The Financial Conduct Authority (FCA) has revealed that cyber resilience remains a top concern for most UK firms, and that firms' cyber weaknesses are most pronounced in third-party management, protecting key assets, identifying and managing high-risk staff, and educating employees who have access to critical systems or sensitive data.
In its Cyber and Technology Resilience Report, which assessed the technology and cyber capabilities of firms of all sizes across all sectors, the FCA noted that although firms have improved their IT governance standards, a majority of UK firms still struggle with key issues such as managing their third parties, maintaining a view of what information they hold, and running effective IT change management.
Failed IT changes leading to technology outages
Partly as a result of these issues, technology outages reported to the FCA by UK firms have risen by 138% so far this year, alongside an 18% increase in reported cyber incidents. The FCA believes, however, that not all cyber and operational incidents are being reported to it, so the true figures are likely to be higher.
According to the report, between October 2017 and September 2018 UK firms reported a large number of technology outages and cyber incidents to the FCA. Of these, 91 were caused by failed IT changes, 70 by third-party failures, 67 by software/application issues, 60 by cyber-attacks, 37 by hardware errors and 26 by human error.
IT governance is the area in which most UK firms report their most mature capabilities, but small firms still lag: 16% of them lack a nominated individual at board or senior level with responsibility for technology resilience, 20% lack an overall technology strategy approved by the board, and 26% lack a board-approved information security strategy.
The report also noted that many larger, more complex or geographically diverse firms rely on committees and other parts of their group to set cyber strategy, rather than placing clear accountability on senior managers or board members.
A lack of understanding of cyber risk among board members has also hampered the setting of IT governance rules in many firms, with many boards still struggling to accept that managing cyber risk is not just an IT problem but a business-wide responsibility. In response, many firms have brought in third-party firms or advisors to strengthen their capabilities, or have turned to training and simulation exercises.
Cyber resilience remains a top concern
Although IT governance is relatively mature in medium and large organisations that have nominated individuals responsible for strengthening their cyber capabilities, cyber resilience continues to be a major issue for firms of all sizes.
According to the FCA, a large number of organisations struggle with identifying their key assets, services and people, including those provided by third parties, as well as with sharing information and detecting attacks.
Firms' inability to identify their key assets and data, to maintain a view of their third parties and to manage end-of-life assets directly undermines their ability to secure those assets against cyber-attack, or to respond appropriately when such assets are lost to unauthorised parties.
At the same time, failing to monitor hardware and software assets that are nearing end-of-life leaves organisations running unsupported systems, which results in technology outages, greater vulnerability to cyber-attack and higher overall risk.
The human factor
The FCA expressed concern that a large number of firms have been unable to identify their high-risk staff, e.g., those who handle critical and sensitive data and those with privileged system access. Of the firms that did identify their high-risk staff, only 47% provided additional cyber security training to those employees.
"This means staff may not be properly educated about, or prepared for, the increased risks that they will encounter in their roles. Given the prevalence of social engineering and phishing as a means of cyberattack, often targeting these roles, this presents a significant weakness. In many cases, this risk is compounded by a simultaneous lack of monitoring of staff activity, so firms are unlikely to detect anomalies in staff behaviour and subsequent activity.
"Many firms recognise there are threats posed by ‘insiders’ and consider these to be some of their most significant cyber-risks. However, in our broader supervisory work, we have seen only limited evidence of firms proactively seeking to ‘connect the dots’ between cyber and other conduct issues which may be enabled through cyber channels (eg market abuse and financial crime).
"The ability of any employee within the firm’s perimeter to either intentionally or negligently give rise to cyber-attacks emphasises the importance of embedding a ‘security culture’ which runs through all aspects of an organisation," the report added.