Sarah delivered a webinar to Practice Managers and Operations Directors who are members of the Master Practitioners Club. The webinar was a discussion about cyber security for the financial services industry and the key threats to businesses. 

About Sarah

Sarah is our Senior Security Consultant and has 25 years in the I.T industry. The last 15 years of her career have been spent specialising in the information and cyber security space. Sarah has also worked across a number of business verticals, in both the public and private sector. She currently focuses on information governance, risk and compliance and provides our clients with her security solutions expertise. 

Key Threat to Organisations

The EY 2019 CEO Imperative Study has identified data breaches as the key threat to organisations within the next ten years. 

Over 90% of data breaches begin with an email phishing attack. The main targeted assets are:

  • People
  • Data
  • IP
  • Privacy
  • Shareholders
  • Brand 

What Do The Numbers Say?

The number of small firms reporting at least one cyber incident is up from 33% to 47%, with 61% of businesses reporting an attack in the last year. As a result of this, the average figure for losses associated with cyber incidents has risen from $229k to $369k. The average cost of a single incident has risen from $34k to just under $200k. It is clear that cyber attacks can have a detrimental effect on small businesses.


Industry Issues

Sarah then discussed the following issues which are affecting cybersecurity within businesses:

  • Smaller firms have less cyber capability – Small businesses often have less knowledge about cybersecurity and the threats which they could be vulnerable to;
  • There is no silver bullet – Unfortunately, there is not a “quick fix” to protect your business from cyber threats – it’s an ongoing battle;
  • Impossible to completely remove the risk – Try as you might, there’s no way to remove a threat completely;
  • Companies fail to cover the basics – With a lack of time and knowledge, small businesses are failing to effectively protect themselves.

Implementing Governance

There are easy practices that your business can put in place to improve their cyber security. Some of these are quick and easy to implement, with others such as accreditation or certification taking longer periods of time. 

  • Use a top-down approach
    • Put cyber risk on the executive agenda and educate the executives;
    • Ensure management reporting is in a useful format.
  • Keep it simple
    • Recruit champions;
    • Use everyday language.
  • Look at the bigger picture
    • Understand who your threats are;
    • Ensure a link between risk and controls.
  • Use existing standards such as Cyber Essentials. To find out more on this, read our blog post.

Nexor’s Secure Framework – How to Prevent Cyber Attacks

Our Cyber Security consultants will ensure that your business is aligned with the NIST CyberSecurity Framework, by completing an initial assessment, implementing changes and reviewing the impact. 

Below is a breakdown of the 5 elements and what your business will need to review:


  • Identify what you need to protect – priorities;
  • Who your suppliers are;
  • Your whole business understanding.


  • Protect your main assets;
  • Invest in training;
  • Manage your supply chain;
  • Know your weaknesses.


  • Need to be able to detect attempted attacks on your business;
  • Tackle the insider threat;
  • Establish a monitoring regime.


  • Respond to new threats;
  • Threat intelligence – new threats are always emerging;
  • Incident response;
  • Test and retest.


  • Develop plans for resilience and to restore services;
  • What are the lessons that you learnt?

Q&A Session

After the webinar, Sarah held a Q&A session, diving deeper into topics discussed during the presentation. Here are some of the questions which were asked:

Question 1 – What is Supply Chain Management and How can we implement this?

Answer – The first step is to identify who is in your supply chain and then look at the interactions with your business. Depending on your findings, you will be able to determine what risk they present, and what controls you should put in place.

If you want to learn more, we’ve written a blog post about Supply Chain Management.


Question 2 – Is cyber insurance worth having and if so, what should you look for in a cyber insurance policy?

Answer – It is important to check if there are any requirements that your business needs to have as part of your policy. For example, you may be required to hold the cyber essentials certification. Check the small print to see if there are any stipulations the company will put on you and do your homework. 

The most important thing is to carry out your risk assessment first, to determine if the insurance policy you are being quoted actually covers the risks you are looking at. We all conduct research into the features we want in our home or car insurance – we need to make sure we do the same if looking at cyber insurance. 


Author Bio – Sarah Knowles

Sarah Knowles is Nexor’s Senior Security Consultant. She is a NCSC certified Security and information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Cyber Essentials and IASME Governance Assessor. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.


Be the first to know about developments in secure information exchange