Cybersecurity priorities for financial services

The financial services sector is a major target for cybercriminals due to its increasing connectedness and the lucrative rewards it offers. So what areas should organisations focus on to protect themselves?

By Aled Herbert

Mon 15 Oct 2018 @ 15:58

“There are two kinds of financial services firms: those that have faced a cyberattack and those that will.” That was one of the bleak considerations of PwC’s Top Financial Services Issues of 2018. As a result, financial services firms must build defences that are comprehensive and resilient and make this a priority.

Today, financial services organisations power the global economy and technology connects it all – from brokers to fund managers, insurers, lenders and more. Consequently, finance companies are a prime target for cyberattack because of the large amounts of funds, data and personally identifiable information they handle and process on a daily basis.

In addition, the intent behind attacks on firms has changed. Once, attacks were based on ideological hacktivism and malicious vandalism. Now, criminal activity is the main motive behind attacks.

This means financial services firms need to invest heavily in cybersecurity to protect data, money, customers and reputation. But as threats increase and become more sophisticated, where should financial services firms focus their time and investment?

Education, education, education

Employee training is imperative for improving security. According to a survey by the Financial Services Information Sharing and Analysis Center (FS-ISAC), 35 per cent of CISOs working in the finance sector said cybersecurity awareness needs to be a top priority.

But security awareness goes beyond asking staff to complete e-learning training modules. Financial services firms need to change the security culture of their organisations. This is hard, but it is crucial to help prevent avoidable breaches caused by lapses in concentration or simple carelessness.

Deloitte Insights has good advice for improving cybersecurity awareness. In its survey into the state of cybersecurity at finance organisations, it found that the companies with a mature security posture were the ones where accountability started at the top. Deloitte’s report found that the board and management committee members at the most switched-on companies were not only aware of the overall security strategy but were also more likely to delve into the details of the budget, operational responsibilities and ongoing progress.

Deloitte also found that ‘shared differences’ made a big difference. Traditionally, the security function is centralised around the IT team. But security-savvy organisations now prefer a hybrid approach, where – in addition to the central function – business units have designated responsibility for security and for collaborating with other units.

Real-time detection - not just real-time prevention

Security budgets are steadily shifting from prevention to response. Mindful of PwC’s claim that there are two kinds of financial services firms – “those that have faced a cyberattack and those that will” – this needs to be an immediate priority for the finance sector. While prevention should always be a weapon in companies’ security armoury, the ability to detect and respond to threats in real time is becoming essential.

In financial services, this capability is crucial to address insider threats. The financial services sector sees staff move frequently from one organisation to another. This represents a threat to data and the bottom line.

One in four employees surveyed reported taking data from an employer when they left a job, according to security firm Biscom. This puts client lists, trading algorithms, trading strategies, strategic plans and other data at risk. The ability to detect this kind of data theft is therefore essential.

Supply chain and third parties

Financial services firms are reliant on a large and ever-expanding network of third-party vendors and partners. And these relationships will continue to grow more complex as areas of business are outsourced.

While financial data, services and personally identifiable information may reside elsewhere, it remains the duty of the parent organisation to ensure outsourced data and functions are protected and processed in a safe manner.

And speaking of third parties, the proliferation of Internet of Things devices and sensors means data is now everywhere. This means there are more possible entry points into the organisation and its most valuable assets.

The regulatory environment

Financial services organisations also need to be conscious of the regulatory environment in which they operate. Whether it’s Sarbanes-Oxley, FCA or GDPR, companies must be able to document that they have operated in compliance with regulations, or face restrictions or financial penalties.

Being able to clearly track activity – and respond proactively to any deficiencies – is another reason a clear, holistic view of system-wide activity is crucial.

Financial services firms face an ongoing challenge trying to maintain an overview of where and how data is stored. The GDPR deadline may have passed, but many organisations are still on the path to compliance.

These are all important considerations for financial services organisations when it comes to cybersecurity. The stakes are very high for organisations in the sector. Data or money loss is one thing keeping security teams up at night. However, loss of reputation takes insomnia to another level. Clients don’t want to deal with a firm that has been in the news because of a security breach or compliance failure.