Financial Services: Strong In Cybersecurity, But Still Struggling With Risks
In association with VMware
Financial services organizations have been battling cybersecurity threats for a long time, and while they have taken the lead with comprehensive measures, including implementing new technology, the embrace of digital transformation is only expanding the attack surface, and with it the risk.

“Financial institutions have always been targets of theft,” says Mike Stiglianese, managing director for national technology and cybersecurity for the financial services industry at BDO USA. “But with their dependency on digital platforms, and because of the large amounts of sensitive customer information they store, the target on their backs has grown.”
Cyberattacks have been on the rise, with the biggest threats being “using established cyber techniques to commit fraudulent acts,” says Anil Markose, senior vice president for Booz Allen Hamilton. Markose cites a number of factors that have increased the threats against financial services organizations, such as an “increase in the attack surface due to accelerated digitalization for most companies. This is being done with speed versus security quality, so the available attack surface for an attacker continues to grow. Most financial institutions have invested heavily in technologies but may not have built programs and processes around the technologies to maximize their investments.”
For the financial services sector, real money is at stake when it comes to cybersecurity.

To better understand how organizations are approaching cybersecurity, Forbes Insights, in partnership with VMware, surveyed 1,001 security practitioners and security executives. Data from this survey, which covers a range of industries, is presented in our report “Cybersecurity Trailblazers Make Security Intrinsic To Their Business,” which also outlines how organizations can improve their enterprises’ security posture. This brief details the findings among the 202 respondents within financial services. Where appropriate, financial services results are contrasted with the overall sample.
FINANCIAL SERVICES: STRONG IN CYBERSECURITY, BUT STILL STRUGGLING WITH RISKS © 2019 FORBES INSIGHTS

The average annualized cost of cybercrime to financial services organizations is estimated at $18.3 million.[1]

[1] “Cost of Cyber Crime Study,” Accenture, June 26, 2018.
The Situation
Digital transformation is not new to the financial services sector, and at this stage a majority of those surveyed report transformational change to their infrastructures and processes. More than two-thirds of financial services respondents say security controls (72%) and infrastructure (68%) have significantly changed as they have redesigned and rebuilt their systems to support digital processes and interfaces, and 60% say the same of applications. The security controls that need to accompany digital technologies in fact rank at the top of the list of areas going digital, which shows that security remains top of mind during this evolution (Figure 1).

Along with keeping security at the forefront of digital transformation efforts, financial services respondents are more likely than their counterparts in other industries to say major stakeholders are aligned to their security strategies. Within most financial services organizations, line-of-business directors and managers have taken the lead in formulating and executing security strategies, which means the business side is widely engaged in cybersecurity awareness and mitigation (Figure 2).
“The criminal element has become more sophisticated, but so has our ability to detect and deter,” says Tim Callahan, senior vice president and global chief security officer for Aflac. “They can construct a malware or phishing attack, launch the attack and do other things while waiting for a response. But the fact that we understand this enables us to work against them. We know what we didn’t know before. Software and technology suppliers are also more aware and are elevating their game with more rigor as well.”

FIGURE 1: Financial Services Enterprise Areas Seeing Transformational Change
  Security controls (technology, operations)                        72%
  Infrastructure (cloud, network, compute, storage)                 68%
  Applications (architectures, development processes, platforms)   60%

FIGURE 2: Stakeholder Alignment In Security Strategies
                                   Financial services   Overall
  Lines of business, SVP, GM               83%            74%
  Functional directors                     81%            75%
  Chief security officer                   80%            75%
  C-suite                                  79%            72%
  Board of directors                       78%            70%
When it comes to the challenges of managing cybersecurity, financial services organizations face the same headwinds as their counterparts in other industries, and then some. The need for more funding tops the list, cited by more than half of respondents. A similar percentage say their cybersecurity efforts need a more coherent enterprise strategy, a problem felt more acutely in financial services organizations than in other sectors. Likewise, financial firms are being hit harder by skills shortages in this vital area (Figure 3).

FIGURE 3: Financial Services Cybersecurity Organizational Pain Points (represents/highly represents)
                                                        Financial services   Overall
  Need more budget                                              58%            54%
  Need more coherent enterprise approach and strategy           56%            48%
  Lack of skilled staff                                         54%            48%
  Lack of end-user training or awareness                        53%            47%
  Lack of visibility (e.g. we don’t know what we don’t know)    50%            46%
  Need for stronger policies and guidelines                     50%            46%
  Lack of top executive support                                 46%            41%
From a technical standpoint, financial services executives/practitioners worry most about the proliferation of computing power as it widens their attack surfaces. The vulnerability of IoT devices is the top technology pain point, followed by the difficulty of managing devices and applications accessed from anywhere. The proliferation of security point products is also a leading concern. Tellingly, these challenges are more pronounced for financial services organizations than across other industry groups (Figure 4).

Company size, and thus access to resources, shapes a firm’s ability to address security in a comprehensive way. Often, due to funding constraints, cybersecurity efforts are commingled with compliance programs in financial services. “The largest financial institutions are spending the right amounts on security and have world-class programs,” says Markose. “As you move to the smaller, less-funded companies, there are trade-offs. These financial institutions may not have the budget they need to cover all their capabilities; therefore, the focus tends to be more on compliance rather than real security. One could argue that even with a limited budget, you should focus on your real security threats versus compliance, but this is a challenge in the market.”

FIGURE 4: Financial Services Cybersecurity Technology Pain Points (represents/highly represents)
                                                                        Financial services   Overall
  Vulnerability of IoT devices                                                  56%            43%
  Difficulties managing devices and apps accessed from anywhere                54%            48%
  Too many point products to track and manage                                  52%            45%
  Inability or delays in detecting, discovering or identifying threats         49%            45%
  Lack of security policies aligned to my applications and data                49%            43%
  Complex policy controls due to too many products/procedures                  48%            45%
  Outdated products/solutions                                                  48%            43%
  Products/solutions with limited capabilities                                 46%            44%
  Inadequate protection for applications/data inside my perimeter              42%            41%
While financial services respondents are more cognizant of cybersecurity issues, they are not immune to the same types of attacks experienced across other industries. Close to one-third say they have had issues with password phishing, while one in four have had problems with identity and access. A similar number suffered ransomware attacks (Figure 5).

FIGURE 5: Top Incidents Experienced Over The Past Three Years
                                   Financial services   Overall
  Password phishing                        32%            34%
  Identity and access issues               25%            27%
  Ransomware                               24%            20%
  Social media cyberattacks                23%            23%
  Data theft, online                       21%            21%
  Insider attacks                          20%            19%
  Socially engineered malware              19%            22%

Nearly a third of financial services organizations say they have suffered a cyberattack over the past three years.
Because financial services organizations have dealt with these issues for decades, experience and maturity may be part of their security culture. Executives/practitioners in this sector express higher degrees of confidence than respondents overall in their ability to address security challenges, particularly those related to infrastructure and security products (Figure 6).

FIGURE 6: Confidence In Addressing Emerging Security Challenges
                                   Financial services   Overall
  Infrastructure                           74%            67%
  Security products/tools                  73%            67%
  Security process                         73%            65%
  Devices (mobile and desktop)             70%            64%
  Cloud                                    69%            66%
  IoT                                      66%            57%
  People/talent                            66%            60%
The Technology
For financial services organizations, technology is a fast-moving target intended for a fast-moving business. There is constant pressure to adopt the latest solutions that ensure real-time movement of massive data sets as well as prevent unauthorized access and fraud. This creates an environment where software must be quickly designed, built, tested and deployed. Industry experts caution that such a fast-paced environment requires even greater security vigilance. “As companies become more digital, they need to design code with a security mindset,” says Markose. “Many organizations are developing in an agile process that inherently favors speed to production over quality. This will continue to increase the attack surface, so you have to strengthen security controls in the development phase to really thwart this issue.”
At this time, however, only 27% of financial services executives/practitioners fully involve their security organizations in decisions across their tech stack from the start. While this is higher than the figure for respondents overall, it means that nearly three-quarters (73%) of financial services organizations do not inherently build security into their technology-driven processes.
Cloud has become an important part of the equation when it comes to digital transformation, particularly for financial services organizations. Some 42% of respondents in this sector say cloud providers now handle many of their security measures, compared with 34% overall, and another 42% say providers handle some; in total, 84% of financial services organizations rely on cloud to some extent for their security needs. They are also more inclined than their counterparts across other industries to use cloud for load balancing and secure web gateway services (Figures 7 and 8).

While cloud providers now provide a significant portion of financial organizations’ security requirements, industry participants still recommend caution with any third-party engagement. “The greatest vulnerability for financial services organizations is often their third-party vendors, which many rely on for cost-effective service delivery,” says Stiglianese. “It’s critical to keep cybersecurity in mind when it comes to third-party due diligence.”

FIGURE 7: How Cloud Adoption Has Changed Security Strategies
                                                           Financial services   Overall
  Many security measures now handled by cloud provider(s)          42%            34%
  Some security measures now handled by cloud provider(s)          42%            43%
  No changes                                                       13%            17%
  Don’t know/not applicable                                         3%             6%

FIGURE 8: Security Services Provided By Cloud Providers (partially or in full)
                                   Financial services   Overall
  Load balancing                           79%            74%
  Secure web gateway                       76%            72%
  Endpoint detection and response          75%            70%
  Identity                                 69%            71%
  Firewall                                 66%            70%
Recent regulations issued by the New York Department of Financial Services are one example of growing concern and oversight over risks when infrastructures are managed by third-party services, Stiglianese adds. “These infrastructures typically include payment and settlement systems, trading platforms, securities depositories and connections to multiple counterparties. This creates a significant attack surface for hackers to attempt to exploit.”

Financial services executives/practitioners do appear to be paying close attention to the security that comes with cloud: cloud and infrastructure security are the sector’s top investment focuses. This sector is also ahead in its adoption of artificial intelligence (AI) and machine learning (ML) to enhance and add greater intelligence to security remediation efforts. More than one-third, 35%, are now employing AI and ML, versus 26% overall (Figure 9).

FIGURE 9: Top Areas For Security Investment Over The Next Three Years
                                           Financial services   Overall
  Cloud security                                   47%            48%
  Infrastructure security                          41%            38%
  Device security                                  39%            38%
  Threat security                                  39%            41%
  Using AI and ML in security policy               35%            26%
  IoT security                                     35%            36%
  Security management and policy                   34%            35%
  Application behavior and whitelisting            26%            22%
The People & Processes
Financial services IT infrastructures are complex, with many layers and connection points. It is therefore probably no surprise that financial services organizations report slightly slower response times to security incidents than their counterparts in other industries. Forty-six percent of financial services respondents indicate they can identify and resolve security issues within a day, compared with 51% overall (Figure 10).

At the same time, financial services executives/practitioners report greater satisfaction with the rate of problem resolution than their counterparts. More than two-thirds, 68%, indicate they are mostly or highly satisfied with their organizations’ ability to address security issues in a timely manner, versus 63% overall (Figure 11).

FIGURE 10: Length Of Time To Resolve A Security Issue
                                   Financial services   Overall
  Less than one hour                        9%            10%
  Multiple hours to one day                37%            41%
  Multiple days to one week                35%            30%
  More than one week                       19%            18%

FIGURE 11: Satisfaction With Length Of Time To Resolve A Security Issue
                                   Financial services   Overall
  Not satisfied at all                      5%             7%
  Somewhat satisfied                       26%            29%
  Mostly satisfied                         38%            39%
  Highly satisfied                         30%            24%
For the most part, respondents in financial services are turning to hardware and software solutions to stay on top of cybersecurity threats. Close to half look to new tools and solutions, in line with the overall average. However, financial services leaders see greater value in adopting acceptable use policies to help manage end-user and customer use of devices and services, 41% to 35%. Policies and procedures are also a preferred approach: more than one-third of financial services respondents took this action to improve responsiveness. Financial organizations lag in both security team training and end-user education (Figure 12).

FIGURE 12: Actions Taken To Improve Responsiveness To Security Issues
                                                               Financial services   Overall
  Acquired new security tools/solutions                                48%            45%
  Modified/updated acceptable use policies                             41%            35%
  Implemented new or additional policies and procedures                36%            38%
  Brought in outside expertise                                         33%            31%
  Sponsored training and education for security team members          29%            34%
  Redesigned response processes                                        26%            27%
  Sponsored training and education for end-users                      26%            32%
  Don’t know/unsure                                                     4%             3%
  None taken                                                            4%             3%
As noted throughout this report, the financial services sector demonstrates greater maturity in cybersecurity, a result of having managed such issues for longer and of a greater sensitivity to security requirements, since money is directly involved. There is also more collaboration in this industry among enterprise teams when it comes to security. For example, 77% report high levels of involvement from their network teams, compared with 72% overall. There is also greater involvement from architecture teams. Significantly, C-level executives in financial services organizations tend to be more highly engaged than their counterparts in other industries (Figure 13).

FIGURE 13: Who’s Collaborating On Cybersecurity
                                   Financial services   Overall
  Network teams                            77%            72%
  Security teams                           74%            72%
  Architecture                             72%            63%
  Operations teams                         73%            67%
  Application development                  72%            63%
  Infrastructure teams                     71%            67%
  C-suite executives                       68%            60%
  Mobile app development                   61%            58%
The Future
Financial services security executives and practitioners need to prepare for the transformative changes that are sweeping organizations. Here are the trends that will shape the industry over the coming years.
A security-first approach is essential, requiring more intrinsic approaches. “As companies continue to modernize their IT and customer-facing digital presence, it will inherently increase their cyberattack surface,” says Markose. “Organizations should take a security-first mindset in the design phase and incorporate a continuous monitoring and hardening approach to maintaining an acceptable level of exposure. In addition, continuing to test and prepare the organization for a security incident will reduce the impact of the unexpected cyber event that everyone will face sooner or later.”

While end-user training will help, some attacks are bound to get through, which is why, from a technology perspective, organizations need to reduce the attack surface with security built into the infrastructure, so that when an attack gets past the users, the potential damage is limited.
Financial services organizations need to ensure that their workforces are prepared to address cybersecurity events. With the wide attack surface and complexities of digital interactions, end-users serve as the first line of defense. “People are at the heart of many of the security incidents through social engineering or accidental disclosures or data leaks,” says Markose. “The most exploitable part of an environment is the trust provided to a credentialed user (employee or customer). Because of this, employee awareness and training are critical. Companies need to spend more in recognizing anomalous user activity to detect compromised accounts and insiders. Beyond employees, infrastructure upgrades and network security are also critical to reduce risk.”
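The anomalous-user-activity detection Markose recommends, as an added example that is not from the report or from Booz Allen Hamilton: a small Python detector that builds a per-user baseline (countries, devices and hours of day) from known-good login history, scores each new login against it, and adds an impossible-travel check between consecutive logins. The login records, user names, coordinates and the 900 km/h speed threshold are all constructed assumptions, and timestamps are treated as UTC.

```python
"""Baseline-driven detection of anomalous user logins.

Added example, not from the Forbes Insights report or its interviewees. Every
login record, user, location and threshold is constructed; timestamps are UTC.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import math

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner speed


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str
    device: str
    lat: float
    lon: float


# Constructed "known good" history used to build per-user baselines.
HISTORY = [
    Login("alice", datetime(2019, 3, 4, 8, 55), "US", "win-laptop-01", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 5, 9, 10), "US", "win-laptop-01", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 6, 10, 30), "US", "win-laptop-01", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 7, 11, 5), "US", "win-laptop-01", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 7, 14, 40), "US", "win-laptop-01", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 8, 16, 20), "US", "win-laptop-01", 40.7, -74.0),
    Login("bob", datetime(2019, 3, 6, 8, 0), "US", "mac-02", 41.9, -87.6),
    Login("bob", datetime(2019, 3, 7, 15, 0), "US", "mac-02", 41.9, -87.6),
]

# Constructed new events to score: a normal login, a new phone, then a login
# from Romania four hours after the New York one, on an unknown device.
EVENTS = [
    Login("alice", datetime(2019, 3, 11, 10, 0), "US", "win-laptop-01", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 11, 16, 0), "US", "iphone-unknown", 40.7, -74.0),
    Login("alice", datetime(2019, 3, 11, 20, 0), "RO", "linux-unknown", 44.4, 26.1),
    Login("bob", datetime(2019, 3, 11, 15, 0), "US", "mac-02", 41.9, -87.6),
]


def build_baselines(history):
    """Per user: the countries, devices and hours of day seen in known-good history."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in history:
        b = base[e.user]
        b["countries"].add(e.country)
        b["devices"].add(e.device)
        b["hours"].add(e.ts.hour)
    return base


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def score_login(login, baseline, previous):
    """List the signals on which this login deviates from the user's baseline.

    `previous` is the user's most recent earlier login (or None) and drives the
    impossible-travel check.
    """
    reasons = []
    if login.country not in baseline["countries"]:
        reasons.append("new_country")
    if login.device not in baseline["devices"]:
        reasons.append("new_device")
    if login.ts.hour not in baseline["hours"]:
        reasons.append("off_hours")
    if previous is not None:
        hours = (login.ts - previous.ts).total_seconds() / 3600.0
        dist = haversine_km(previous.lat, previous.lon, login.lat, login.lon)
        # A location change in zero or negative elapsed time is just as implausible.
        if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            reasons.append("impossible_travel")
    return reasons


def detect(history, events, min_reasons=2):
    """Return (user, iso timestamp, reasons) for events tripping >= min_reasons signals.

    A user with no history has an empty baseline and trips every signal; production
    code should handle first-time users separately rather than alert on them.
    """
    baselines = build_baselines(history)
    last = {}
    for e in sorted(history, key=lambda e: e.ts):
        last[e.user] = e
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = score_login(ev, baselines[ev.user], last.get(ev.user))
        if len(reasons) >= min_reasons:
            alerts.append((ev.user, ev.ts.isoformat(), reasons))
        last[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for user, when, reasons in detect(HISTORY, EVENTS):
        print(f"ALERT {user} at {when}: {', '.join(reasons)}")
```

A single deviation is not alerted, because one new phone or one late login is routine churn; the alert fires when several signals coincide, which is the shape a stolen credential usually takes (here, alice’s Romanian login trips all four). Insider misuse, the other case Markose names, needs activity features beyond logins, such as the volume and sensitivity of records accessed, which this example deliberately leaves out.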
Develop a cybersecurity risk profile. “Financial services as an industry is no stranger to the cyberthreat,” says Stiglianese. “It’s widely known that cyber incidents can cause significant financial and reputational harm to financial services institutions and insurance companies that house troves of sensitive consumer, transactional and other classified data. Now the stakes are rising even further. Governing authorities are increasingly holding financial institutions accountable for cyber negligence, even after a breach has been patched. Employing a threat-based cybersecurity framework should be their guiding light. Understanding their inherent risk profile and implementing the appropriate level of controls to manage an acceptable residual risk level should be every institution’s objective.”
There is a need for faster response times to security incidents. Financial services organizations lag behind other industries in their ability to rapidly resolve security incidents as they arise. There is a need for more training, more streamlined processes, and tooling that helps identify problems and resolve them before they become major issues for organizations, delaying services and access to funds that customers need.
Increasing consideration of cloud or third-party options to deliver security capabilities. Until recently, security was seen as a drawback of moving to the cloud. Now, cloud providers can deliver security capabilities that many on-premises environments cannot match. Just as financial services companies have turned to the cloud to support new services and capabilities, they need to partner with cloud providers on security matters. Ultimate responsibility for security should not be outsourced: under the shared-responsibility model every major provider operates, the provider secures the underlying platform, while the customer remains responsible for its identities, data, configurations and the workloads it runs. Rather than rely on providers’ security promises, financial services managers need to work closely and collaboratively with cloud providers to understand exactly which controls the provider operates and which remain with the institution, so that any gaps can be identified.
Financial services business and security team leaders need to foster open and frequent communication on security concerns. Cybersecurity is an ongoing challenge that affects every part of the enterprise. This requires that processes and work habits be constantly examined and adjusted to meet security needs. End-users can often be the first to spot issues and alert security teams. In addition, the enhanced attention to processes that occurs within a robust and holistic cybersecurity strategy can help streamline and improve the way business is conducted.

“The best advice is to be 100% transparent with leadership and the board on your particular governance process and to construct a program where risk decisions are made at the right place in the company and commensurate with the level of risk,” says Callahan. “The acceptable risk tolerance is not a security decision but a governance or top-of-the-house decision. The security executive then architects a program based on the tolerance and has risk acceptance graduated to the right level. For instance, if the company risk tolerance is medium, you can construct a program where low-risk exceptions or technology approval is at a lower level of management. Whereas high risks must go to some corporate level body to approve or accept risk.”
For more information on how to turn security into a competitive advantage, read:
Cybersecurity Trailblazers Make Security Intrinsic To Their Business

Methodology
Forbes Insights surveyed 1,001 executives and practitioners
from across the globe representing manufacturing, retail,
financial services, healthcare, government and education.
Within this group, 202 respondents were with financial services
organizations. From the overall sample, more than four in 10
respondents were from the C-suite (including chief information
security officers, chief information officers and chief technology
officers), and nearly a quarter were in security management
roles. Responses were weighted to reflect market size.
Acknowledgments
Forbes Insights and VMware would like to thank the following individuals for their time and expertise:
Tim Callahan, Senior Vice President and Global Chief Security Officer, Aflac
Anil Markose, Senior Vice President, Booz Allen Hamilton
Mike Stiglianese, Managing Director for National Technology and Cybersecurity for the Financial Services Industry, BDO USA
499 WASHINGTON BLVD. | JERSEY CITY, NJ 07310 | 212.367.2662 | FORBES.COM/FORBES-INSIGHTS
Forbes Insights is the strategic research and thought leadership
practice of Forbes Media, a global media, branding and technology company whose combined platforms reach nearly 94 million
business decision makers worldwide on a monthly basis.
By leveraging proprietary databases of senior-level executives in the Forbes community, Forbes Insights conducts research on a wide range of topics to position brands as thought leaders and drive
stakeholder engagement. Research findings are delivered through a variety of digital, print and live executions, and amplified across
Forbes’ social and media platforms.
Report Author: Joe McKendrick