News in the Channel - issue #18

CYBERSECURITY FOR LEGAL AND FINANCIAL BUSINESSES


one of the best resources to keep ahead of cybercriminals. “This is because ethical hackers find the most elusive and technically sophisticated vulnerabilities, which often fall beyond the scope of automated defences to ensure the safety of customer data,” he says. “Hackers’ skill sets diverge markedly from that of a typical IT professional. They have the distinct advantage of a hacker’s mindset – the ability to think outside the box and look at systems the same way a malicious outsider would. This enables them to spot vulnerabilities that typical cybersecurity professionals may overlook.

“Most financial services industry leaders already working with ethical hackers agree that an internal security team can never replicate the creativity and man-hours being put in by ethical hackers on a bug bounty platform, who specialise in all kinds of areas.”

Hugh Simpson, EMEA marketing development manager at Zyxel Networks, says that the cybersecurity needs of financial and legal professionals don’t differ much from those of other organisations. “Most companies in these sectors are small or mid-sized firms with no real in-house IT expertise and limited budgets, so what these businesses need is enterprise level protection at SMB prices – and that’s exactly what we deliver with our unified security gateway family and through our Nebula cloud management.”

Email concerns

One of the most important areas of security concern for legal and financial companies is email. As Rachel White, MSP manager at VIPRE Security Group, notes, email remains the preferred vehicle of cybercriminals. “An analysis of over seven billion emails processed by VIPRE worldwide during 2023 highlighted that financial services (22%) were the most targeted sector by phishing and malspam emails,” she says. “Across sectors, email-delivered malware remains a favourite, increasing by 276% between January and December of last year. Additionally, attachments are growing as a threat. For instance, in Q4 of 2023, EML attachments increased 10-fold. Criminals are sending malicious payloads via EML files because they get overlooked when attached to the actual phishing email, which comes out clean. All these findings are potentially reflective of the financial services and legal sectors.”

To combat this, for legal and financial firms of all sizes – but especially smaller ones – layering on advanced email security and email threat protection is a necessity, Rachel adds. “Most professional services organisations tend to rely on Microsoft for email security, but in the current environment, the standard security safeguards offered by Microsoft are inadequate,” she says. “This is not to say that Microsoft isn’t focused on security – it’s just that ‘email security’, which is now a specialised area of security, is only a component of Microsoft’s overall security.

“For example, unless a firm is purchasing Microsoft’s top-tier security package – which is expensive – the lower-tier licenses lack critical protections against impersonation and zero-day threats. Criminals exploit these gaps, knowing that firms prioritise cost savings through license selection.

“Also, Microsoft uses third-party security intelligence feeds, which means that by nature, they are static. So, a delay between the company’s intelligence feed and security on the platform being updated could mean that an unattended threat (even for a day or two) could cause a successful zero-day attack. Firms need to adopt techniques like Link Isolation, which renders malicious URLs in emails and their associated web pages harmless. Similarly, to check for malicious attachments, sandboxing capability is a must, where the suspicious file is isolated in a ‘sandbox’ – i.e., a virtual machine in the cloud.

“Similarly, for time-poor lawyers and finance professionals, layering on additional safeguards that prevent misaddressed emails is valuable, especially given that these individuals frequently share and exchange highly confidential and sensitive information.

“Specialist email security solutions package all these capabilities to provide tailored and comprehensive measures. Firms in highly targeted sectors, such as legal and financial services, need to allocate budgets to robust and layered email security measures. Neglecting email security is a high-risk approach. If there’s a budget left over, it should go into training staff to be the organisation’s human firewall!”

Hybrid influence

Another potential security risk is posed by hybrid working, although as Fiona notes, legal and financial businesses have generally been conservative when it comes to remote working due to the sensitive nature of their data. “Extending the security perimeter beyond the traditional office environment will expand organisations’ attack surface, especially when

Andrew Pattison head of GRC consultancy Europe

itgovernance.eu

Hugh Simpson marketing development manager

zyxel.com

Rachel White MSP manager

vipre.com


www.newsinthechannel.co.uk
