As we turn the corner on the year, what is the state of cybersecurity in financial services? We have culled through dozens of recent studies to examine that question and here is what we found.
Steve Morgan and Cybersecurity Ventures forecast cybercrime damages will rise to $6 trillion annually across the globe by 2021. Consequently, financial institutions have had to invest in cybersecurity in a way that mirrors their previous investment in physical security.
1) Security is the top concern among community banks.
2) Financial services are 300x more likely to be attacked.
“Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack,” according to a report by the Boston Consulting Group. “Dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.”
IBM’s X-Force Threat Intelligence Index supports this finding. By the end of 2018, the finance and insurance sector was “the most-attacked industry for three years in a row.” IBM says the financial services vertical accounted for nearly one-fifth (19%) of the total incidents and attacks across all vertical markets that year.
3) These four methods comprise more than 90% of cyber-attacks.
An annual security report by Akamai found that “94% of observed attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection.”
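The four attack classes Akamai names are all visible in a web server's request log, so a useful first exercise for a financial services SOC is to see what a breakdown like "94% from four methods" looks like on its own traffic. The following is an added example, not code from the original post, from Akamai, or from Bricata: it parses constructed combined-log lines (not real traffic), percent-decodes each request target (twice, to unwrap the double encoding attackers use to slip past naive filters), and tags it with illustrative indicator patterns for SQLi, LFI, XSS and OGNL injection. The signature regexes are deliberately simple and are assumptions for the example; they are a starting point for a detection rule, not a substitute for a maintained ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-log lines for the example (not real traffic, not from the page).
# Line 1 is benign, lines 2-6 carry one indicator each (line 6 is double-encoded SQLi),
# line 7 is a benign POST with no query string.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2019:10:01:02 +0000] "GET /account?id=42 HTTP/1.1" 200 1532
203.0.113.11 - - [12/Oct/2019:10:01:05 +0000] "GET /account?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9182
203.0.113.12 - - [12/Oct/2019:10:01:09 +0000] "GET /static?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2911
203.0.113.13 - - [12/Oct/2019:10:01:13 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4410
203.0.113.14 - - [12/Oct/2019:10:01:17 +0000] "GET /login?name=%25%7B(%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue)%7D HTTP/1.1" 500 120
203.0.113.15 - - [12/Oct/2019:10:01:21 +0000] "GET /account?id=1%2527%2520or%2520%25271%2527%253d%25271 HTTP/1.1" 200 9182
203.0.113.16 - - [12/Oct/2019:10:01:25 +0000] "POST /transfer HTTP/1.1" 302 0
"""

# client_ip, method, target, status from a combined-log line; remaining fields are ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')

# Illustrative indicator patterns per attack class (an assumption of this example, not
# Akamai's or Bricata's logic). Matched against the decoded, lower-cased request target.
SIGNATURES = {
    "SQLi": re.compile(r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=|union\s+select|;\s*drop\s+table|sleep\(\d"""),
    "LFI":  re.compile(r"\.\./|/etc/passwd|/proc/self/|php://"),
    "XSS":  re.compile(r"<script|javascript:|\bon(?:error|load|mouseover)\s*="),
    "OGNL": re.compile(r"[%$]\{|#_memberaccess|@java\.lang\."),
}


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode the request target, repeating to unwrap double encoding, then lower-case it."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break  # nothing left to decode
        target = decoded
    return target.lower()


def classify_request(target: str) -> list:
    """Return the attack classes whose indicators appear in the request target (empty if none)."""
    decoded = decode_target(target)
    return [label for label, pattern in SIGNATURES.items() if pattern.search(decoded)]


def scan_log(text: str) -> list:
    """Parse combined-log lines and return (client_ip, target, labels) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ip, _method, target, _status = m.groups()
        labels = classify_request(target)
        if labels:
            hits.append((ip, target, labels))
    return hits


def summarize(hits: list) -> dict:
    """Count flagged requests per attack class: the view behind a 'share of attacks by method' figure."""
    counts = Counter()
    for _, _, labels in hits:
        counts.update(labels)
    return dict(counts)


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for ip, target, labels in flagged:
        print(f"{ip}  {','.join(labels):<5}  {target}")
    print(summarize(flagged))
```

On the constructed sample this flags five of the seven requests, with the double-encoded line caught only because the decoder runs a second pass; the same pass is worth keeping in any production rule, since a single `unquote` sees `%2527` as the harmless literal `%27`.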
The same report notes that “50% of all unique organizations impacted by observed phishing domains were from the financial services sector.”
4) Most financial firms have had an incident recently.
A survey by the technology research firm Vanson Bourne of “100 senior business decision-makers” employed by financial services organizations in the UK found 70% have experienced a security incident in the last 12 months. Most incidents stemmed “from employees failing to follow security protocol or data protection policies.”
Other causes for security incidents “included the introduction of malware and viruses via 3rd party devices, including USBs and BYOD (32%), file and image downloads (25%) and employees sharing data with unintended recipients (24%).”
5) The volume of breaches continues to grow.
According to the Cost of Cybercrime Study in Financial Services: 2019 Report by Accenture, the average number of breaches grew by 13% to 152 in 2018 from 134 in 2017.
The same report revealed several other benchmarks:
a) Malicious insiders are the most expensive attack.
Malicious insiders were the most expensive category of attack to resolve, at an average of $243,101, a 44% increase over the previous year. Rounding out the top five were malicious code at $157,891; phishing and social engineering at $156,690; denial of service at $133,949; and web-based attacks at $84,954.
b) Malicious insiders also took the longest to resolve.
Attacks involving malicious insiders took financial services an average of 55.1 days to resolve. This was followed by malicious code which took 49.8 days; ransomware at 33.8 days; web-based attacks at 25.9 days; and phishing and social engineering at 24.3 days to resolve.
c) Cybercrime costs financial services $18.5 million annually.
The average cost of cybercrime per company in financial services was $18.5 million. That was higher than any other vertical market (utilities ranked second at $17.84 million) and considerably higher than the same average across all sectors which came in at $13 million.
6) The average security budget in financial services.
Financial institutions spend an average of 0.3% of revenue and 10% of their IT budget on cybersecurity, according to numbers tallied by the consulting firm Deloitte. That works out to about $2,300 per employee across the 96 financial firms that took part in the Deloitte study, according to American Banker.
7) Banks will invest in managed security and integration services.
The banking community will invest more in security solutions than any other industry, according to a spending forecast by research firm IDC. When combined with the other top spenders – manufacturing and federal governments – they “will account for nearly 30% of all security spending worldwide.” IDC puts that number at an estimated $151.2 billion by 2023. The research says all three sectors, including banks, will invest more than 35% of their respective budgets in “managed security services and integration services.”
8) Better at detection than prevention.
A survey of 400 security professionals across financial services by the Ponemon Institute found the financial services industry is more “effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).”
The same survey found that while most of the sector is concerned about supply chain risk, fewer than half have put steps in place to mitigate it. Some 74% “of respondents were concerned or very concerned about the security posture of third-party software and systems.” However, “only 43% of respondents said their organizations impose cybersecurity requirements on third parties involved in developing financial software and systems.”
9) Cybersecurity deluge: hundreds of thousands of security alerts.
Anecdotally, security leaders at Mastercard told the New York Times they face upwards of “460,000 intrusion attempts in a typical day, up 70 percent from a year ago.” At one point, the credit card company showed the news organization a “wall of monitors” tracking 267,322 such attempts in a period of just 24 hours.
Research shows this isn’t an isolated case. A survey of banks conducted by the market research firm Ovum in 2017 found about 40% of banks receive 160,000 duplicate, irrelevant, or erroneous cybersecurity alerts every day. These alerts are generated by a sprawling toolset: about three-quarters (73%) of firms are running 25 or more security tools.
10) Who the CISO reports to within financial services.
A survey of 277 senior executives by the consulting firm Infosys provides a glimpse as to the organization of security within financial services. Most respondents said the CISO reports to either the CIO (34%) or the Board (32%). The “information security council” ranked third (23%) and the numbers drop off considerably from there: head of audit (5%); COO (3%); head of risk (3%) and others (1%).
The comparison to physical security in banking is a useful analogy for gauging where the sector stands in terms of cybersecurity maturity. As Mr. Morgan says, “We are going through a natural evolution of cybercrime now – much like street crime and other forms of crime that evolved over long periods of time consistent with population growth.”
Note: Bricata has simplified the four critical capabilities financial services organizations need for comprehensive network protection: visibility, threat detection, threat hunting, and post-detection actions. If you’d like to see our solution in action, you are welcome to schedule a live demonstration.