Protecting Financial Data: Cybersecurity Considerations for 2024

Cybersecurity for CFOs


Far from being just a niche concern for your IT department, cybersecurity is everyone’s business. This is especially true of finance leaders; not least because the operational, financial, and reputational consequences of a major data breach will inevitably land in your lap.

Is your business doing enough to safeguard financial data? What cyber considerations need to be front of mind when you introduce new workflows and technologies to aid finance transformation? As we move into 2024, here are the areas you need to get on top of…

Risks and repercussions: cybersecurity and financial data

Recent statistics suggest that the volume of cyber-attacks is increasing. The consequences of a breach are also becoming more severe. To illustrate this, here’s a snapshot of the current data protection and cybersecurity landscape:

Cyber-attacks are becoming more prevalent. According to SonicWall, there were 6.3 trillion intrusion attempts globally in 2022 alone. CPR indicates that last year there was a 38% year-on-year increase in the global volume of attacks.

This broad trend is expected to continue, as demonstrated by the stats linked to ransomware attacks (whereby threat actors block access to data or systems to extort money from their victims). In 2021, it was estimated that someone somewhere falls victim to a ransomware attack every 11 seconds. By the next decade, it is predicted that every two seconds an individual, business or device will be attacked.

Financial data is particularly prone to exploitation. The vast majority (95%) of security breaches are driven by financial motivations, with around 65% of threat actors thought to be linked to organised crime. According to IBM, customer personal identifying information (including personal financial data) was the most breached data record type in 2023. This category of data compromise made up 52% of all breaches.

Data breaches are increasingly costly for your business. In 2023, the global average cost of a data breach was USD 4.45 million – 15% higher than in 2021. Of all data categories, customer personally identifiable information costs businesses the most when breached: USD 183 per record on average. 84% of businesses hit by ransomware experience lost revenue. Around 40% of companies will lay off employees as a result.

Building a culture of security in finance

More than a third of all data breaches involve phishing, whereby criminals use fake messages (usually emails) to dupe users into downloading malware, giving away information, or executing fraudulent transactions.

This fact helps explain why even the world’s largest and best-resourced enterprises still get hit with catastrophic security events. Your business may already have firewalls, intrusion detection, anti-malware software, and a host of other cybersecurity measures in place. But if an unsuspecting employee clicks on a malicious link or downloads something they shouldn’t, those basic breach-prevention measures count for little.

The finance function is not only seen as the financial gatekeeper but also the place where lots of sensitive, exploitable data resides. As such, your finance team presents a particularly attractive target to phishing scammers. This includes so-called ‘spear phishing’ and ‘whale hunting’ exploits, whereby criminals deliberately identify and target key business insiders with heavily personalised (and often, very convincing) fake messages.

Action Points for Finance Leaders

It can be easy to regard cybersecurity as “not my domain”, or “something that the IT people take care of”. It’s almost certainly the case that your team members have been provided with the company’s safe usage policies. But to what extent is there a culture of compliance – and how much oversight do you provide?

Individuals tend to be the weak point in the cybersecurity chain. You can mitigate this with effective, relevant security training – including, for instance, simulations replicating real-world attacks. You can only build a culture of security compliance if your team members are fully aware of what’s expected of them – and why it’s important.

Hardwiring security into your finance transformation strategy

One current and ongoing area of focus for Millennium Consulting is helping its Unit4 Financials by Coda customers to transition from an on-premise to a Cloud-based software instance. Already, these customers are leveraging the benefits of Cloud deployment, including quicker access to new functionality, ease of maintenance, and lower cost of ownership.

For many finance departments, a shift to the Cloud is just one element of a wider transformation strategy. Initiatives such as automating core processes and adopting advanced analytics have obvious benefits in terms of boosting your decision-making capabilities and staying ahead of the competition.

However, it is also worth bearing in mind that your finance transformation will have inevitable consequences for both cybersecurity and data protection. For instance, if you are shifting sensitive financial data to the Cloud, can you still ensure that your compliance obligations governing data storage and transfer are being met? To what extent will new tools and changes to your data architecture (particularly around data integration) alter your vulnerability to cyber-attacks?

Action Points for Finance Leaders

Let’s say you are weighing up a range of software vendors and deployment options as part of a process optimisation initiative. You’re focused on the essentials (e.g. functionality, ease of integration – and not to mention cost). But where does cybersecurity fit in the decision-making process?

Security considerations need to be part of your deliberations right from the outset – rather than it being something your IT team thinks about after procurement decisions have been made.

Some initiatives – e.g. increased data integration and the shift to the cloud – may require your technical team to touch on areas of cybersecurity knowledge that they are unfamiliar with. What will be required in designing and implementing a robust security architecture for your new cloud environment? What additional skills will you need to bring onboard, and what will be the likely costs involved?

External expertise can be highly valuable, both for making ‘secure-by-design’ procurement decisions, and for implementing the changes necessary to secure your new environment.

Maintaining visibility across a complex IT ecosystem

Both in finance and across the wider business, one of the longer-term consequences of the pandemic is that many employees have much greater leeway in when and where work gets done.

Following on from this, Gartner has recently picked up on a trend of what it calls “radical flexibility.” In other words, employees in 2024 often crave much greater flexibility in deciding how work gets done – including their choice of tools for the task at hand.

So, what might this mean for keeping financial data secure?

Well, let’s say one of the finance teams needs a better way to visualise and present some data, or a tool to manage a new regulatory requirement. A decade or so ago, this would probably have meant contacting their manager. A solution would be sourced; IT would then check that it’s safe before installing and configuring it.

Fast forward to the present, and an employee can bypass these steps altogether. They have an issue; they find something suitable on the app store, sign up using the company’s details – and the problem is solved.

This gives rise to the issue of shadow IT; whereby software or other assets are added to an enterprise network, without IT knowledge, approval, or proper oversight.

This can be wasteful, with multiple employees potentially signing up for the same or very similar tools (one estimate suggests that the average enterprise wastes over £105,000 annually on duplicate/unnecessary license spending). It can also give rise to multiple security and governance risks. Assets from untrusted – or even malicious – sources can easily find their way into your network, and sensitive data could end up being processed, stored, or exposed in a way that significantly increases the chance of a serious data breach.

Action Points for Finance Leaders

In part, the potential risks associated with shadow IT can be mitigated (once again) with comprehensive employee training, including clear policies to prevent the use of unauthorised apps across your network. This should be accompanied by IT asset management processes and licensing management tools so that IT can maintain a clear and complete view of the applications in play across your IT environment.

Alongside this, if you want to prevent employees using unsanctioned workarounds for business-related problems, finance leaders need to ensure that employees have the right tools for the job. For instance, are you still relying on unwieldy legacy technologies for close & consolidation and other time-consuming tasks? Are there better ways to handle new IFRS requirements? Is there a user-friendly solution out there for visualising data?

If you can address these types of problems, the need for employees resorting to shadow applications is effectively removed.

What next? Making the right choices for safeguarding your data

There is no quick fix for eliminating cybersecurity risks. The right mindset to adopt is often described as the “assumed breach” stance. In essence, this involves acknowledging that breaches will happen and putting the right range of measures in place to protect your data and your business accordingly.

So what measures are appropriate for your business? This is where Millennium Consulting can help. Combining expertise in both cybersecurity and finance transformation, our consultants can review your existing processes, identify your weak points, fill in any skills gaps you may have, and ensure the implementation of a cybersecurity framework that’s tailored to your specific needs.

Find out more

NIS2 is on the horizon

Cyber


On October 17th 2024, NIS2 will replace and update the older NIS (Network and Information System) regulations. NIS regulations for the EU and UK improve cybersecurity and cyber resilience across critical systems and infrastructure.

The EU has refreshed and expanded the scope of NIS in NIS2. If you provide any of the following services in the EU, or your business offers Information Technology services or products to an organisation in scope, you will want to check your business is compliant.

*The UK is still reviewing its own NIS regulation.


Sectors covered by the NIS Directive


Transport

Banking

Financial markets

Drinking water

Digital infrastructure

Energy

Health sector

Understanding NIS2


NIS2 is a set of regulations designed to enhance the cybersecurity of critical infrastructure and digital services across the European Union. Building upon its predecessor, NIS, NIS2 emphasises risk management, cooperation between Member States, and protecting essential services against cyber threats.

The NIS2 directive matters for several reasons:

Cybersecurity is a growing concern:

With cyberattacks’ increasing frequency and sophistication, bolstering cybersecurity measures has become paramount.

Protection of critical infrastructure:

NIS2 aims to protect critical infrastructure such as energy, transport, healthcare, and financial services. A successful cyberattack on these sectors could have devastating consequences, making NIS2’s provisions essential.

Cross-border collaboration:

NIS2 encourages Member States to collaborate on cybersecurity matters. In an interconnected world, cyber threats know no borders, and cooperation is vital for effective defence.

Extended scope for the NIS2 Directive


Postal & courier services

Manufacture of certain critical products

Water waste management

Public administration

Manufacture, production and distribution of chemicals

Providers of public electronic communications networks or services

Digital services

Food production, processing and distribution

Research

Space

Digital service providers

The countdown begins


With the NIS2 deadline just one year away, now is the time to take action. Here are some steps you can consider:

Assess your compliance:

If your organisation operates within the EU and falls under the scope of NIS2, thoroughly assess your current cybersecurity measures. Identify gaps and areas that need improvement.

Seek expert guidance:

Consider engaging cybersecurity experts who can help you navigate the complexities of NIS2 compliance. They can provide valuable insights and recommendations tailored to your specific needs.

Develop a compliance strategy:

Create a roadmap for achieving NIS2 compliance within the given timeframe. This may involve policy updates, technology upgrades, and staff training.

Stay informed:

Stay updated on any changes or clarifications to NIS2 requirements. Regulations can evolve, so you must remain informed to adapt your compliance efforts accordingly.

If you need any help regarding NIS2 compliance, Millennium Consulting offers Information security support, and if you are a Millennium+ customer, you can utilise your support time for this service.

Contact us

Safeguarding the Energy Sector and Beyond

Cybersecurity
August 2023



As we fight to keep greenhouse gas emissions under control and keep household bills at affordable levels, new technologies will help the energy, utility and infrastructure sectors become more efficient and move toward Net Zero.

However, at a time when the energy sector should be taking advantage of these new technologies, it faces ever-growing risks from cybercriminals. These attacks, the protection measures used to combat them, and the legislation designed to protect everyone can heavily impact the adoption of new technology.

A look at current threats and opportunities will help business leaders in all sectors see why a cybersecurity outlook is needed when introducing new technology safely; the same expertise can also help you get the most out of a project.


Supply Chain Risk: SolarWinds and MoveIT

Take all the hardware and software that runs your business (unless you build and develop everything in-house). You will buy some of these as goods and services from other companies: this is your technology supply chain, and in relying on it you potentially expose yourself to vulnerabilities outside your control.

So, an attack directed at your company only needs to find the weakest link in your supply chain. Supply chain attacks are not a theory; they are an ever-growing problem, especially when the vulnerability lets an attacker get ransomware in and data out.

The two most significant examples in recent years have been the attack via SolarWinds’ product Orion (an IT administration platform with 33,000 customers), where the attackers managed to push their access into an update, and now MoveIT, a managed file transfer program whose scope and ramifications are effectively still a breaking story; victims include some of the world’s largest public and private entities.


Balancing the Internet of Things and Artificial Intelligence

Solution design is a balancing act, and some choices can be made with good intentions, typically to solve a problem, but result in unintended consequences. Unfortunately, some of the best solutions (IoT and AI) carry some of the greatest dangers.

Choices when building or buying IoT solutions need to be carefully managed; some devices carry slimmed-down low-power versions of operating systems and support software or do not have current hardware protections, making them vulnerable to many types of attacks that might now be a thing of the past in normal IT.

With everyone talking about Artificial Intelligence, the question of how we can use AI to solve our problems comes up more and more. From a development perspective, the ability of AI to write working code quickly might be a temptation for a pressured Dev Team. However, it again can introduce issues, as the bases for the AI’s learning include deprecated and vulnerable code.


The right tools: IFS FSM and IFS Cloud

IFS FSM has been named Gartner Field Service Management Magic Quadrant Leader for seven years. It provides an end-to-end service management solution, allowing companies in the energy sector to reduce the complexity of their IT supply chain.

In addition, IFS’s Cloud offering is designed to cut technical complexity and use inbuilt automation, AI and IoT input to improve efficiency and workflow, while being protected by IFS’s ISO 27001 compliance.


The proper support: Millennium+

Millennium Consulting has ISO 27001 accreditation and takes cybersecurity and cyber resilience seriously for us, our partners, and our customers. We also aim to make processes as efficient as possible, leaving fewer complications for cyber criminals to prey on.

Our Millennium+ service offers you peace of mind, as you can use your time to book any of our experts for any part of your business. Be it a cyber resilience review, help with a stalled implementation, a process review, or one of many other services, we can help.

Get in touch

World Password Day 2023

4th May 2023

World Password Day


Started in 2013 by Intel, World Password Day is designed to raise awareness of the role strong passwords can play in securing our digital lives. Now more than ever, with the increasing frequency and sophistication of cyberattacks, it has become essential for individuals and organisations to keep up with best practices for password management. Although strong passwords are not a cure-all for making your organisation Cyber Resilient, they are still one of the best security measures. However, technology and cyber-criminals’ approaches are ever-changing, meaning advice can change over time.

Today we want to help raise awareness, not only on what is good advice for strong passwords in 2023 but also the reason why. So here are a couple of ways cyber-criminals get hold of passwords and how to defend against them.

In brute-force attacks, an attacker leverages high-speed computing power to try every character combination to break a password or password hash*.

Hive Systems’ research gives an idea of the time frame needed to brute-force a password with that year’s technology. According to their 2023 table, a complex (numbers, upper- and lowercase letters, and symbols) 8-character password can be broken in five minutes, while a 14-character complex password should take 1 million years to brute-force.

So, the longer a password, the longer it takes to brute-force; the same goes for the complexity of a password. The same 8-character password using only lowercase letters could be brute-forced in less than a second, and a 14-character lowercase password in about a year.

Consider the growth of computing power and the easy access to powerful cloud computing instances, and think ahead: the same 8-character password that now falls in 5 minutes would have taken around 8 hours to crack six years earlier.

So, to defend against brute-force attacks, a password should be long and complex.

*Passwords do not usually get transferred across a network or the internet; typically, an application converts the password using a special one-way algorithm into a password hash, so the password-checking function only checks that the received password hash is the same as the stored password hash.
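The two ideas above, the search space that length and complexity create, and the one-way hash that a login routine checks instead of the password itself, can be made concrete in a few lines. The following is an added example, not code from the original post: it uses PBKDF2-HMAC-SHA256 with a random per-user salt and constant-time comparison (the post does not name a specific algorithm, so that choice, the iteration count, the guessing rate and the sample passwords are all assumptions).

```python
"""Added example (not code from the original post): salted password hashing with
constant-time verification, plus the search-space arithmetic behind the advice to
use long, complex passwords. Algorithm, parameters and sample values are assumptions."""
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Alphabet sizes assumed for the two password classes the post compares.
LOWERCASE_ALPHABET = len(string.ascii_lowercase)                                   # 26
COMPLEX_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Assumed work factor for PBKDF2-HMAC-SHA256; production systems tune this upward.
DEFAULT_ITERATIONS = 600_000


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive (brute-force) search must cover."""
    return alphabet_size ** length


def worst_case_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at an assumed guessing rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace: a compact way to compare password classes."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A random per-user salt means two users with the same
    password get different hashes and precomputed tables are useless; the
    iteration count makes every guess against a stolen hash expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute the hash and compare in constant time, so the comparison does not
    leak how many leading bytes matched."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    rate = 1e12  # constructed guessing rate, guesses per second
    for label, length, alphabet in [("8 lowercase", 8, LOWERCASE_ALPHABET),
                                    ("8 complex", 8, COMPLEX_ALPHABET),
                                    ("14 complex", 14, COMPLEX_ALPHABET)]:
        years = worst_case_seconds(length, alphabet, rate) / (365 * 24 * 3600)
        print(f"{label:12s} {bits_of_entropy(length, alphabet):6.1f} bits  "
              f"{years:.3g} years at {rate:.0e} guesses/s")

    # Hashing a constructed password and checking it, as a login routine would.
    salt, digest = hash_password("correct-horse-battery")
    print("correct password accepted:", verify_password("correct-horse-battery", salt, digest))
    print("wrong password rejected:  ", not verify_password("correct-horse-battery1", salt, digest))
```

The ratio between the 14-character complex keyspace and the 8-character complex one is 94^6 (roughly 7 × 10^11), which is why the cited table jumps from minutes to geological time. The stored digest is only useful to an attacker if they can guess the input at high speed, which is exactly what the salt and iteration count are there to slow down.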

Phishing is where an attacker deceives people into revealing information or performing an action. A phishing attempt could be simple (designed to capture the one person in a thousand who doesn’t spot the danger) or complex and very carefully targeted (even security professionals fall for phishing!). One purpose of phishing is to lead people to fake login pages that harvest their passwords.

Keyloggers come in many forms and have legitimate uses. Still, in this context, an attacker might use malware to read and store all the keystrokes on a computer, capturing passwords and sensitive information.

Passwords gained from phishing, keyloggers, and breaches all tend to find their way into large password lists, which are used either to speed up brute-force attacks (dictionary attacks) or to speed up the breaking of password hashes.

A compromised password is likely to be used in further attacks; if associated with an identity (an email, for example), any related accounts could be in danger if they use the same or similar passwords.

A good defence against compromised passwords is to use a new password for every account. It will not save the breached account, but it will protect your other accounts.

Enforcing a password policy across every account a user needs for their daily job is almost impossible. It is also difficult for users to remember multiple 14-character complex passwords. Users may resort to bad practices that breach policy, like reusing passwords, writing passwords down next to workstations, or saving them in documents.

There are lots of ways to help users and defend against bad practices:

  • Help users by using single sign-on (SSO) services with every account that supports them, and password managers for everything else. These will help users have different and complex passwords.*
  • Consider scrapping regular password updates; they encourage enumeration (adding a number to the previous password), which is almost as bad as reusing the same password, as many dictionary attacks will enumerate previously breached passwords. Save password resets for when passwords are compromised or forgotten.
  • When single sign-on and password managers are unavailable, one option is to advise users to use the three random words technique: build a password from three random words, adding symbols and numbers in a way that is easy to remember. This middle ground generates long, complex, and easy-to-remember passwords that protect against basic brute-force attacks, but it could speed up specialised dictionary attacks.

*There is a danger here that these systems, if compromised, can result in multiple account compromises. Most single sign-on services and password managers have extra layers of security built in because of this. Still, users should ensure they use a strong password for the master account when using single sign-on and password managers.

Takeaways


Individuals and organisations can enhance their cybersecurity by following these best practices for passwords and password policies:

  • Use single sign-on first and foremost
  • Create long, complex passwords (14 characters with symbols, numbers, and upper and lower case); store them in a password manager
  • Use the three-word technique when no password manager is available, and you believe you may forget the password
  • Always use a new password with every account
  • Changing passwords should be reserved for compromised or forgotten passwords

In addition to the above, the following best practices can complement strong passwords:

  • Enable multi-factor authentication where you can
  • Regularly check the current password advice as it changes over time
  • Regular security reviews or audits
  • Education and awareness training: understanding why something is a good idea means people are more likely to comply
  • Tailor your policies to your organisation. The above is good general advice, but something more specific might suit your organisation better

Further up-to-date advice can be found at: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach.

Each year on the first Thursday in May, World Password Day promotes better password habits and provides a timely reminder to evaluate our cybersecurity. If you need any advice, please get in touch. If you are a Millennium+ customer, hours can be used to access our Cybersecurity expertise.

Find out more

Building Cyber Resilience for 2023 and beyond

November 2022


A guide for business leaders

  • Cyber resilience defined
  • The current threat landscape
  • Barriers to resilience
  • Building resilience: steps to take

Read the white paper

There was a time when cyber was seen almost exclusively as an IT concern. These days, cyber security and risk management need to be viewed as a board-level issue, directly impacting finance, compliance, operations, customer relations – and indeed, every corner of the business.

The cyber security basics – measures such as systems protection, security infrastructure, user controls and safe data handling – are as crucial as ever. And as threat actors and their methods evolve, there will always be the need to ensure your cyber security toolkit is fit for purpose.

But alongside cyber security, it is also vital to focus on cyber resilience. This is the realisation that – try as you might – not every threat can be stopped and not every risk can be entirely mitigated. Resilience describes your ability to anticipate, prepare for, withstand, respond to and recover from whatever may be around the corner.

Read on to have a closer look at the need for resilience in the context of the current threat landscape, the barriers to it, and the steps required to build it.
