Inside A Cyberattack: How Hackers Steal Data

An expert and a "professional hacker" explain how cyberthreats happen, how to look out for them, and what firms such as wealth managers should do to be on their guard.
Given the current heightened tensions around geopolitics, it
is easy to overlook that even in supposedly calmer times,
cybersecurity is a risk that wealth managers must consider and
act upon.
The following article comes from Dave Gray, VP for Europe, Middle
East and Africa at Protegrity, a data
protection platform provider (see a related article by this
publication
here), and Glenn Wilkinson, who is a “professional hacker”
and speaker. The editors are pleased to inject these views into
the public square and we invite readers’ responses. Email
tom.burroughes@wealthbriefing.com
and amanda.cheesley@clearviewpublishing.com
The truth about cybersecurity is that it is almost impossible to
keep attackers out of an organisation entirely, particularly as the
cybercrime industry becomes more sophisticated and its tooling more
advanced. Furthermore, once an attacker has broken through an
organisation's defences, it is relatively easy to move within the
network and access information without being detected for days or
even months. This is a significant concern for banking and financial
services organisations, which hold valuable sensitive data and
Personally Identifiable Information (PII).
The goal of cybersecurity is therefore to minimise both the
likelihood and the impact of a breach. Understanding the adversary's
mindset and day-to-day activity is central to this.
A hacker’s motivation
The recently leaked Black Basta chat logs provide a realistic
insight into how a ransomware group is structured and what its
day-to-day work looks like. Cybercrime is a business, with targets,
quotas and call templates. While the motivations for hacking range
from purely financial to nation-state espionage and hacktivism, for
many people hacking is simply a day job. The valuable intelligence
here is that, as in any day job, attackers take the path of least
resistance: they look for ways to minimise effort and maximise
output. That can mean reconnoitring a site and joining the guest
Wi-Fi, or simply walking into a building and plugging into a spare
ethernet port. There is also an opportunistic element to their
strategy, such as scanning at random for easily exploitable
weaknesses or going after the low-hanging fruit, which is often an
organisation's employees.
A troubling development that delivers exactly this efficiency and
simplicity is Ransomware-as-a-Service (RaaS). Developers rent out
ready-made ransomware and the supporting infrastructure to
affiliates, who can buy access to already-compromised networks from
initial access brokers and simply deploy the ransomware onto them.
This is democratising hacking and expanding the cybercrime industry,
meaning that for many organisations which process valuable data or
run essential services, a breach is a case of when, not if.
Inside a hack
It is often a simple, mundane scenario that grants attackers access
to an organisation's systems. For example, an attacker could look up
an employee on LinkedIn, work out the company's email address format,
and contact HR with a message claiming they have been overpaid, with
a fake payslip attached. If HR opens the attachment, the attacker can
gain a foothold on the system or deploy malware. Another example is
parking outside an organisation and probing for weak spots over the
air, such as a server an intern once set up for a test and forgot
about, or a known software vulnerability. Cybersecurity measures such
as Zero Trust Network Access (ZTNA) and firewalls do delay an
attacker's ability to breach the network; however, once they are
inside, the organisation is typically far more vulnerable.
Once an attacker breaches the perimeter, the standard practice is to
establish a beachhead (a persistent foothold) and then move laterally
to find the organisation's crown jewels: its most valuable data.
Within a financial or banking organisation there is very likely a
database that contains sensitive customer information. From the
attacker's point of view a database is essentially a large
spreadsheet: with a single SELECT statement they can copy everything
in it. This is where data security becomes essential; however, many
organisations treat network security as if it were data security,
and assume that keeping attackers out of the network is the same as
keeping them away from the data.
Organisations often rely on encryption to protect sensitive data,
but encryption alone isn't enough if the decryption keys are poorly
managed. If an attacker gains access to the decryption key, they can
instantly decrypt the data, rendering the encryption useless. Many
organisations also mistakenly believe that encryption protects
against all forms of data exposure, but weak key management,
improper implementation, or side-channel attacks can still lead to
compromise. To truly safeguard data, businesses must combine strong
encryption with secure key management, access controls, and
techniques such as tokenisation or format-preserving encryption to
minimise the impact of a breach. A database protected by Privacy
Enhancing Technologies (PETs), such as tokenisation, is unreadable to
an attacker who dumps it, provided the keys or the token vault are
held on a separate system rather than alongside the data. Without
also breaching the organisation's data protection vendor (or
wherever the keys and vault are kept), the attacker cannot recover
the original values, which makes the attack significantly more
complicated and is a major deterrent.
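The following is an added example, not code from the article or from Protegrity, illustrating the two paragraphs above: first the "one SELECT copies everything" dump from a plaintext table, then the same table with its sensitive columns tokenised and the token vault held on a separate system, and finally what happens when that vault is reachable from the breached host. The customer records, the in-memory SQLite databases and the vault design are constructed for illustration; the vault uses random format-preserving tokens (a stand-in for a commercial tokenisation or format-preserving encryption product, not an implementation of any particular one).

```python
import secrets
import sqlite3
import string

# Constructed sample records for this example (not real customers).
CUSTOMERS = [
    ("Alice Example", "GB29NWBK60161331926819", "alice@example.com"),
    ("Bob Example",   "GB94BARC10201530093459", "bob@example.com"),
]
SENSITIVE = {row[1] for row in CUSTOMERS} | {row[2] for row in CUSTOMERS}

SCHEMA = "CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, iban TEXT, email TEXT)"


def build_plain_db():
    """The usual situation: PII sits in clear text in the application table."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO customers(name, iban, email) VALUES (?, ?, ?)", CUSTOMERS)
    return con


def attacker_dump(con):
    """Once inside, the attacker needs nothing cleverer than a SELECT."""
    return con.execute("SELECT name, iban, email FROM customers ORDER BY id").fetchall()


def leaked_values(dump):
    """Which real sensitive values appear verbatim in a dump."""
    return {cell for row in dump for cell in row if cell in SENSITIVE}


class TokenVault:
    """Token <-> value mapping held on a separate system. Here a second
    sqlite connection stands in for the off-site vault; the application
    table only ever stores tokens, never the values."""

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.execute("CREATE TABLE vault(token TEXT PRIMARY KEY, value TEXT UNIQUE NOT NULL)")

    @staticmethod
    def _format_preserving_token(value):
        # Keep the shape of the original (length, digit/letter/case per
        # position, separators such as '@' and '.') so downstream code and
        # validation keep working, but draw every character at random so
        # the token itself carries no information about the value.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(alphabet))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        # Deterministic: the same value always maps to the same token, so
        # joins and lookups on the tokenised column still work.
        row = self.con.execute("SELECT token FROM vault WHERE value = ?", (value,)).fetchone()
        if row:
            return row[0]
        while True:
            token = self._format_preserving_token(value)
            try:
                self.con.execute("INSERT INTO vault(token, value) VALUES (?, ?)", (token, value))
                return token
            except sqlite3.IntegrityError:
                continue  # token already issued to another value; draw again

    def detokenize(self, token):
        row = self.con.execute("SELECT value FROM vault WHERE token = ?", (token,)).fetchone()
        return row[0] if row else None


def build_tokenized_db(vault):
    """Same schema as the plain table, but IBAN and e-mail hold vault tokens."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany(
        "INSERT INTO customers(name, iban, email) VALUES (?, ?, ?)",
        [(name, vault.tokenize(iban), vault.tokenize(email)) for name, iban, email in CUSTOMERS],
    )
    return con


def attacker_dump_with_vault(app_con, vault):
    """The poor-key-management case: if the vault (or key) is reachable from
    the breached host, the attacker simply detokenises every cell."""
    return [(n, vault.detokenize(i), vault.detokenize(e)) for n, i, e in attacker_dump(app_con)]


if __name__ == "__main__":
    print("plain dump leaks:", leaked_values(attacker_dump(build_plain_db())))
    vault = TokenVault()
    tokenised = build_tokenized_db(vault)
    print("tokenised dump:", attacker_dump(tokenised))
    print("tokenised dump leaks:", leaked_values(attacker_dump(tokenised)))
    print("dump with vault reachable leaks:", leaked_values(attacker_dump_with_vault(tokenised, vault)))
```

The point of the last function is the caveat in the text: tokenisation and encryption only help if the vault or key is segregated from the data it protects. Note also the trade-off in format preservation: the token keeps the length and shape of the original value so that applications need not change, which means the shape itself (an IBAN's country code position, an e-mail's local-part length) is still visible to an attacker; whether that is acceptable is a design decision per field.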
How to outsmart a hacker
Another reality for organisations is that it is relatively easy for
an attacker to evade detection. According to IBM, it takes
organisations an average of 258 days to identify and contain a
breach, and the organisation often does not discover the breach
itself: it may be notified by the attacker, or by a competitor to
whom the attacker is trying to sell the stolen data. IBM's findings
indicate that the detection window is narrowing, as 258 days is a
seven-year low; however, this is still a significant amount of time
for an attacker to become comfortable inside an organisation's
systems. During that time they can be continually accessing fresh
customer data and learning who else is in the ecosystem, with a view
to breaching the organisation's supply chain as well.
To deter attackers effectively, organisations should focus on making
attacks more difficult and less rewarding. If the effort and risk
outweigh the potential gain, attackers are more likely to move on to
an easier target. Implementing layered cybersecurity measures and a
zero-trust framework strengthens defences. However, banking and
financial institutions hold such valuable data that attackers will be
more determined. To counter this, investing in robust data protection
is a must rather than relying solely on perimeter security.
Organisations should ensure that even if an attacker breaches their
systems, the sensitive data remains protected, effectively rendering
it useless to cybercriminals.