
Do Strong Passwords and MFA Make a Difference to the Security of the Financial Services Sector?

The financial sector is one of the most targeted by cyber criminals, and the effects of a successful attack or data breach can be devastating. In the year preceding June 30th, 2023, there were 640 cybersecurity breaches reported to the Information Commissioner's Office (ICO) from UK financial services firms: an almost threefold increase on the year before. Whilst it may be assumed that companies such as insurance brokers, bankers, financial advisors or mortgage lenders, whose work is underpinned by money, would have robust cybersecurity measures, the reality is that they are a lucrative target, and clearly vulnerable.


What makes finance and property a targeted sector?

Money is a motivating factor for criminals, regardless of the sector. However, those companies whose work concerns the management, handling or storing of money present themselves as a particularly attractive target. In the statistics sourced from the ICO, the pension sector reported the biggest rise in cyber security breaches, amounting to 246 in 2022/2023, which is a stark increase on the 6 that were reported in the previous year. A successful hack or breach can allow criminal actors unauthorized access to accounts or personal information. Depending on what is accessed, this could lead to criminals making financial transactions themselves, or using personal information to trick others into revealing further information or sending them money. An event like this could have unknown financial ramifications for the business, as well as causing massive reputational damage and a loss in consumer trust.

As previously mentioned, it is not just money that is managed by these companies but sensitive and personal information too. For companies such as insurance brokers, estate agents, mortgage lenders, or asset managers, having personal data allows them to understand the needs of their clients and deliver a customized service. This data is valuable to cybercriminals. If accessed, personal information can be used to formulate sophisticated and targeted phishing attacks, it can be held and used as part of a ransomware attack, or it can be compromised and sold on the dark web. Additionally, the financial sector faces threats not only from financially motivated criminals, but from politically motivated ‘hacktivists,’ insider threats, and nation states too.

So, what does good cyber hygiene look like?

Considering the state of the cyber threat landscape for the financial sector, it is important that companies of all sizes are considering their cybersecurity. Human behaviour remains a risk factor in data loss and cyber security breaches; however, this is something which can be improved at no cost. Developing a positive cybersecurity culture within your organisation and making sure staff are aware of what good cyber hygiene looks like can significantly reduce the risk of accidental compromise.

One aspect of good cyber practice is using strong passwords and having multi-factor authentication switched on. Passwords should be long and complex, and unique to each individual account any one person has, inside or outside of work. The NCSC guidance is that using their three random words technique can help to create a strong password. This involves creating a random sentence and taking three unrelated words from it, combining them and adding numbers or special characters if further complexity is required. The result is a long password that is difficult to guess. Another option is to use a password manager. This not only encourages people to use different passwords for each account, removing the need to remember them, but many password managers can also create a strong password for you.
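The three random words technique described above, worked through in code as an added example (this is not code from the ECRC article or from the NCSC). It draws the words with the operating system's CSPRNG rather than from a sentence the user invents, and puts a number on why the approach works by comparing the guessing entropy of several password schemes. The word list is a small constructed stand-in; the figures assume a 7,776-word list such as the EFF long list, and the "Word1!" pattern's 10,000-word vocabulary is an assumed round number, not a measured one.

```python
import math
import secrets

# Constructed stand-in word list for this example. The technique's strength comes
# from the size of the pool the words are drawn from, so in practice you would use
# a large list (the 7,776-word EFF long word list is the usual choice).
SAMPLE_WORDS = [
    "anchor", "biscuit", "cactus", "dolphin", "engine", "fossil", "glacier",
    "harvest", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quartz", "ribbon", "saddle", "tunnel", "umbrella",
    "violin", "walnut", "yoghurt", "zephyr",
]
SUFFIX_SYMBOLS = "!$%&*?"


def three_random_words(words, add_suffix=False):
    """Build a passphrase from three words chosen with the OS CSPRNG.

    secrets.choice rather than random.choice, so the selection cannot be
    reproduced from a seed. With add_suffix, a two-digit number and one
    symbol are appended for services that insist on extra character classes.
    """
    phrase = "".join(secrets.choice(words) for _ in range(3))
    if add_suffix:
        phrase += f"{secrets.randbelow(100):02d}{secrets.choice(SUFFIX_SYMBOLS)}"
    return phrase


def entropy_bits(pool_size, draws):
    """Entropy in bits of `draws` independent, uniform choices from `pool_size` options."""
    return draws * math.log2(pool_size)


def compare_schemes(wordlist_size=7776):
    """Guessing entropy of several schemes, assuming the attacker knows which scheme was used."""
    return {
        # three words from a diceware-sized list
        "three_words": entropy_bits(wordlist_size, 3),
        # the same with the two-digit number and symbol suffix from three_random_words
        "three_words_suffix": entropy_bits(wordlist_size, 3)
                              + entropy_bits(100, 1) + entropy_bits(len(SUFFIX_SYMBOLS), 1),
        # eight characters drawn uniformly from the 94 printable ASCII characters
        "eight_random_chars": entropy_bits(94, 8),
        # a common human pattern: one word from an assumed 10,000 everyday words,
        # capitalised, then a single digit and '!' (the fixed pattern adds nothing)
        "Word1!_pattern": entropy_bits(10_000, 1) + entropy_bits(10, 1),
    }


if __name__ == "__main__":
    print(three_random_words(SAMPLE_WORDS))
    print(three_random_words(SAMPLE_WORDS, add_suffix=True))
    for name, bits in compare_schemes().items():
        print(f"{name:>20}: {bits:5.1f} bits")
```

Three words from a 7,776-word list give roughly 39 bits, the suffix lifts that to about 48, and eight truly random printable characters give about 52; all three are far above the roughly 17 bits of a capitalised-word-plus-digit-plus-symbol pattern that merely satisfies a complexity rule. The figures assume every word is chosen uniformly at random; words picked out of a sentence a person made up are less uniform, so treat the three-word figure as an upper bound and lean on the suffix, a fourth word, or a password manager where an account matters.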

Enabling multi-factor authentication (MFA) adds an additional layer of protection to your account. If a password is compromised, the account cannot be accessed without the additional security factor, such as a verification code or the answer to a security question. MFA makes unauthorized access a lot more difficult for criminals and according to Microsoft, having it switched on can prove effective against 98% of attacks.
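To show concretely why a compromised password on its own is not enough once MFA is on, here is an added example (not code from the ECRC article, Microsoft, or any named product) of a login check that requires both a password and a time-based one-time code. The one-time code follows the HOTP and TOTP standards (RFC 4226 and RFC 6238), which is what authenticator apps implement; the user record, the `register` and `login` helpers, and the `USERS` store are constructed for this example, and the demo secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# --- one-time password primitives (RFC 4226 / RFC 6238) ---------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift).

    Codes are compared with hmac.compare_digest so response timing does not
    reveal how many leading digits matched.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )

# --- a minimal account store, constructed for this example ------------------

USERS: dict = {}


def register(username: str, password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Store a salted password hash plus a per-user TOTP secret (never the password itself)."""
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret or secrets.token_bytes(20),
    }
    return USERS[username]


def login(username: str, password: str, code: Optional[str], unix_time: int) -> str:
    """Return 'ok', 'mfa_required' or 'denied'.

    Both factors must pass. A wrong password and a wrong code both yield the
    same 'denied', so the response does not tell the caller which factor failed.
    """
    user = USERS.get(username)
    if user is None:
        return "denied"
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(expected, user["pw_hash"]):
        return "denied"
    if code is None:
        return "mfa_required"          # a correct password alone is not enough
    if not verify_totp(user["totp_secret"], code, unix_time):
        return "denied"
    return "ok"


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret so the codes are reproducible.
    rec = register("alice", "glacierwalnutkettle", totp_secret=b"12345678901234567890")
    now = 59
    print(login("alice", "glacierwalnutkettle", None, now))                            # mfa_required
    print(login("alice", "glacierwalnutkettle", totp(rec["totp_secret"], now), now))  # ok
    print(login("alice", "glacierwalnutkettle", "000000", now))                        # denied
```

The shared secret never travels over the network after enrolment; only a six-digit code derived from it and the current time does, and that code expires within a minute. Someone holding a phished or leaked password therefore still gets "denied" unless they also hold the device with the secret. The `window` argument is the practical caveat: it tolerates small clock differences, and the larger it is made, the more codes are valid at once, so keep it at one step and rate-limit code attempts.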

Further to account security, there should be a clear policy on how employees should be working online. Awareness training can help educate people as to why using unsecured networks or unknown personal devices for work purposes can place them at risk of being compromised. To combat phishing, everybody should be made aware of the common features to look out for, as well as encouraged to question anything that looks abnormal. If people feel supported and understand what they will and won’t be expected to do over email or text, it reduces the risk of human behaviour becoming a way in for cyber criminals.

The financial sector remains highly targeted by criminals, and cybersecurity should be a priority for every company working in this sector. However, some of the most impactful ways to improve cyber resilience come from human behaviour, and making sure that these fundamentals are in place can massively reduce the risk of an organisation falling foul of cyber criminals.


Where does the ECRC fit into this?

Becoming a free member of the ECRC enrols you onto our ‘Little Steps’ Programme, a weekly email series giving you bite-sized steps to improve your cyber resilience. This supports you through making simple changes to reduce the risk of a cyber-attack. Being a member keeps you informed of any current threats and ensures that the guidance you receive is up to date. Additionally, you can find free, sector-specific support tools and guidance on our website.

The ECRC also offers affordable support services to help you protect your networks as well as your workforce. This includes Security Awareness Training, First Step Web Assessments, and Remote Vulnerability Assessments, amongst others.

Additionally, for any organisations looking to become accredited in Cyber Essentials, not only does our ‘Little Steps’ programme help you become compliant with the criteria, but we also have a list of Cyber Essentials Partners that are able to accredit you with this certification.

If you would like to know more about what we can do for you at the ECRC, why not book a chat with us today?


Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which isn’t ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
