A recent report from RPC has revealed that cybersecurity breaches in UK pension schemes increased by 4,000% from 2021/22 to 2022/23. Understandably, the announcement has raised serious concerns about the efficacy of financial service organization’s cybersecurity programmes. Although the reasons for cyberattacks on financial services are fairly obvious – potential financial gains, troves of sensitive data, and valuable supply chains, to name a few – the dramatic increase in attacks represents a general failure on the part of service providers to protect client data. In this article, we will explore the possible reasons for the increase in breaches and what organizations can do to protect themselves.
Explaining the Surge
The first and perhaps most significant factor contributing to the surge of pension scheme security breaches is the Capita breach, which occurred last year. Capita is an international professional services provider that boasts some of the world’s largest multinationals as its clients. In March 2023, the organization suffered a catastrophic data breach. Soon after, Capita admitted that the breach had exposed client data.
Although the Capita breach occurred towards the end of the time frame relevant to the RPC report, it likely was a major contributor to the surge. When a large organization suffers a breach, many of the organization’s customers will be affected. This is known as a supply chain attack. In this case, many of the pension schemes that recorded data breaches in 2022/2023 were likely breached because of the initial attack on Capita.
But we cannot place the blame entirely on Capita. These breaches could have been prevented if the affected pension scheme providers had basic cybersecurity measures in place. The data stolen from Capita is unlikely to have been enough to facilitate a breach on other organizations. So, it’s worth looking at what financial organizations, particularly pension scheme providers, must do to protect themselves from future attacks.
Combatting Attacks
Pension scheme providers, and all financial institutions for that matter, should consider the following best practices for protecting themselves from cybercrime.
- Robust Access Control:
- Implement strong access controls to ensure that only authorized personnel have access to sensitive financial data.
- Enforce least privilege principles, granting individuals access only to the data and systems necessary for their roles.
- Multi-Factor Authentication (MFA):
- Require MFA for accessing critical systems and data, adding an extra layer of security beyond passwords.
- Regular Patch Management:
- Keep all software, operating systems, and applications up-to-date with security patches and updates to address vulnerabilities.
- Firewalls and Intrusion Detection/Prevention Systems:
- Employ firewalls to control incoming and outgoing network traffic.
- Use intrusion detection and prevention systems to monitor for and block suspicious activities.
- Data Encryption:
- Encrypt sensitive data both in transit (e.g., during transmission over networks) and at rest (e.g., when stored on servers or devices).
- Employee Training and Awareness:
- Train employees to recognize and respond to cybersecurity threats, including phishing, social engineering, and malware.
- Promote a culture of cybersecurity awareness within the organization.
- Incident Response Plan:
- Develop a comprehensive incident response plan that outlines procedures for detecting, responding to, and recovering from cybersecurity incidents.
- Test and update the plan regularly.
- Regular Security Audits and Assessments:
- Conduct regular cybersecurity assessments and penetration testing to identify vulnerabilities and weaknesses in your systems.
- Perform security audits to ensure compliance with regulations and best practices.
- Vendor Risk Management:
- Assess the cybersecurity practices of third-party vendors and partners who have access to your data or systems.
- Ensure that they meet your organization's security standards.
- Data Backup and Recovery:
- Implement automated and secure data backup solutions to ensure data integrity and availability in case of data loss or ransomware attacks.
- Network Segmentation:
- Segment your network to isolate critical systems and data from less sensitive areas, reducing the potential impact of a breach.
- Security Monitoring and Logging:
- Establish continuous security monitoring to detect and respond to suspicious activities.
- Maintain detailed logs of network and system activities for forensic analysis.
- Regulatory Compliance:
- Ensure compliance with relevant financial industry regulations and standards, such as PCI DSS, HIPAA, or GDPR, depending on your jurisdiction and scope of operations.
- Cyber Insurance:
- Consider obtaining cyber insurance to mitigate financial losses in case of a data breach or cyber incident.
- Physical Security:
- Secure physical access to data centers, server rooms, and other critical infrastructure to prevent unauthorized access.
- Employee Offboarding Process:
- Develop a robust offboarding process to ensure that access rights are promptly revoked when employees leave the organization.
- Security Policies and Procedures:
- Establish and enforce comprehensive cybersecurity policies and procedures that address all aspects of security, including data handling, incident reporting, and remote work.
- Business Continuity and Disaster Recovery:
- Develop and test business continuity and disaster recovery plans to ensure operations can continue in the event of a cyber incident or natural disaster.
- Security Governance:
- Appoint a Chief Information Security Officer (CISO) or equivalent role responsible for overseeing and managing the organization's cybersecurity strategy.
However, it should be noted that each organization’s security needs are unique, and there is no one catch-all solution to cybersecurity. It’s incredibly important that each organization addresses its specific needs and understands its environment.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
