From NCSC data and the MITRE ATT&CK framework, we know which actors target financial organizations and which tactics, techniques and procedures (TTPs) they commonly use.
We provide support with implementing cloud security in line with the European Banking Forum.
Having taken part in the first wave of TIBER-NL, Secura has a good grasp of TIBER-EU and maps test results onto the MITRE ATT&CK framework to support further blue team training.
Realistically, however, a substantial share of data breaches (about one third) involves internal actors, most often through misconfiguration or error. About two thirds of breaches come from external actors, led by financially motivated organized crime. Most initial entries happen via web application attacks or simple errors in systems (misconfigurations). Preventing an attacker from transferring money from your accounts or stealing your confidential data, and withstanding large-scale DDoS attacks, is key to maintaining customers’ trust. You have to remain at the forefront of security to protect against both inside and outside threats. Key areas to address in the CIS baselines are: 1) security awareness amongst employees (CSC 17), 2) boundary defense (CSC 12) and 3) secure configurations (CSC 5 and CSC 11).
The financial world is regulated through specific laws, regulations and joint organizations. For instance:
All these regulations include security requirements, along with requirements to audit, test and provide proof that risks have been reduced to an acceptable level. In many cases the bar is set high: requirements are extensive and stringent, and there’s no winging it.
From testing physical ATMs to creating money by tweaking exchange rates, from exposing data on all your pension recipients to hacking your mobile app, or from running a TIBER exercise for an insurance company to testing the link between your new cloud solution and the SWIFT network, we would welcome the challenge. We can help you improve the security maturity of your organization and the security of your products and services, and we can help you with a variety of (compliance) testing and auditing. We do this by offering the following services.
Phishing and social engineering are often the initial step in larger cyber-attacks, and proof that even established organizations with a Chief Information Security Officer (CISO) and a Data Protection Officer (DPO) in charge of security have to face the reality that the human factor remains a critical one. Employees have access to sensitive data and exchange important files. Even if they have the knowledge and are aware of security aspects, getting them to behave accordingly requires a comprehensive security awareness and behavior program.
From a process perspective, most financial institutions have processes and controls in place as defined in ISO 27001 or COBIT, alongside best practices from DNB and full integration of security into their CI/CD processes. Assurance over their effectiveness, from GRC levels of organizational control down to the operational control level, requires state-of-the-art audit capabilities combined with in-depth security knowledge, such as Secura offers.
For organizations in the financial sector, security management for vendors and partners is key. This holds for cloud service providers and software providers, but just as much for the cleaning company, for example. When your suppliers take a less rigorous approach to security, this can put you at risk. Security needs to be part of vendor management.
The huge digital footprint of financial organizations requires continuous updating and patching of systems to stay ahead at all times. All sorts of cloud and mobile app solutions are combined to offer ever-better services to customers, but they have to be secure. Not only does each of these systems need to be (pen)tested separately and checked for vulnerabilities; often the true risks hide in the grey areas between the various platforms. Even with reputable SIEM/SOCs in place, these control systems cannot be trusted blindly. Our Red Team thoroughly assesses security in detail (including social engineering), while our training courses help your team learn how to incorporate security independently.
Cybersecurity is more than technology alone. Secura collaborates with partners in compliance and risk management, integrated application security, privacy, IT and internet law, and certification.