Bad practice for financial organisations that will challenge cyber resilience in 2025

Technically, financial organisations could be well positioned in the coming year to survive attacks such as ransomware, if they weren’t held back by historical silos and blinkered thinking. Both continue to prevent security and operations teams from working together more closely, and that costs time when responding to the biggest crisis of all: a destructive cyberattack.

First, the good news. The security level of backup infrastructure has improved significantly in the past twelve months. Important features such as immutable storage are now table stakes, and it looks hopeful that ideas such as applying a zero-trust model to protect backup infrastructure – which is targeted both by nation states in wider attacks and by ransomware gangs – are coming on stream, too.

The bad news: most companies still aren’t building the right processes, integrations and shared responsibility models to handle such a devastating cyberattack in a way that minimises impact on the organisation. This is why successful ransomware attacks will continue to have a significant impact despite the target organisations having invested heavily in the latest-and-greatest cybersecurity and IT tooling. The causes are as simple as they are revealing about our approach to preparing, or should I say failing to prepare, for a destructive cyberattack.

Financial organisations will continue to see recovery after a cyber incident as a Business Continuity/Disaster Recovery (BC/DR) issue: Many financial organisations treat the unavailability of systems due to a cyberattack as a business continuity and disaster recovery problem, and approach the IT team responsible for those traditional scenarios in isolation from the security teams. In those traditional scenarios, root causes can almost be counted on one hand and are quickly determined: flood, fire, earthquake, misconfiguration, power loss or equipment failure. Resolution is as easy as an orchestrated mass restore. A cyber adversary, by contrast, can use any of hundreds of attack techniques to get into our networks, escalate privileges, evade cybersecurity controls, persist, exfiltrate data and wipe or encrypt our data – and they constantly evolve those techniques. Actioning a mass recovery without first discovering how the incident manifested itself and how to mitigate the threat – patching the vulnerabilities they exploited, bolstering controls to prevent a repeat, removing the phishing emails from the recovered mailboxes, and removing the malicious accounts and any other persistence mechanism – just lines the company up for a future disaster rather than building in resilience to future attacks. There are multiple instances where organisations have gone through an entire recovery process dozens of times, only to be encrypted again within minutes of finishing the recovery.

A lot of time will continue to be wasted through a lack of collaboration: If operations teams continue to view security and IT separately, they will lose time and sleep during major IT crises, with every day of total failure costing both revenue and reputation and so increasing the pressure to act. Operations teams should instead work closely with the security teams and support the critical response process. Meanwhile, Security Operations’ focus should be on discovering how the attack manifested itself and on telling the IT operations team how to securely rebuild or recover and clean systems. The communications and collaboration capabilities of both teams need to be restored rapidly to a trusted state after an incident, and the platforms needed for response and recovery need to be integrated seamlessly.

Desktop ransomware simulations will continue to underestimate impacts: The reality of destructive cyberattacks is that many of the systems needed to communicate, collaborate, respond and recover may themselves be impacted by the incident. I’ve been in incidents where door access controls, voice-over-IP, email, CMDB, systems containing contact lists & workflows and security tools have all been impacted. We couldn’t get in or out of the building or even between rooms; calls from the press went unanswered, while the organisation couldn’t ring law enforcement, our insurance company or the regulators. It took days to locate trusted install media and configuration to rebuild services that aren’t the production systems delivering products and services. This is not acceptable, given that they are the systems that enable us to manage the investigation, mitigation and recovery and to comply with regulatory requirements. Our business impact analysis and ransomware simulations need to include provisions for these systems. Organisations should establish an isolated and protected “Jump Bag” that contains all the important resources needed to manage the incident. From there, the teams can work together in an isolated cleanroom to restore systems, find attack artefacts, close vulnerabilities, track down break-in routes and use that knowledge to harden the perimeter defence. This response process takes longer, but it saves the company a lot of time overall because critical systems will ultimately be back online faster and more securely.

Immature financial organisations will leave a valuable security detection and response resource untapped: Organisations that look at backup and recovery purely from a business continuity and disaster recovery perspective fail to recognise that a lake of information with cybersecurity context already sits inside the organisation: snapshots of systems across the entire incident timeline. AI-driven anomaly detection over those snapshots can provide high-fidelity, high-confidence signals of ransomware and wiper attacks, as well as of malicious insiders. Threat hunting against snapshots is completely passive and can’t be evaded by the adversary. Fast forensic examination of filesystems and retrieval of artefacts continue to work even after the organisation has disconnected systems and networks for containment. Organisations can establish their regulatory obligations by classifying the backup snapshots of the impacted data stores. All of this can be integrated with the organisation’s existing SIEM and SOAR technology. The CIO has already populated this incredible resource for the security team; they just need to tap into it.
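To make the idea of passive threat hunting over backup snapshots concrete, here is an added example (my own illustration, not code from the article or from any backup vendor). It compares the file manifests of two successive snapshots of the same volume, flags files whose contents were replaced or renamed into high-entropy blobs, and emits a SIEM-style JSON event when the proportion of affected files crosses a threshold. The snapshot contents, paths, thresholds and the `siem_event` format are all constructed assumptions; a real deployment would read manifests from mounted backup images and tune the thresholds to its own data.

```python
import hashlib
import json
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input); near 8.0 for encrypted output."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def manifest(files: dict) -> dict:
    """Build a per-file manifest (hash, entropy, size) from path -> bytes."""
    return {
        path: {"sha256": hashlib.sha256(b).hexdigest(), "entropy": shannon_entropy(b), "size": len(b)}
        for path, b in files.items()
    }


def hunt(before: dict, after: dict, entropy_threshold: float = 7.0, ratio_threshold: float = 0.5) -> dict:
    """Passive hunt: diff two snapshot manifests for signs of mass encryption.

    A file counts as suspicious if it was rewritten in place as high-entropy data,
    or vanished and a high-entropy successor with an appended extension appeared.
    Files that were already high-entropy and unchanged (archives, media) do not count.
    """
    rewritten, renamed, missing = [], [], []
    for path, meta in before.items():
        if path in after:
            new = after[path]
            if new["sha256"] != meta["sha256"] and new["entropy"] >= entropy_threshold:
                rewritten.append(path)
            continue
        successors = [q for q in after if q.startswith(path) and q not in before]
        if successors and all(after[q]["entropy"] >= entropy_threshold for q in successors):
            renamed.append((path, successors[0]))
        else:
            missing.append(path)
    # Brand-new files (e.g. a ransom note) that do not descend from any earlier path.
    new_files = sorted(q for q in after if q not in before and not any(q.startswith(p) for p in before))
    ratio = (len(rewritten) + len(renamed)) / len(before) if before else 0.0
    verdict = "mass_encryption_suspected" if ratio >= ratio_threshold else "no_mass_encryption"
    return {
        "verdict": verdict,
        "confidence": ratio,
        "rewritten": rewritten,
        "renamed": renamed,
        "missing": missing,
        "new_files": new_files,
    }


def siem_event(finding: dict, snapshot_id: str) -> str:
    """Serialise a finding as a JSON event for SIEM/SOAR ingestion (constructed schema)."""
    severity = "high" if finding["verdict"] == "mass_encryption_suspected" else "info"
    return json.dumps({"source": "backup-snapshot-hunt", "snapshot_id": snapshot_id, "severity": severity, **finding})


# ---- Constructed sample snapshots (not real data) -------------------------------
_PLAINTEXT = b"Quarterly ledger: account 0001 debit 12.50 credit 0.00\n" * 20  # low entropy


def _pseudo_cipher(seed: str, n: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


SNAPSHOT_T0 = {
    "/srv/finance/ledger.xlsx": _PLAINTEXT,
    "/srv/finance/q3.docx": _PLAINTEXT,
    "/srv/finance/notes.txt": _PLAINTEXT,
    "/srv/finance/archive.zip": _pseudo_cipher("zip"),  # legitimately high entropy
}
# Normal business change: one spreadsheet edited, still plaintext.
SNAPSHOT_T1_BENIGN = dict(SNAPSHOT_T0, **{
    "/srv/finance/ledger.xlsx": _PLAINTEXT + b"account 0002 debit 3.00 credit 0.00\n",
})
# Ransomware-like change: documents renamed to .locked and replaced by ciphertext, note dropped.
SNAPSHOT_T1_ATTACK = {
    "/srv/finance/ledger.xlsx.locked": _pseudo_cipher("a"),
    "/srv/finance/q3.docx.locked": _pseudo_cipher("b"),
    "/srv/finance/notes.txt.locked": _pseudo_cipher("c"),
    "/srv/finance/archive.zip": SNAPSHOT_T0["/srv/finance/archive.zip"],
    "/srv/finance/README_RESTORE.txt": b"Your files are encrypted. Contact us to restore.\n",
}

if __name__ == "__main__":
    base = manifest(SNAPSHOT_T0)
    print(siem_event(hunt(base, manifest(SNAPSHOT_T1_BENIGN)), "snap-t1-benign"))
    print(siem_event(hunt(base, manifest(SNAPSHOT_T1_ATTACK)), "snap-t1-attack"))
```

Because the hunt reads only the snapshots, it needs no agent on the compromised hosts and keeps working after the network has been cut for containment, which is exactly the property the paragraph above describes. The benign snapshot produces a `no_mass_encryption` event with zero confidence, while the attack snapshot flags three of four files as renamed into ciphertext and surfaces the ransom note as a new artefact.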

By not carrying these bad practices into 2025, financial organisations will save a lot of time, stress and money, and will find it easier to comply with new regulations such as DORA and NIS2.