Protect, prepare and mitigate

Adapting to life in the coronavirus pandemic, means an increasing reliance on digital technology to enable both our work and social lives. That opens doors for cyber-criminals and they’re on the hunt for high value targets. Europol report a rise in criminals using the crisis to distribute malware and the organisation anticipates “an increasing number of attack vectors as a greater number of employers institute telework and allow connections to their organisations’ systems,”¹ Ensuring your cybersecurity policies remain robust enough to meet the challenges of the new ways of working is a business necessity.

“We’re all facing new challenges and for those of us in the banking and fiduciary sector, handling large sums of money, understanding the nature of the threat and how to deal with it is essential,” says Adele Bohlen, Head of Fiduciary Business, Barclays. “Whilst many of you will have well-established continuity plans, this situation falls outside even the most robust plans.”

Understanding the enhanced risk

It’s a distinction that Matt Charrett, Head of Cash & Liquidity Specialists, Barclays, thinks is key to understanding the enhanced level of risk fiduciaries are facing. “This is very much a contingent environment,” he says.

“Fiduciaries may not be moving to their disaster recovery sites; they’re having to move to their second or even third option, which is working from home, and they probably may not have planned for that in their disaster recovery process. That can create a lag in their ability to replicate the capability and controls of systems they use in their normal working environment – and that’s where we see enhanced business risk.”

Cybercriminals have been quick to exploit these vulnerabilities, says Phil Hancock, Barclays Fraud Team. “We’ve already seen various scams and cyber threats using COVID19 as a lure to encourage people to click on links that then install malware or spyware.” And, although these may be connected to a person’s personal account or device, the shift in the way we’re now working and the speed with which this has occurred, is enhancing the risk to business.

“Most fiduciaries will have invested in strong security systems and gateways to protect those systems. However, people working from home may be accessing those systems from their own devices. Spyware installed on a personal device, for example, can record keystrokes, which can then be used to compromise a secure location when the user remotely accesses it,” says Hancock.

Identifying the threat

Hardware issues aside, Hancock says that the biggest cyber threat currently is business email compromise, where an email account is hacked, and payment details altered. “Increased reliance on email, with a reduction in personal interaction, is behind this growth. Picking up the phone to check an instruction might not be as easy – either because calls aren’t being diverted, you’re not sure whether someone’s available, or you might even be reluctant to use your home phone.”

Fiduciaries can make an especially tempting target for this type of cyber attack. Firstly, they have a large network of clients, many operating multiple accounts, and secondly, the payment instruction is a step removed from the banking industry’s rigorous processes.

“What we’re actually seeing is that attacks are occurring not on the fiduciary itself, but on its clients and their suppliers,” says Hancock. “So typically, your client receives an email payment instruction from a supplier who has been compromised. The most successful scams now are where genuine email invoices/requests are intercepted and amended rather than new emails created. This immediately provides false comfort as you, or your clients may be expecting the invoice.

“With your client instructing you to pay it, you then instruct the bank. Even if the bank follows its procedures to verify that instruction from you, it will check out. What we need fiduciaries to do is verify the instruction by following a similar call back process with their client to check the original payment instruction (amount and beneficiary) was genuine, not just that a payment request was sent.”

How to reduce your risk

In fact, using the bank’s experience of managing the threat and applying it to your own client interactions is one of the key ways of stopping this type of cyber attack, says Charrett: “Aligning your payment controls with the bank’s controls by checking any payment requests against your own client records and verifying them with your agreed client contacts using agreed contact details is crucial.”

However, with the unique challenges presented by COVID-19 leading to minimal staffing levels and increased absence rates for many businesses, maintaining these payment controls is also important.

“Ensuring your online banking systems are up to date and that mandates have been reviewed and, if necessary, updated, so that we can verify instructions with the right people, is something we communicated very quickly,” says Hancock. “Having the same conversations with your own clients can help your business and theirs function as safely and smoothly as possible.”

Protecting yourself and your clients

So, what other ways can fiduciaries protect themselves and their clients from the growing cyber risk?

“The first and obvious way is to refresh and update staff on your homeworking and cyber security policies,” says Hancock. “We’re providing support for our clients to do that either through video-conferencing, webinars, or sending out literature. The next thing is to ensure you have a call back process in place, make sure it’s being followed and review whether that needs to be amended or updated.

“Being aware of the enhanced threat, you might also want to reassess thresholds for verification. The new confirmation of payee regulation launching this year will also help to firm up processes. From a banking perspective, we’re continually monitoring the threat and enhancing our systems to meet the changing nature of cybercrime, so, for example, we’re not just looking at individual payments or values, we’re also considering that as part of a pattern, making it easier to spot any divergence.”

“It’s about us all being extra vigilant,” says Charrett. “That may mean introducing extra controls or an extra layer of authorisation. Although it may slow things down, it could also mitigate your own and your clients’ risk.”

In response to the increased threat from cyber criminals exploiting the coronavirus crisis and the need for people to work from home, the National Cyber Security Centre published updated guidance on homeworking and managing the cyber challenge this presents. This includes:

• Setting up strong passwords for user accounts and using two-factor authentication if possible.
• Reviews of popular Software as a Service (SaaS) applications that you might be considering, such as Office 365 and Mailchimp.
• Ensure encryption is turned on and configured and that devices encrypt data at rest.
• Install mobile device management software so that data can be backed up, locked or erased remotely if necessary.
• Use a VPN and ensure it is adequate for an increased number of users.
• Consider disabling removable media such as USB drives.
• Review and update your ‘bring your own device’ policy, for example, creating minimum hardware and software requirements, and requiring strong multi-factor user authentication².

Managing cyber-security

Although the current rise in cyber criminal activity is exploiting circumstances beyond our control, managing today’s risks could lead to opportunities for better business in the future. Better ways of managing cyber-security can also provide multiple other benefits for businesses,  and include: removing a degree of human error through increased automation of processes and  systems making it easier to spot suspicious activity; greater use of VPN technology to create more secure system access and host to host connections providing direct communications.

“We all have a chance to reflect on how we can be smarter, more efficient, increase control and mitigate risk to enhance our operations and do things better in the future,” says Charrett. “Taking the experiences of different businesses across different sectors can help us learn what works in these situations. “In this way, we can reduce our risk of becoming a victim of cybercrime and turn it into an opportunity, ensuring something positive comes out of these dark times.”

Our experts are on hand to support your cyber-training needs through online seminars across a range of platforms. You can also find more information and guides covering cyber-security on our Fraud awareness pages. Speak to your relationship team today to find out more.