Financial services firms are often not getting the basics right on cyber security, leaving them vulnerable to attacks.