Research by Guernsey cyber risk experts has found that a third of financial services companies’ websites have ‘critical vulnerabilities’
A review of the websites of 69 financial services companies in Guernsey has found the vast majority are not secure. Global cyber expert Astaara, which conducted its research earlier this month, found 32% of websites had critical and 96% had moderate or critical vulnerabilities. Only 3 of the 69 websites reviewed were found to be properly built.
“This research produced some quite startling results,” said Robert Dorey, CEO of Astaara. “Almost a third of the sample tested had known unprotected weaknesses that rendered the site insecure, posing a risk to visitors or the hosting environment. Even those with moderate vulnerabilities are at risk of data corruption, or – at best – poor performance.”
The research took place as the deadline looms for Guernsey financial services companies to comply with new cyber security rules.
Astaara subjected all 69 websites to a battery of 37 standard tests designed to identify, categorise and score vulnerabilities in each website's design, build and security.
“These websites are their online shop window, and poorly secured websites can cause problems for visitors and potential clients, and damage firms’ reputations. It is your brand that suffers. Don’t let a poorly secured website tarnish your reputation and the trust your clients place in you.”
The findings come less than two weeks before the GFSC's Cyber Security Rules 2021 come into effect on 9th August. Under the rules, financial services companies in Guernsey must prove that they have adopted – and are able to evidence – measures in five key areas:
- Identify: the risks, vulnerabilities, critical systems and key people
- Protect: adopt measures, improve processes and train people
- Detect: deploy processes and technology rapidly to detect anomalies
- Respond: to have the plans, tools and techniques to respond rapidly
- Recover: to be able to return to normal operations rapidly after a breach
Robert said that it is a common misconception that cyber risk is mitigated by outsourcing. “We recognise that many companies outsource their web hosting to third parties, and that the scores may not represent how well they secure their core systems,” said Mr Dorey.
“In many cases, third party website hosting makes good economic and business sense, but outsourcing does not eliminate reputational risk. If your website crashes, goes slow, is defaced or is hijacked by criminals who then attack your clients or your potential clients – these do not have to be expensive fixes.”
“Our Virtual Cyber Information Security Officer (VCISO) service will take a huge amount of pressure off boards, ensuring that they are compliant at a fraction of the cost of employing an additional FTE. We can help them prepare for board meetings pertinent to cyber, help them identify compliance gaps, and generate the evidence to prove compliance with the new rules,” said Robert.