor Services, a firm working with wealth managers and other financial groups, has this advice for businesses understandably alarmed by the latest computer virus outbreak.

The computer virus attacks that hit organisations and hundreds of thousands of computers around the world at the weekend continue to keep cybersecurity high up the wealth management agenda. Jaco Cebula, who is chief technology officer at UK-based Multrees Investor Services, examines how firms can improve their security. Multrees is an independent custody and consolidated reporting specialist for wealth managers and family offices, and has insights into the needs of such groups. This publication is keen to hear from wealth and family offices around the world - cybercrime knows no frontiers - about cybersecurity issues and how they intend to deal with the problems. Please email tom.burroughes@wealthbriefing.com 

The views of guest authors aren’t necessarily shared by the editors of this news service and it welcomes responses and comments. 

Cybersecurity threats have undoubtedly become more intense over the years and will naturally drive more and more of the attention and the budgets of businesses globally to focus on mitigating the issue. The most recent case of the WannaCrypt cyber-attack which affected over 150 countries is the best real-time example of the rapidity and the scale of the impact this can have.

The cyber challenge will remain complex and evolve rapidly, placing companies, particularly those dealing with vast volumes of financial data, under immense pressure. They must keep customer data safe and drive the need for constant innovation to maintain robust security frameworks and help minimise the risk of security breaches. 

Worldwide annual expenditure on cybersecurity software, hardware and services is expected to reach $101.6 billion by 2020 compared with spending of $73.7 billion in 2016, according to research from the International Data Corporation. 

While constant innovation is crucial in tackling the issue, the approach should also be a holistic one, involving people and an improved process of intelligence gathering, and sharing of that intelligence via more effective communication channels. 

The need to rapidly generate new products to survive in a highly competitive market makes delivering robust security controls extremely challenging. However, as the level of threats grow, it is crucial that banks become more open when it comes to their cyber strategy and work together as an ecosystem to combat the issue.

The more traditional "technical" approach to cyber security, while necessary, is not sufficient in itself to ensure that firms can minimise the impact of any attack. The majority of regulated firms will have controls in place to ensure that their IT security team is taking the necessary measures, such as keeping virus definitions up to date, patching servers, locking down firewalls, setting minimum required permissions, providing intrusion detection systems, and testing perimeter defences etc.

However, while the WannaCrypt ransomware attack has shown spectacularly that there are no grounds for complacency in these areas, it important to realise that many of the most effective measures lie beyond the realm of IT Security, and relate more to a less predictable area of vulnerability – an organisation’s people.

As a result, it seems pertinent to examine a number of key non-technical measures that demonstrate a number of ways that Multrees has tried to take cyber-security ‘out of the IT Security department’:

Online training – this should be a mandatory part of the staff induction, and the CISI online training catalogue which includes an introduction to Cyber Security, is a good example.

“Lunch and Learn” approach – this covered the main “social engineering” categories of Cyber Threats, and included real life examples, as well as reviews of actual attacks on Multrees and lessons learned.
Understanding of different data domains – it is vital that individuals understand where and how corporate data is stored e.g. local devices, corporate network, cloud etc., as well as the risks inherent in each.

Downstream supplier impacts – it is no longer sufficient to understand the impact of direct threats to your own organisation.  Effective supplier management of application providers (both on-premise and cloud based), infrastructure/network partners and B2B counterparties should include due diligence on security measures, as well as reporting and transparency around any attacks via service reviews.

IT “coding for security” – a myriad of online courses and certifications are available to ensure that all software developers have an awareness of how to build security into their software ‘from the ground up’.
Simulations – this does not have to be time consuming or costly, but it is vital that staff are aware of the procedures in the event of a “real world” attack. A simple spear phishing simulation which requires a little creativity and the creation of a dummy website, could provide an opportunity to analyse the responses, to target training and resources more effectively.  Ransomware is also  very easy to simulate and track with only a small amount of scripting.

Be aware of “patterns” in attacks - e.g. DDoS is often a cover for a more forensic data theft. It is important not to lose sight of the perimeter while dealing with the initial incident.

A key to getting buy-in to this activity is to understand that one will, inevitably, be the victim of some form of cyber-attack.

In 2016, Multrees itself was hit by a ransomware attack that was not identified by the mail scanner.  The effect of this breach, however, was minimised swiftly via appropriate user permissions, allied to effective segregation of the network, meaning that core databases and application files were simply not accessible. However, it is important to note that these technical protections would not have been necessary, had the offending email been treated with appropriate levels of suspicion and tighter scrutiny at the point of entry by the recipient. 

Being hit by a real-life attack, even one with minimal impact, can provide a timely wake-up call to ensure that cyber awareness is embedded in the organisation’s culture.

About the author: Jaco joined Multrees in 2013 as CTO; he has more than 20 years of specialised technology experience within the wealth management industry. This includes investment management software, systems integration and delivering operational improvements through automation. He leads the technology and change developments at Multrees.