Among the most mature for cybersecurity, the financial system still has a long way to go

Based on data from eight years of work assessing cyber risks in hundreds of companies across many sectors in dozens of countries, it is clear that the financial sector is one of the best prepared for attack, reflecting years of improvements and investment. But, while only lagging behind the industrial, electronic and manufacturing sectors, the financial sector still has a lot of work to do, as we find in our soon-to-be-published research.

Not only does the financial sector need to protect the private details of millions of people and keep operating so that other businesses can, but an attack on it could also cause panic and chaos in global markets, undermining overall stability. In fact, US Federal Reserve Chairman Jerome Powell has said that cyber attacks are his biggest fear. “That’s where I would say the risk is now, and it’s not something like the global financial crisis,” Powell said.

In order to assess the maturity of cybersecurity in the financial sector and many other sectors, we examined data and inside information we’ve collected from hundreds of real-world cybersecurity assessments we’ve conducted globally, scoring each sector on seven key elements of cybersecurity. The methodology was based on the US Department of Defense Cybersecurity Maturity Model Certification, which is used to assess potential government contractors, giving them scores ranging from 0 to 5.

Overall, we gave the banking and financial sector a score of 2.2, which is relatively low when the highest possible score is 5; but no sector scored above 2.5, and most came in below 2, which again reflects the progress and relatively good standing of the financial sector. Here are some reasons behind the financial sector’s score and some ideas for improvement.

Is compliance sufficient?
The financial services industry is one of the most stringently regulated, and in recent years it has faced increased additional legislation related to cybersecurity. The industry has increased spending significantly, in part to comply with these regulations. There is, in fact, some correlation between cybersecurity readiness and the stringency of regulations; for example, strict privacy regulations offer some explanation for why our research found that Germany was the most mature country in terms of public cybersecurity. However, compliance, while it helps, is not enough; banks and financial institutions are still under attack.

Beyond compliance, what matters is understanding the actual risks, including who the potential attackers are and what types of cybercriminals might strike. This requires a combination of insight – the ability to monitor and understand the scope of communications and digital assets – and threat analysis. Banks appear to be on the right track to improvement in this area: our research, based on our evaluations of hundreds of organizations, has found that banks and financial institutions are leading the way when it comes to security process monitoring and incident response, with departments and staff mostly dedicated to this. But it is increasingly important that these teams are designed around the most important and relevant threats. For example, with state-backed attacks on the rise, these teams must include professionals with experience in military or government cybersecurity.

While compliance may encourage the development of specific policies and procedures to respond to and mitigate risks, these procedures prevent or reduce the harm from attacks only if the company has a full view of potential attack surfaces and avenues and has the talent to respond effectively. Lack of adequate and proactive visibility is the main root cause of cyber vulnerabilities that criminals can take advantage of.

Where the banks really lag behind
The financial sector was among the lowest in the application security category. This stems in part from the extensive use of online banking and financial services and mobile applications since the onset of the COVID pandemic; many organizations have struggled to keep their security measures pace with the rapid growth in digital users. As many people have become accustomed to simplified online experiences and expect to be able to manage all their wealth with just a few clicks on their mobile phones, banks have faced challenges balancing good user experiences with security measures.

But solutions are emerging, including a growing number of independent verification and security tools that run in the background to evaluate users without affecting their experience. It is also likely that consumers will start adopting increased security measures, such as multi-factor authentication, especially as other sectors are pushing for such steps. But in any case, this is where the banks sorely need improvement: finding creative ways to deliver safe and easy-to-use experiences. It should be noted that the sector that got the best results in this category was online gaming, as it sees its applications as absolutely essential to its core business – they are in fact the main product. Banks also need to start thinking this way, seeing their applications as core business assets that are just as important as any other major asset, such as intellectual property or capital.

War games and exercises raise public awareness
Israel, along with the International Monetary Fund, recently led a 10-day simulation of what would happen if global financial systems were subjected to a major cyber attack. At least 10 countries participated in this first-of-its-kind war game. We need to see more similar exercises, fundamentally because they raise public awareness and provide a place to learn how governments and the private sector can work together to reduce harm, especially as threats from state-level actors continue.

Having said that, individual companies should not base their security decisions on simulation, but on understanding the real risks and how to translate cybersecurity risks into business risks. Indeed, businesses, including banks and financial institutions, must be vigilant about conducting routine ethical hacking tests on themselves, not only to meet standards and regulations and create long lists of vulnerabilities, but to see if their defenses are focusing on the places that are most important to their business. When looking to implement any of the new and promising cybersecurity solutions and tools that are increasingly emerging to protect large organizations such as banks, organizations need to make sure that they prioritize the protection of those assets that are most critical to their business.

As the attacks continue, the risks are only increasing for financial institutions. At the individual business level, the price tag for attacks is high in terms of reputational and financial damage, especially since cybersecurity insurance providers are likely to reduce their coverage, or at least raise premium rates, in the coming year. But on a macro level, protecting against attacks, or at least mitigating the damage caused by attacks to the financial system, is increasingly essential to global stability. It is no longer enough to be among the best prepared sectors, especially when they all have a long way to go and the stakes are so great.
