It should go without saying that a comprehensive information security strategy needs to be a critical part of any bank’s operations. Particularly in the current time, when criminal actors are becoming more sophisticated than ever in their attack patterns, it is incumbent on any financial institution to make sure its systems are well-defended and able to cope with the ever-evolving strategies used by hackers.
But are you sure your bank is truly able to meet the demands of today’s landscape? A new report from Accenture has suggested that for many banks, confidence in their defenses is high. However, this faith may not always be justified.
Banks satisfied in their plans
The report, entitled Building Confidence: Solving Banking’s Cybersecurity Conundrum, revealed more than three-quarters of executives (78 percent) expressed confidence in their strategy, while more than half expressed high levels of satisfaction in their ability to identify the cause of a breach, measure the impact of such an incident and manage the financial risk to their company.
On the face of it, this can be seen as good news for the industry, as it suggests banks are aware of the risks they face and have a good understanding of what needs to be done in order to counter the threat of criminals.
But as the nature of threats is continually evolving, could this confidence actually be complacency? Accenture warned that in many cases, the effectiveness of banks’ cyber defences may not be fully known, with the consultancy firm highlighting a lack of real-world testing as an issue that needs to be addressed by the industry.
Shortages remain in skills, testing
The report warned that many organisations do not have a comprehensive strategy for testing their defenses, which may mean there are gaps in banks’ solutions they are unaware of. Accenture found, for example, that banks are subjected to an average of 85 serious cyber breaches every year – aside from the daily phishing and malware attacks that all companies have to deal with. The recent WannaCry malware event highlights how all it can take is one successful phishing attempt to cause huge amounts of chaos.
Of these serious incidents, more than a third (36 percent) successfully obtained information from the target. What’s more, almost six out of ten banks (59 percent) admitted it took them several months to even detect that a breach had occurred.
This suggests that many executives’ confidence in their cyber defenses may be misplaced. The fact that so many breaches went undetected for so long highlights the importance of an effective testing regime that can pinpoint weaknesses in areas such as breach detection.
Banks may also need to do more to ensure they have the right personnel on hand to manage these activities, as Accenture’s study found several areas where financial institutions currently have significant skill shortages, including endpoint/network security (61 percent), incident response and vulnerability management (both 53 percent).
Employees are the key
Banks therefore need to educate their staff at all levels of the organization, both in terms of ensuring they’re able to spot activities such as phishing attempts, and to provide them with the skills they need to help defend their organization from both internal and external threats.
Chris Thompson, senior managing director and head of financial services cybersecurity and resilience at Accenture Security, said that traditional approaches that prioritized building “higher, more secure walls” may often be detrimental to banks’ internal capabilities. “While defending the perimeter is crucial, it’s often the people inside the walls that present the biggest risk, but also the biggest weapon in the fight for resiliency,” he continued.