“The management of cyber risk in banks is much more than an IT [information technology] discussion. We know from experience that the five most efficient cyber defenders are basic to any risk management solution. They are anticipation, education, detection, reaction and resilience,” Mr Cassar said.

Following Mr Cassar’s opening speech, Daniela Bagnaschi, Head of Data Management and Business Intelligence at the Malta Financial Services Authority (MFSA), drew ties between the MFSA’s vision and plans for risk mitigation in the cyberspace and elaborated on the crucial aspects of the triad comprising People, Process and Technology, as well as its impact on the cyber resilience framework of regulated entities.

“This event was an important one as it emphasised the need for wider stakeholder involvement in raising awareness on the various cyber risks in the banking industry, but also the financial services sector in general. Likewise, the involvement of all stakeholders is required in the mitigation of these ever-growing and evolving risks,” said Karol Gabarretta, Secretary-General of the MBA.

The association tagged the event as “successful” and one that “achieved its aims”. More than 100 participants attended the conference.

The post MBA calls for increased cybercrime awareness first appeared on The Malta Business Weekly.

The MFSA says that respondents received the proposed guidance notes on cybersecurity well, and they tagged the document as a “very thorough” that gives a clear overview of all cybersecurity practices.

Moreover, proactive monitoring ought to be more emphasised as it represents the pivotal element required to ensure that systems and networks are safeguarded in real-time, through intrusion detection measures that prompt alerts of any cyber threats, as the press release says. 

In addition, respondents emphasised that a Data Loss Prevention framework would be beneficial in tracking any movement of confidential data through and out of the organisation, in order to detect and flag any unauthorised disclosure of such data.

It was also underscored how the effectiveness of a privileged access management policy could work against critical lockout scenarios, according to the press statement.

The document outlining the guidance notes as published by the MFSA is available for public view on the authority’s website.

The post MFSA publishes new guidance notes on cybersecurity first appeared on The Malta Business Weekly.

The two most common hacking approaches a company or an individual can come across are phishing or whaling, according to the two experts.

Phishing most regularly targets individuals. Although it appears to be an email sent by a well-known service they use and asks for log-in credentials on a replica screen, in reality, the inputted data is transferred to hackers. Sometimes, these emails also include familiar attachments, that can penetrate a computer’s system upon opening.

On the other hand, whaling usually targets a small group of individuals – e.g. employees of a specific company – disguising to have been sent by either the CEO or a colleague, asking staff to transfer money or provide bank credentials. These eventually end up with hackers, who can get into the system of companies storing confidential data or compromise funds.

Human error

Citing IBM’s 2018 Cyber Threat Intelligence Index report, the experts say that 95% of the security incidents occur due to human error. Phishing emails that use social engineering – psychological manipulation of people – for deceiving the addressee can have a success rate as high as 70% for acquiring sensitive data, Mr Abela says.

Mentioning Kevin Mitnick’s experience – a reformed ethical hacker who decided to use his skills for moral actions after his prison sentence due to being caught for hacking –, the two experts say that phishing emails work because people can be easily be tricked due to their helpful nature and high levels of trust to avoid conflict.

Education and raising awareness

For keeping a firm stance in the storm of hacker attempts, a company should actively discuss the threats with its employees, the two experts agree. They also emphasise the importance of progressive education of the staff, as hacking attempts are getting more sophisticated by the day, and can hit a company or individual at any time.

As such, a company should develop a coherent cyber resilience strategy, be aware of the critical information assets that exist in the organisation, educate the workforce and partner network, embed good practices in the organisation, understand the staff’s knowledge and communicate more effectively, as well as understand how to respond to and recover from an attack.

Steps to be made include installing and maintaining secure firewalls and deploying up-to-date virus engines, password protecting internal Wi-Fi networks, having an incident management plan for a worst-case scenario, considering cyber insurance, checking physical site controls and paying ethical hackers to try and penetrate corporate systems, to see if any loopholes show up.

RSM conducted phishing tests to see how vulnerable employees are. They sent out more than 230 spoof emails in the health sector, asking employees to validate staff login. Some 37 employees clicked the link within minutes, and altogether 81 clicked by the end of the day, according to data published during the webinar.

Conducting a similar test with a financial services client, out of 142 emails, 44 users clicked the phishing link. Some 30% were successfully phished, 5% opened the email and ignored the link, while 65% did not respond to the email, the two experts say.

Webinar by RSM

During the public webinar hosted by RSM on March 12, Dr John Abela, Co-Founder, CTO and COO of Ascent Software joined RSM’s Sheila Pancholi, Partner and UK lead for the Technology Risk Assurance practice to discuss the various phishing tactics hackers use and ways for businesses to fortify security measures, implement processes and take practical steps to mitigate risk and minimise the impact of these kinds of cyber attacks.

“Phishing has been in existence almost as long as the email function itself. An unskilled hacker can easily trick you into submitting your credentials to a malicious site through an email that appears to be from a reputable source,” the description of the webinar says.

“But as technology advances, so do the skills of hackers. No longer satisfied with preying on small fish, hackers are now engaging in sophisticated tactics targeting businesses and discovering vulnerabilities. This is becoming especially common amongst the C-suite in attacks known as ‘spear-phishing’ and ‘whaling’. The reason is simple; CEOs and CFOs who may fall foul of these attacks offer top-down access to all business operations,” RSM adds in the webinar description.

Independent accounting and advisory firm RSM Malta is a member of the RSM network. The RSM network is administered by RSM International Limited, a company registered in England and Wales.

The post Businesses need to educate staff to counter phishing hack attacks first appeared on The Malta Business Weekly.