In leading our Banking practice in the UK and Ireland, I’ve become well acquainted with the risks that keep bank CEOs awake at night. One of the biggest of these is cybersecurity—which is why I’ve decided to make it the focus of this latest blog.
It isn’t hard to see why it’s such a major concern. Today’s banks combine increasingly digitised services with a fast-evolving cyberthreat landscape. Add in rising data sharing with third parties and the growing use of APIs to open services to external developers, and the attack surface widens: there are more places where security gaps can be exposed and exploited by attackers.
In a world where technology change is non-stop, security must be front of mind. The regulatory landscape remains demanding: GDPR has tightened data protection requirements, and PSD2 has imposed stricter security measures, including strong customer authentication for payments. What’s more, the consequences of failing to comply can be severe.
In my view, all of this means a strong cyber ecosystem is crucial, and banks must take a threat-centric approach—one that ensures they target money and resources at what’s truly important.
Acknowledging the threat
The first step is to recognise the dangers. Financial firms have built good cybersecurity ecosystems, but one in five breach attempts still slip through. Cybercriminals are constantly raising their game, using new technology to get past security perimeters, and banks need to keep pace to maintain a strong security posture.
Accenture research shows that only 18 percent of financial firms significantly increased their cybersecurity spend over the past three years, and only 30 percent expect to spend significantly on defence over the next three. In an environment where a single attack can expose customer data or even halt the business, that looks complacent.
Key areas to focus on
The warning signs are there for all to see: the revenue and reputational impact of breaches has made the news on more than one occasion. To build a robust cybersecurity foundation, I think leaders should focus on three areas:
- Education: Leadership must understand the threat landscape and receive regular briefings from cyber experts.
- Board technology expertise: Individuals with cybersecurity skills should be invited onto the board to increase its technology diversity. Consider incorporating the chief information security officer (CISO) into board-level discussions.
- Seek advice from a trusted third party on threats and responses: Independent external assistance adds a further dimension of insight and expertise.
Third parties are especially valuable in testing cyber resilience, for example through adversary simulation, which measures both how well attacks are resisted and how well the security team detects and responds to them. The journey to cloud also raises new risks, so creating an enterprise cloud security risk framework is key.
Cybersecurity threats are growing. Attack them.
Building on these solid foundations, banks need to prepare, protect, detect, respond and recover at every point of the security lifecycle. Let’s remind ourselves of some of the key actions that banks should consider, which remain as relevant as ever in today’s dynamic environment:
- Uplift investment: Deploying breakthrough technology to outsmart attackers and protect the core is vital: think AI, robotics, biometrics.
- Expedite identification of breaches: Firms need to identify a breach in days, if not hours, to contain the damage. This requires a truly agile approach that continuously evaluates threats and prioritises the response to them.
- Involve groups beyond the cybersecurity team: Cybersecurity teams identify only 64 percent of breaches, with 72 percent identified by employees (2018 State of Cyber Resilience). External threat intelligence, managed security services and fintechs can all be valuable additions.
- Target the right success measures: These include cyber IT resilience (how often enterprise systems went down, and for how long), cyber recovery and restoration time, and response time to cyber events.
- Keep an eye on internal threats: Malicious insiders are among the most frequent threat actors. This risk can be reduced through continuous learning and by building security awareness into the company culture.
- Extend cybersecurity standards across your ecosystem: Ecosystem partners need to be held to the same cybersecurity standards as the business itself.
- Test and stress test: Software testing and stress testing identify vulnerabilities more rigorously. Mainframe resilience should be a priority, along with DevSecOps to ensure code is secure before it ships.
- Don’t overemphasise perimeter controls: Criminals get past perimeter controls by targeting people through social engineering rather than by breaking the controls themselves.
Banks today recognise digital’s increasingly pivotal role in their business, but to create resilient new business models and ecosystems, they must build in cybersecurity from the ground up. If they’re not doing this already, now’s the time to start.
My thanks to Purnima Pratap and Ludek Merasicky for sharing their expertise on this topic.