Survey shows a deficit of cybersecurity funding and safeguards in financial services

GSISS Financial Services Snapshot

November 6, 2014

By Joe Nocera

Given the press coverage of a series of large scale security breaches over the past 12 months, it’s not exactly surprising to learn that security incidents in the financial services industry have reached an all-time high. What may raise eyebrows is that security spending appears to be mostly flat.

Among 758 financial services respondents to The Global State of Information Security® Survey 2015, the average number of information security incidents detected climbed 8% in 2014 to a record-breaking peak of 4,978 per organization. The financial toll of cybercrime is increasing at a considerably faster clip: Companies spent 24% more to manage and remediate detected incidents in 2014. Note the repeated emphasis on the word detected. It seems all but certain that, given the technical acuity and ample funding of today’s sophisticated threat actors, a great number of incidents go undetected—and therefore uncounted.

So as the frequency and costs of cybersecurity incidents continue to mount, it would seem that prudence would demand significant boosts in information security budgets. Yet that’s not what the survey tells us: In 2014, information security budgets for financial services organizations inched up a mere 3% over the year before. The consequences of underinvestment may be troubling and potentially far-reaching. Among financial services respondents, we have already seen a lack of progress—and in many cases, attrition—in the use of up-to-date processes and tools to detect and respond to today’s fast-evolving security threats.

In analyzing this year’s data, we identified five critical areas that organizations should address to strengthen information security practices: Executive support for security, regulatory preparedness, third-party due diligence, insider-incident programs, and enhanced governance and processes. These topics are briefly summarized below; for a more in-depth look, see the full report here.

Cybersecurity starts at the top

To be effective, cybersecurity “ownership” starts at the top of an organization. Cyber savvy firms integrate cybersecurity into their organization’s overall enterprise risk-management framework, and the CEO and Board “own” the responsibility for managing cyber resiliency. Senior executives at such firms establish a strong culture of security and cyber resilience by setting an affirmative “tone at the top.” Doing so demands that executives proactively communicate the importance of security across the enterprise. Beyond that, executive leaders engage the Board in the discussion and management of cybersecurity risks. Yet the facts are that only one-third (33%) of respondents said their Board is involved in the review of security and privacy risks.

Regulators may introduce cybersecurity exams

Recent actions by industry regulators in the US and Europe have signaled they may require proof that financial services firms have implemented a robust security program. Most notably, recent guidance from the US Securities and Exchange Commission (SEC) indicates that financial services firms should be prepared to undergo examinations to prove their cybersecurity preparedness. The SEC also included cyber insurance on its list of possible factors that may be used in examinations. Our survey shows that many respondents may not be capable of “passing” security examinations. We found that many firms lack fundamentals like executive support for security, a tested incident-response plan, continual assessment and monitoring, threat intelligence and analysis, and employee awareness programs.

The rising risks of third-party partners

Financial institutions are increasingly worried about their ability to combat threats that can arise from sharing networks and data with business partners, contractors, and suppliers. With good reason: This year, 41% of respondents say they detected security incidents perpetrated by current and former service providers, contractors, consultants, and suppliers. Yet many financial services companies could do more to protect themselves. Consider, for instance, that fewer than two-thirds (62%) of respondents have established security baselines and standards for external partners, suppliers, and vendors, and just 59% require business partners to comply with their privacy policies. Yet these are basic steps to help ensure third-party security.

Inside jobs go unchecked

The number of security incidents attributed to insiders—current and former employees, in particular—increased substantially this year, even as the readiness of financial firms to manage these risks diminished. Many businesses do not have an insider-threat program in place, which leaves them unprepared to prevent, detect, and respond to insider threats. Employees and managers are critical to an insider-threat management program because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective security program. However, our survey showed that organizations that have an employee training and awareness program dropped to 57%, from 66% the year before.

It takes more than technology

Many financial services firms view technology solutions as the best bet to protect their networks and data. Truth is, sophisticated cyber adversaries are in the vanguard of innovation, and often are able to circumvent cybersecurity technologies as soon as solutions vendors develop them. That’s why it makes sense for financial services organizations to ensure that technology solutions are deployed on top of a foundation of sound governance, operational processes, and people skills. Consider, for instance, detection and analysis of cyber threats. Tools to identify and analyze threats are critical, but timely mitigation of incidents will also demand up-to-date response processes and properly trained personnel.

In an era in which cyber compromise is virtually certain, a coordinated approach to incident response is critical to the bottom line, as well as reputation and compliance.

 

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

Previous post:

Next post: