GFSC Announce New Cyber Security Rules & Guidance

Nick Toon, Group Professional services director at Sure discusses how the new GFSC regulations illustrate a determination to face cybercrime head-on, the five core security pillars that all businesses should be thinking about and why the Channel Islands are a uniquely safe place with an enviable reputation for data privacy, cyber security, resilience, and business continuity.

The Channel Islands have regulations in place to control investigatory access to data and information, and whilst separation from the EU and UK exists, they are recognised by the European Commission. This enables the free flow of data across the European Economic Area (EEA), and because of this, the islands are a very desirable destination for international organisations to locate their business operations.

Industry leading Cloud and Datacentre solutions offer flexible, scalable and compliant platforms for Enterprises to run and develop innovative products and services. The highest levels of security and connectivity provide direct, high speed, high capacity links to the UK and France, supporting our long-standing reputation as a leading business and financial centre.

But as Cybercrime becomes ever more sophisticated and global costs look set to reach $10.5 trillion by 2025, all economies are in the midst of an ‘arms race’ between criminals, businesses and governments.  

Malicious cyber-attacks are a daily occurrence and whilst everyone takes this seriously, research indicates that 60% of breaches had security safeguards that were not applied.

Against this backdrop, the Guernsey Financial Services Commission (GFSC), after consultation with industry, has issued new cyber security rules and guidance to uphold the international reputation of the Bailiwick as a finance centre of excellence.

The rules and guidance follow a logical, pre-established value-chain of services around the five core security pillars of: Identify, Protect, Detect, Respond and Recover.

Sure’s solutions and partnerships with ‘Gartner Magic Quadrant’ global security providers cover these areas in depth, and we continue to invest in our leading portfolio of services to provide the very highest levels of protection to our customers in the core areas of:

Identify
The logical first step in the process is the identification of risks that exist in your current protection arrangements. Vulnerabilities are both digital and human, and they are constantly changing. Board members of regulated companies with security responsibilities can be held liable if breaches could and should have been stopped. It’s important to accept that you can’t implement full protection without understanding the entire scope of what needs to be protected. We provide a range of vulnerability assessments and penetration testing to determine what you have, and what else you need, to safeguard your organisation.

Protect
Protecting your organisation across all areas of vulnerability with a range of services is essential, and we provide managed and professional services to support your in-house capabilities. Educating employees on best practice behaviour is just as important as the technology that provides intrusion and end-point device identification of malicious activity, along with the automated responses that quarantine and kill an attack stone dead. Stopping in-bound threats is essential, and it’s equally important to ensure valuable and sensitive information doesn’t leak out from your organisation, whether digitally or physically, through unauthorised data downloads and employee theft.

Detect
Detecting malicious activity and taking immediate steps to stop and remove the threat intrinsically links protection and detection. Increasingly organisations are relying on managed detection services by security experts like Sure, where detecting and removing the attack is supported by detailed incident logs and reporting across the protection frontier. Constant scrutiny of all activity across network and systems, with best practice multi-factor authentication of all devices connecting to the network is essential. Forensic surveillance and automated, immediate action to nullify a breach is required. It’s important to appreciate that whilst an organisation may have measures in place to protect itself in 2020, that doesn’t mean it will be secure in 2021. Nothing stands still in the global arms race against an unseen cyber enemy.

Respond
Responding to an incident combines nullifying the attack with a continuing ability to operate in a safe and seamless manner. Secure business continuity with no loss of service, data or information, as the matter is dealt with, is essential. The global expansion of digital services has increased the attack surface area over recent years, and the forensic identification of the incident, it’s origins, causes and consequences remain a vital part of the on-going process. The immediate switching to a replicated and ‘ready to go’ system in a diverse and separate location provides near real-time failover protection, ensuring your data, people and services remain operationally unaffected.

Recover
The business may have continued to operate during and after the incident using business continuity solutions like Recovery-as-a-Service (RaaS), but returning to ‘business as usual’ and dealing with compliance reporting procedures is a key part of recovery. The ability to ‘rewind and reset’ systems to a point just before the incident might have taken place, but an investigation into what happened is essential. The process therefore goes full-circle and reverts back to the identify stage to find out what took place, and whether any additional security measures are needed to mitigate against such an event happening again in the future.

Summary
The vast majority of organisations are working hard to protect business intelligence, integrity, customer information, revenue and reputation.  It’s clear however, that all entities will experience on-going cyber-attacks in one form or another, as we move forward.

Therefore, the issue is not whether an incident will happen, it’s how the organisation deals with the breach when it does occur. Financial organisations, by their very nature, are leading targets for cybercrime, and the sector has invested heavily in protecting itself. The imminent financial regulations and controls will provide organisations with a clear and structured security process to follow, and it will doubtless be expanded to wider industry sectors.

The collaborative approach being taken by the authorities, businesses and technology partners illustrates a determination to face cybercrime head-on. Sure’s security solutions support all the elements of the new regulations, and our Professional Services and Account Management teams are ready to help organisations implement the new procedures.