Why the Financial Services Industry Needs More Than Technology to Defend Against Cyberattacks
Increasingly, businesses of all sizes in every industry have grown more concerned about cybersecurity, but none more so than the financial services sector. According to the 2015 Travelers Business Risk Index, 80 percent of leaders in the banking and financial services sector cite cyber risks as their top concern, overshadowing compliance, legal, and economic concerns.1 (Figure Source: 2015 Travelers Business Risk Index)
The rise in alarm is understandable considering the significant financial, reputational, and legal ramifications a security breach can have on an individual firm.
Despite its worries, the financial community has been slow to put more sophisticated, comprehensive safeguards in place to strengthen its cybersecurity posture. Many firms have invested heavily in cyber intrusion technologies, but given the speed of technological change and the increasingly sophisticated nature of cyber threats, the industry continues to find itself vulnerable to cyberattacks. In fact, the Ponemon Institute found that financial services organizations take an average of 98 days to identify an attack.2
In 98 days, an intruder can cause a considerable amount of damage, whether it's stealing sensitive data, committing fraud, destroying an institution’s economic stability, or undermining its reputation.
In our ebook, Guide to Cybersecurity for Financial Services Firms: Embracing a Unified Enterprise Defense, we detail the various threat actors and types of threats faced by the financial services sector, look at why organizations are vulnerable to such attacks, and present protective measures and best practices that financial services firms—and organizations from all industries—can implement to shield themselves from cyberattacks.
Even with the most sophisticated cyber intrusion software in place, financial services organizations still find themselves losing the war against cybercriminals. Here are four reasons why:
- Focused Solely on Preventing Financial Crime: Safeguarding systems against financial theft will continue to be a necessity, but financial services organizations must address the fact that they are dealing with other forms of cybercrime, which require different approaches and security measures. For example, most cyber intrusion software addresses outside-in attacks, not attacks from inside the firewall, which makes it ineffective at identifying criminal activity by employees.
- Misguided by Compliance Requirements: Present-day cybersecurity risk management practices within the financial services industry are primarily driven by compliance requirements and managed as an IT function. However, being compliant and being secure are very different. Financial services organizations need to embrace cybersecurity as a strategic business function and employ cutting-edge technology, vigilant people, and innovative methods to achieve an efficient, effective response to active threats and potential incidents.
- Lack a Broader Definition of Business Resilience: In today's digital world, the term “resilience” needs to encompass more than disaster recovery efforts. It should apply to an organization’s ability to recognize cyber threats before they happen, reduce the organization’s exposure to harm, and, most importantly, react quickly. Forward-thinking organizations need to fund cybersecurity initiatives that actually build an enterprise’s cybersecurity strength.
- Put Themselves at Risk with Siloed Systems: Mergers and acquisitions throughout the industry have left many organizations with patched-together networks of incompatible code, tools, technology, and processes. While they may “get the job done” from an operational standpoint, these silos provide limited visibility across the IT enterprise, putting organizations at considerable risk of being breached. Beyond eliminating siloed systems, organizations need to develop comprehensive security models that address legacy systems, as well as new resources, such as cloud services, mobile devices, and applications.
Security is no longer a one-size-fits-all solution, particularly for the financial services industry. Organizations must evolve their security operations beyond relying strictly on technology in order to combat emerging cyber adversaries. Today, the best defense is a unified enterprise defense strategy executed by leveraging intelligence to become proactive and predictive.