Graham Hooper: Target your biggest cyber weak spot – human error  

Passwords, processes and systems can only protect us so far and the human factor is often the weakness

7 minutes

It only takes a quick look at some headline facts and figures to ram home the significance of cyber-attacks within the UK financial services sector – although, in passing, ‘cyber’ may be the wrong word.

That implies something technical, systemically mystical, deep and geeky stuff – which is not always the case. As we will see later, it is much more about people and behaviours, rather than being outfoxed by a young, techno-genius working in front of a screen 24/7 and developing ways of hacking into the very heart of our laptops, tablets and smartphones by way of hyper-clever complex coding.

But back to those bare numbers, which make for sober reading:

* Action Fraud, the national police reporting agency, saw a 400% increase in Covid-19 scams up to 21 March.

* Risk advisory firm Crowe UK reckons tens of thousands of savers have lost more than £6bn over the years.

* APJ Solicitors estimates the average pension scam losses are £155,000.

* Last year, the Financial Conduct Authority (FCA) reported a 480% year-on-year increase in the number of firms targeted.

* In 2019, 174,798 people lost £317.1m to fraudsters. This compares with 114,707 people losing £138.4m in 2018 – increases of 52.4% and 129.1% respectively – so not only are the number of successful attacks going up but the average amount lost has more than doubled.

* Equivalent numbers for businesses were £138.7m for 2019, and £126m in 2018 [UK Finance] – the lower amounts possibly reflecting more robust systems.

Personal liability

By any measure, these numbers are staggering and reflect a fast-growing problem. Worryingly for financial services companies, the Payment Services Regulator found that two UK banks were only refunding 4% of lost money to victims. For those of us using internet banking and now working from home, if our firewalls and home security systems are not up-to-date, we may be personally liable for losses.

Retail Economics meanwhile reports that only 70% of users always use a password or PIN to protect tablets and smartphones. Asked to guess, I would have assumed the figure would be very close to 100%.

Working from home has exacerbated the problem – people’s home systems are often less robust and more ‘at risk’ than business systems. As such, most agencies are expecting increased attacks on people’s home systems, and through them, their businesses.

Biosecurity systems like fingerprint and facial recognition are not infallible. The technology is often the limiting factor – it is not detailed enough to pick up all the intricacies we have. In theory, our fingerprints should have something like a one in a 64 billion security level. In reality, it is currently around 1 in 50,000, according to a well-known smart device manufacturer. For its part, Cisco Talos has warned 3D printing can now render fingerprints redundant as they can be accurately replicated by machines.

Two close calls

These issues really only come home to roost when we, or someone we know, are personally affected. As an example, I am a trustee of a few trusts and have had two close calls recently. One of the trusts’ funds is run by a well-known UK DFM and its password to access valuations emailed to clients is different every day.

The problem is that the format is the same everyday so, once you know the format, you have access to any valuation 365 days a year. It is not a big jump to ask for the funds to be encashed and the funds sent to a third party’s designated account. It may have been picked up, but….

The second asset manager sent me an email, addressed and intended for someone else, which detailed new dealing dates and terms. Clearly, they then had to amend their terms with us to match those in the email.

One of the businesses I worked for had a request to encash some of a client’s portfolio to fund a purchase on a property in France. The company encashed the money as requested and sent it to the bank account that the client had stated … except that it was not his account. A hacker had intercepted the email trail and inserted their own bank account to which the company dutifully paid: Simple – money gone, upset client, large restorative bill to pay from the company.

All simple, straightforward real-life examples and, to be fair, entirely understandable. The UK Information Commissioner’s Office [ICO] has reported a 75% increase in data security incidents in the last couple of years and a remarkable 88% of those involved human error. More than a third of those were where data was being emailed, posted or faxed to incorrect recipients by mistake. So much for our young geeky hacker! We are, often, the architects of our own issues. Hands up those who have never done it.

Person-to-person verification

Passwords, processes and systems can only protect us so far and the human factor is often the weakness. What is really needed is something where the user decides the level of security they want.

For more than a year now, I have been using a person-to-person verification system that lets me set the level of protection I need. Importantly, from a personal user perspective:

* It is easy to use  – I do not have to do anything else other than to send a ‘normal’ email;

* I can set the level of security I want when emailing an individual. My ID verification question to them can be simple and, most importantly, unique between me and the intended recipient. I can even automate the process by sending an access code to their phone – apparently that is a smart way to add extra security;

* Significantly, it acts as an ‘aide memoire’ so if my email contains words like ‘investment’, ‘risk’, ‘account’ and ‘cash’ – words that I set myself – it reminds me I might want to send it securely given it contains information I might want to protect; and

* From a peace of mind perspective, I know I am sending information to the person I want it to go to – under protection to which the recipient and I alone have access – particularly in the case of communications with business organisations as well as, personally, my bank, fund manager, accountant, solicitor and estate agent.

Meanwhile, from a business perspective:

* It helps protect your clients and employees;

* It can act as a ‘sense’ check for employees before they press ‘send’ to help get that 88% human error number down

* It protects your company – especially in the context of MiFID II and GDPR;

* It can help save restorative client costs and PI claims;

* It has real ESG benefits that can act as a USP for businesses as well as shareholders and other stakeholders;

* It can give you a competitive advantage if marketed correctly;

* It helps build trusted digital networks within your business environment; and

* The ICO has been specific in its recommendations – communications should be encrypted and the recipient’s identity verified by the sender.

As a final note, from a senior management team perspective it ticks all the boxes: client service; IT security; regulatory expectations – FCA, ICO, GDPR, Mifid II, Dear CEO letter from FCA and so on; can save costs; protects employees; reduces reputational risk; can be used as a USP with clients, shareholders and other stakeholders; it is ESG-friendly; and it is simple and straightforward to use.

Graham Hooper is a business consultant with more than three decades’ experience in financial services

Five do’s and don’ts for directors losing sleep over secure communications

  1. Don’t lose your laptop, tablet or smartphone.
  2. Use more complex passwords than ‘123456’ or ‘abcdef’ – the stats are ridiculous for this kind of usage. Figures from the National Cyber Security Centre show 23.2m accounts were breached globally last year by using ‘123456’ as a password.
  3. Trust your intuition – if it looks too good to be true, it probably is.
  4. Build and develop your trusted personal digital network.
  5. Use a point-to-point personal recipient verified system – other systems are available.

 

MORE ARTICLES ON