
Financial Services: Strong In Cybersecurity, But Still Struggling With Risks


For the financial services sector, real money is at stake when it comes to cybersecurity.

Financial services organizations have been battling cybersecurity threats for a long time, and while they’ve taken the lead with comprehensive measures—including implementing new technology—the embrace of digital transformation is only expanding the attack surface—and risk.

“Financial institutions have always been targets of theft,” says Mike Stiglianese, managing director for national technology and cybersecurity for the financial services industry at BDO USA. “But with their dependency on digital platforms, and because of the large amounts of sensitive customer information they store, the target on their backs has grown.”

Cyberattacks have been on the rise, with the biggest threats being “using established cyber techniques to commit fraudulent acts,” says Anil Markose, senior vice president for Booz Allen Hamilton. Markose cites a number of factors that have increased the threats against financial services organizations, such as an “increase in the attack surface due to accelerated digitalization for most companies. This is being done with speed versus security quality, so the available attack surface for an attacker continues to grow. Most financial institutions have invested heavily in technologies but may not have built programs and processes around the technologies to maximize their investments.”

To better understand how organizations are approaching cybersecurity, Forbes Insights surveyed 1,001 security practitioners and security executives, in partnership with VMware. Data from this survey, which covers a range of industries, is presented in our report “Cybersecurity Trailblazers Make Security Intrinsic To Their Business,” which also outlines how organizations can improve their enterprises’ security posture.

This brief details the findings among the 202 respondents within financial services. Where appropriate, financial services results are contrasted with the overall sample.


The average annualized cost of cybercrime to financial services organizations is estimated at $18.3 million.[1]

[1] “Cost of Cyber Crime Study,” Accenture, June 26, 2018.


The Situation


Digital transformation is not new to the financial services sector, and at this stage, a majority of those surveyed report transformational change to their infrastructures and processes. More than two-thirds of financial services respondents say infrastructure, security controls and applications have significantly changed as they’ve redesigned and rebuilt their systems to support digital processes and interfaces. The security controls that need to accompany digital technologies, in fact, rank at the top of the list when it comes to areas going digital. This shows that security remains top of mind during this evolution (Figure 1).

Along with keeping security at the forefront of digital transformation efforts, financial services respondents are more likely than their counterparts in other industries to say major stakeholders are aligned to their security strategies. Within most financial services organizations, line-of-business directors and managers have taken the lead with formulating and executing security strategies, which means the business side is widely engaged in cybersecurity awareness and mitigation (Figure 2).

“The criminal element has become more sophisticated, but so has our ability to detect and deter,” says Tim Callahan, senior vice president and global chief security officer for Aflac. “They can construct a malware or phishing attack, launch the attack and do other things while waiting for a response. But the fact that we understand this enables us to work against them. We know what we didn’t know before. Software and technology suppliers are also more aware and are elevating their game with more rigor as well.”

FIGURE 1: Financial Services Enterprise Areas Seeing Transformational Change
SECURITY CONTROLS (technology, operations): 72%
INFRASTRUCTURE (cloud, network compute, storage): 68%
APPLICATIONS (architectures, development processes, platforms): 60%

FIGURE 2: Stakeholder Alignment In Security Strategies
(Financial services / Overall)
LINES OF BUSINESS, SVP, GM: 83% / 74%
FUNCTIONAL DIRECTORS: 81% / 75%
CHIEF SECURITY OFFICER: 80% / 75%
C-SUITE: 79% / 72%
BOARD OF DIRECTORS: 78% / 70%

When it comes to the challenges of managing cybersecurity, financial services organizations face the same headwinds as their counterparts in other industries—and then some. The need for more funding tops the list, cited by more than half of respondents. A similar percentage of them say their cybersecurity efforts need a more coherent enterprise strategy—a problem experienced more acutely in financial services organizations than in other sectors. Likewise, financial firms are being hit harder by skills shortages in this vital area (Figure 3).

FIGURE 3: Financial Services Cybersecurity Organizational Pain Points (Represents/highly represents)
(Financial services / Overall)
NEED MORE BUDGET: 58% / 54%
NEED MORE COHERENT ENTERPRISE APPROACH AND STRATEGY: 56% / 48%
LACK OF SKILLED STAFF: 54% / 48%
LACK OF END-USER TRAINING OR AWARENESS: 53% / 47%
LACK OF VISIBILITY (e.g. we don’t know what we don’t know): 50% / 46%
NEED FOR STRONGER POLICIES AND GUIDELINES: 50% / 46%
LACK OF TOP EXECUTIVE SUPPORT: 46% / 41%


From a technical standpoint, financial services executives/practitioners worry the most about the proliferation of computing power as it widens their attack surfaces. The vulnerability of IoT is a top technology pain point, followed by the difficulty of managing devices accessed from anywhere. The proliferation of various security point products is also a leading concern. Tellingly, these challenges are more pronounced for financial services organizations than across other industry groups (Figure 4).

Company size—and thus access to resources—shapes a firm’s ability to address security in a comprehensive way. Often, due to funding constraints, cybersecurity efforts are commingled with compliance programs in financial services. “The largest financial institutions are spending the right amounts on security and have world-class programs,” says Markose. “As you move to the smaller, less-funded companies, there are trade-offs. These financial institutions may not have the budget they need to cover all their capabilities; therefore, the focus tends to be more on compliance rather than real security. One could argue that even with a limited budget, you should focus on your real security threats versus compliance, but this is a challenge in the market.”

FIGURE 4: Financial Services Cybersecurity Technology Pain Points (Represents/highly represents)
(Financial services / Overall)
VULNERABILITY OF IOT DEVICES: 56% / 43%
DIFFICULTIES MANAGING DEVICES AND APPS ACCESSED FROM ANYWHERE: 54% / 48%
TOO MANY POINT PRODUCTS TO TRACK AND MANAGE: 52% / 45%
INABILITY OR DELAYS IN DETECTING, DISCOVERING OR IDENTIFYING THREATS: 49% / 45%
LACK OF SECURITY POLICIES ALIGNED TO MY APPLICATIONS AND DATA: 49% / 43%
COMPLEX POLICY CONTROLS DUE TO TOO MANY PRODUCTS/PROCEDURES: 48% / 45%
OUTDATED PRODUCTS/SOLUTIONS: 48% / 43%
PRODUCTS/SOLUTIONS WITH LIMITED CAPABILITIES: 46% / 44%
INADEQUATE PROTECTION FOR APPLICATIONS/DATA INSIDE MY PERIMETER: 42% / 41%


While financial services respondents are more cognizant of cybersecurity issues, they are not immune to the same types of attacks experienced across other industries. Close to one-third say they have had issues with password phishing, while one in four have had problems with identity and access issues. A similar number suffered ransomware attacks (Figure 5).

Nearly a third of financial services organizations say they have suffered a cyberattack over the past three years.

FIGURE 5: Top Incidents Experienced Over The Past Three Years
(Financial services / Overall)
PASSWORD PHISHING: 32% / 34%
IDENTITY AND ACCESS ISSUES: 25% / 27%
RANSOMWARE: 24% / 20%
SOCIAL MEDIA CYBERATTACKS: 23% / 23%
DATA THEFT—ONLINE: 21% / 21%
INSIDER ATTACKS: 20% / 19%
SOCIALLY ENGINEERED MALWARE: 19% / 22%


Because financial services organizations have dealt with these issues for decades, experience and maturity may be part of their security culture. Executives/practitioners in this sector express higher degrees of confidence than respondents overall in their ability to address security challenges, particularly related to infrastructure and security products (Figure 6).

FIGURE 6: Confidence In Addressing Emerging Security Challenges
(Financial services / Overall)
INFRASTRUCTURE: 74% / 67%
SECURITY PRODUCTS/TOOLS: 73% / 67%
SECURITY PROCESS: 73% / 65%
DEVICES (MOBILE AND DESKTOP): 70% / 64%
CLOUD: 69% / 66%
IOT: 66% / 57%
PEOPLE/TALENT: 66% / 60%


The Technology


For financial services organizations, technology is a fast-moving target intended for a fast-moving business. There is constant pressure to adopt the latest solutions that ensure real-time movement of massive data sets as well as prevent unauthorized access and fraud. This creates an environment where software must be quickly designed, built, tested and deployed.

Industry experts caution that such a fast-paced environment requires even greater security vigilance. “As companies become more digital, they need to design code with a security mindset,” says Markose. “Many organizations are developing in an agile process that inherently favors speed to production over quality. This will continue to increase the attack surface, so you have to strengthen security controls in the development phase to really thwart this issue.”

At this time, however, only 27% of financial services executives/practitioners fully involve their security organizations in decisions across their tech stack from the start. While this is higher than respondents overall, it’s notable that more than two-thirds of financial services organizations do not inherently build security into their technology-driven processes.

Two-thirds of financial services organizations do not inherently build security into their technology-driven processes.


Cloud has become an important part of the equation when it comes to digital transformation, particularly for financial services organizations. At least 42% of respondents in this sector say cloud providers now handle many security measures, compared with 34% overall. In total, 84% of financial services organizations rely on cloud to some extent for their security needs. In addition, they are more inclined than their counterparts across other industries to use cloud for load balancing and secure web gateway services (Figures 7 and 8).

While cloud providers now provide a significant portion of financial organizations’ security requirements, industry participants still recommend caution with any third-party engagement. “The greatest vulnerability for financial services organizations is often their third-party vendors, which many rely on for cost-effective service delivery,” says Stiglianese. “It’s critical to keep cybersecurity in mind when it comes to third-party due diligence.”

FIGURE 7: How Cloud Adoption Has Changed Security Strategies
(Financial services / Overall)
MANY SECURITY MEASURES NOW HANDLED BY CLOUD PROVIDER(S): 42% / 34%
SOME SECURITY MEASURES NOW HANDLED BY CLOUD PROVIDER(S): 42% / 43%
NO CHANGES: 13% / 17%
DON’T KNOW/NOT APPLICABLE: 3% / 6%

FIGURE 8: Security Services Provided By Cloud Providers (Partially or in full)
(Financial services / Overall)
LOAD BALANCING: 79% / 74%
SECURE WEB GATEWAY: 76% / 72%
ENDPOINT DETECTION AND RESPONSE: 75% / 70%
IDENTITY: 69% / 71%
FIREWALL: 66% / 70%


Recent regulations issued by the New York Department of Financial Services are one example of growing concern and oversight over risks when infrastructures are managed by third-party services, he adds. “These infrastructures typically include payment and settlement systems, trading platforms, securities depositories and connections to multiple counterparties. This creates a significant attack surface for hackers to attempt to exploit.”

Financial services executives/practitioners do appear to be paying close attention to the security that comes with cloud—cloud and infrastructure security are investment focuses for financial services. This sector is also ahead in its adoption of artificial intelligence (AI) and machine learning (ML) to enhance and add greater intelligence to security remediation efforts. More than one-third, 35%, are now employing AI and ML, versus 26% overall (Figure 9).

FIGURE 9: Top Areas For Security Investment Over The Next Three Years
(Financial services / Overall)
CLOUD SECURITY: 47% / 48%
INFRASTRUCTURE SECURITY: 41% / 38%
DEVICE SECURITY: 39% / 38%
THREAT SECURITY: 39% / 41%
USING AI AND ML IN SECURITY POLICY: 35% / 26%
IOT SECURITY: 35% / 36%
SECURITY MANAGEMENT AND POLICY: 34% / 35%
APPLICATION BEHAVIOR AND WHITELISTING: 26% / 22%


The People & Processes


Financial services IT infrastructures are complex, with many layers and connection points. Therefore, it’s probably no surprise that financial services organizations experience slightly slower response times to security incidents than their counterparts across other industries. Forty-six percent of financial services respondents indicate they can identify and resolve security issues within a day, compared with 51% overall (Figure 10).

At the same time, financial services executives/practitioners report greater satisfaction with the rate of problem resolution than their counterparts. More than two-thirds, 68%, indicate they are mostly or highly satisfied with their organizations’ ability to address security issues in a timely manner, versus 63% overall (Figure 11).

FIGURE 10: Length Of Time To Resolve A Security Issue
(Financial services / Overall)
LESS THAN ONE HOUR: 9% / 10%
MULTIPLE HOURS TO ONE DAY: 37% / 41%
MULTIPLE DAYS TO ONE WEEK: 35% / 30%
MORE THAN ONE WEEK: 19% / 18%

FIGURE 11: Satisfaction With Length Of Time To Resolve A Security Issue
(Financial services / Overall)
NOT SATISFIED AT ALL: 5% / 7%
SOMEWHAT SATISFIED: 26% / 29%
MOSTLY SATISFIED: 38% / 39%
HIGHLY SATISFIED: 30% / 24%


For the most part, respondents in financial services are turning to hardware and software solutions to stay on top of cybersecurity threats. Close to half look to new tools and solutions, in line with the overall average. However, financial services leaders see greater value in adopting acceptable use policies to help manage end-user and customer use of devices and services, 41% to 35%. Policies and procedures are also a preferred approach—more than one-third of financial services respondents took this action to improve responsiveness. Financial organizations lag in both security team training as well as end-user education (Figure 12).

FIGURE 12: Actions Taken To Improve Responsiveness To Security Issues
(Financial services / Overall)
ACQUIRED NEW SECURITY TOOLS/SOLUTIONS: 48% / 45%
MODIFIED/UPDATED ACCEPTABLE USE POLICIES: 41% / 35%
IMPLEMENTED NEW OR ADDITIONAL POLICIES AND PROCEDURES: 36% / 38%
BROUGHT IN OUTSIDE EXPERTISE: 33% / 31%
SPONSORED TRAINING AND EDUCATION FOR SECURITY TEAM MEMBERS: 29% / 34%
REDESIGNED RESPONSE PROCESSES: 26% / 27%
SPONSORED TRAINING AND EDUCATION FOR END-USERS: 26% / 32%
DON’T KNOW/UNSURE: 4% / 3%
NONE TAKEN: 4% / 3%


As mentioned throughout this report, the financial services sector demonstrates greater maturity with cybersecurity, a result of managing such issues and having a greater sensitivity to security requirements since money is directly involved. There is also more collaboration in this industry among enterprise teams when it comes to security. For example, 77% report high levels of involvement from their network teams, compared with 72% overall. There is also greater involvement from architecture teams. Significantly, C-level executives in financial services organizations tend to be more highly engaged than their counterparts across other industries (Figure 13).

FIGURE 13: Who’s Collaborating On Cybersecurity
(Financial services / Overall)
NETWORK TEAMS: 77% / 72%
SECURITY TEAMS: 74% / 72%
ARCHITECTURE: 72% / 63%
OPERATIONS TEAMS: 73% / 67%
APPLICATION DEVELOPMENT: 72% / 63%
INFRASTRUCTURE TEAMS: 71% / 67%
C-SUITE EXECUTIVES: 68% / 60%
MOBILE APP DEVELOPMENT: 61% / 58%


The Future

Financial services security executives and practitioners need to prepare for the transformative changes that are sweeping organizations. Here are the trends that will shape the industry over the coming years.


A security-first approach is essential, requiring more intrinsic approaches. “As companies continue to modernize their IT and customer-facing digital presence, it will inherently increase their cyberattack surface,” says Markose. “Organizations should take a security-first mindset in the design phase and incorporate a continuous monitoring and hardening approach to maintaining an acceptable level of exposure. In addition, continuing to test and prepare the organization for a security incident will reduce the impact of the unexpected cyber event that everyone will face sooner or later.”

While end-user training will help, attacks are bound to get through, which is why, from a technology perspective, organizations need to lower the attack surface with security built into the infrastructure so that when an attack bypasses users, potential damage can be limited.

Financial services organizations need to ensure that their workforces are prepared to address cybersecurity events. With the wide attack surface and complexities of digital interactions, end-users serve as the first line of defense. “People are at the heart of many of the security incidents through social engineering or accidental disclosures or data leaks,” says Markose. “The most exploitable part of an environment is the trust provided to a credentialed user (employee or customer). Because of this, employee awareness and training are critical. Companies need to spend more in recognizing anomalous user activity to detect compromised accounts and insiders. Beyond employees, infrastructure upgrades and network security are also critical to reduce risk.”

Develop a cybersecurity risk profile. “Financial services as an industry is no stranger to the cyberthreat,” says Stiglianese. “It’s widely known that cyber incidents can cause significant financial and reputational harm to financial services institutions and insurance companies that house troves of sensitive consumer, transactional and other classified data. Now the stakes are rising even further. Governing authorities are increasingly holding financial institutions accountable for cyber negligence, even after a breach has been patched. Employing a threat-based cybersecurity framework should be their guiding light. Understanding their inherent risk profile and implementing the appropriate level of controls to manage an acceptable residual risk level should be every institution’s objective.”


There is a need for faster response times to security incidents. Financial services organizations lag behind other industries in terms of their ability to rapidly resolve security incidents as they arise. There’s a need for more training, more streamlined processes, and online tools to help identify problems and resolve them before they become major issues for organizations, delaying services and funds to customers as they’re needed.

Increasing consideration of cloud or third-party options to deliver security capabilities. Until recently, security was seen as a drawback of moving to the cloud. Now, cloud providers can deliver far more security than on-premises sites. Just as financial services companies have turned to the cloud to support new services and capabilities, they need to partner with cloud providers on security matters. Ultimate responsibility for security should not be outsourced. Rather than rely on providers’ security promises, financial services managers need to work closely and collaboratively with cloud providers to understand what level of security they are providing to identify any potential gaps.

Financial services business and security team leaders need to foster open and frequent communication on security concerns. Cybersecurity is an ongoing challenge that affects every part of the enterprise. This requires that processes and work habits be constantly examined and adjusted to meet security needs. End-users can often be the first to spot issues and alert security teams. In addition, the enhanced attention to processes that occurs within a robust and holistic cybersecurity strategy can help streamline and improve the way business is conducted.

“The best advice is to be 100% transparent with leadership and the board on your particular governance process and to construct a program where risk decisions are made at the right place in the company and commensurate with the level of risk,” says Callahan. “The acceptable risk tolerance is not a security decision but a governance or top-of-the-house decision. The security executive then architects a program based on the tolerance and has risk acceptance graduated to the right level. For instance, if the company risk tolerance is medium, you can construct a program where low-risk exceptions or technology approval is at a lower level of management. Whereas high risks must go to some corporate level body to approve or accept risk.”

For more information on how to turn security into a competitive advantage, read:

Cybersecurity Trailblazers Make Security Intrinsic To Their Business


Methodology

Forbes Insights surveyed 1,001 executives and practitioners from across the globe representing manufacturing, retail, financial services, healthcare, government and education. Within this group, 202 respondents were with financial services organizations. From the overall sample, more than four in 10 respondents were from the C-suite (including chief information security officers, chief information officers and chief technology officers), and nearly a quarter were in security management roles. Responses were weighted to reflect market size.

Acknowledgments

Forbes Insights and VMware would like to thank the following individuals for their time and expertise:

Tim Callahan, Senior Vice President and Global Chief Security Officer, Aflac
Anil Markose, Senior Vice President, Booz Allen Hamilton
Mike Stiglianese, Managing Director for National Technology and Cybersecurity for the Financial Services Industry, BDO USA


499 WASHINGTON BLVD. | JERSEY CITY, NJ 07310 | 212.367.2662 | FORBES.COM/FORBES-INSIGHTS

Forbes Insights is the strategic research and thought leadership practice of Forbes Media, a global media, branding and technology company whose combined platforms reach nearly 94 million business decision makers worldwide on a monthly basis.

By leveraging proprietary databases of senior-level executives in the Forbes community, Forbes Insights conducts research on a wide range of topics to position brands as thought leaders and drive stakeholder engagement. Research findings are delivered through a variety of digital, print and live executions, and amplified across Forbes’ social and media platforms.

Report Author: Joe McKendrick