How the finance sector can ensure one organisation does not put their entire ecosystem at risk

By Prashant Haldankar

Many of the high-profile data breaches and attacks of the last 18 months have been caused by third parties. Despite capturing the attention of the nation, more attacks continue to make headlines. This includes the recent MOVEit hack, which involved a seemingly simple file transfer application impacting the data of over 200 companies around the world.

The Australian Prudential Regulation Authority (APRA) recently revealed that even sectors as well-resourced as the financial services industry have significant gaps in their cyber security approaches. It called out insufficient third-party information security capabilities as an area of concern. Too often, employees are still opting for the comparatively minor efficiency gains of unapproved third-party tools over following best practice.

As this trend continues, businesses need to ask themselves how accessible and actionable they are making these best practices within their organisations. Particularly in the finance sector, where regulations and red tape can be extensive, employees need to feel empowered and not hindered by secure processes.

Furthermore, executives and Board members need to recognise that these types of attacks and risks are not going to disappear on their own. In fact, due to the evolution of Shadow IT, these risks will grow exponentially if not approached proactively with preventative measures.

Removing the weakest link before it infects your business

The constant and extensive efforts that bad actors undertake to try and access or manipulate organisations’ information mean they will continue to look for gaps in a security approach until they are successful. For financial institutions, the incentive to keep trying is even higher due to the value and sensitivity of their data.

For many companies, the weakest link will not necessarily exist within their own technology systems, but most likely will be a third-party tool or technology used by their staff. It may be a video editing tool, cloud-based file-sharing app, content management system that helps to easily send mass personalised emails, or an accounting tool that is easier to use than a pre-existing legacy system.

While some employees may knowingly overlook internal processes and rules to adopt one of these tools to make their jobs easier, many will not realise they have done the wrong thing, because using third-party tools without due diligence may be a normal part of the company culture. Either way, businesses can remove significant risk by stopping or monitoring the use of these tools before they access company data.

It should start with a company-wide mindset shift to seeing every tool, technology, process, and person as potentially introducing risk until proven otherwise. Based on this mindset, financial institutions can then design processes that ensure every risk introduced to the business via third parties is appropriately logged, analysed, and managed.

In most cases, this does not need to be a highly technical process and involves simple measures like equipping cyber security champions within each department with the right questions before escalating a potential risk to the IT or security teams.

For example, if the marketing team in a bank is experimenting with a new website management tool, it could be the cyber security champion’s role to ask whether the tool has been trialled before, what kind of data is being shared with the tool, and whether it requires two-factor authentication to access. Based on the answers, the cyber security champion can then either make a note of what is being used for future check-ins, or alert a more technical expert to help make an assessment.

Industry regulations are not the whole answer

For heavily regulated industries like the financial services sector, there is often an assumption that following industry standards and regulations will suffice to minimise risk and keep an organisation secure. Unfortunately, industry regulations should be seen as just one part of the cyber security solution, and financial institutions need to take proactive approaches to truly mitigate risk.

For example, AI-based tools are currently being assessed by the federal government to determine whether they need to be regulated. Their ability to access and analyse masses of data in nanoseconds is an exciting technological evolution that can also introduce data risk. In some government agencies, there are now guard rails for using tools like ChatGPT and Bing AI, though anyone working in a highly regulated industry would know that by the time these kinds of guard rails are in place, there is a high likelihood employees have already been using these tools, and consequently introducing risk to the organisation, for some time.

As intriguing as trying a new technology or app can be, financial services businesses need to ensure they and their staff are not being distracted by seemingly quick fixes to tedious parts of their role. Executives and Board members who want to make the most of the latest technologies and unlock their productivity potential need to simultaneously be prepared for the cyber risk these tools could introduce if they are not appropriately assessed in advance.

It is important to treat every tool being trialled today as a potential threat for tomorrow to ensure employees can continue to innovate while your organisation is building cyber resilience.

Prashant Haldankar is Chief Information Security Officer at Sekuro