Cyber security can also no longer be defined only in terms of threats to ‘computers’: hacks of mobile payments and other non-traditional payment systems are also on the rise, posing a major threat, especially to the banking industry. As the fastest growing non-government cyber security market, no industry has felt the pain of cyber-attacks more than financial services firms, which are hit by security incidents 300 times more frequently than businesses in any other industry.
Financial services giant JP Morgan plans to spend half a billion dollars on cyber security this year alone, following a serious breach in 2014 which exposed the contact information of 76 million US households. Even this kind of investment may seem modest compared to that of Bank of America, whose CEO Brian Moynihan stated last year that cyber security is the only place in the company without any budget constraints.
Whilst it’s promising that the industry is taking cyber security seriously and it’s got the cash to back it up, it’s equally important that investments are made wisely. Without a wise approach to spending, big monetary investment will not always equal big rewards.
Redefining the approach to spending
Today banks and financial services firms are largely spending this investment on more secure technology. Such spending is expensive even for global banks; for their small and mid-sized peers it could cripple operations, rendering them even more exposed to cyber-attacks. Many banks have also chosen to spend the big bucks by investing in cyber start-ups that promise to deliver “next-generation” technologies. However, this has not proven to be the most fruitful approach either, as in recent years these new ventures have been struggling to gain traction. Earlier this year, Promod Haque, senior managing partner at Norwest Venture, expressed these sentiments by stating: “Investors are looking at balance sheets and saying, ‘You raised $100 million and you have nothing to show for it?’” All of this again shows that big monetary investment will not always equal big rewards as far as cyber security is concerned.
So what is a bank to do? How are they to spend?
Undoubtedly it makes sense for banks to invest in the right technology, but if the general consensus is that cyber-attacks have become so sophisticated that they are almost impossible to prevent, the question becomes how and where to spend rather than what to spend on. There is one link in the chain that mustn’t be downplayed, yet has the capacity to make the biggest difference both before and after an incident has occurred: the people.
Cultivating the right attitudes and behaviours
A large proportion of data protection breaches, over 90%, are caused by human error. As the Information Commissioner’s Office identified during investigations carried out last year, people are the weakest link in the chain. Marc van Zadelhoff, General Manager at IBM Security, also commented on the state of cyber security last year, saying: “I think that not enough attention is being drawn to the careless exposure of data by internal mistakes—which happens quite often, even when there are no malicious actors prompting it.” Likewise, a study carried out by the Ponemon Institute in 2015 found that the factor with the highest impact on the per capita cost of a breach is actually employee training. It’s evident that there is value in banks, and the financial services industry at large, investing in effective ways to educate and train their people. This kind of evidence can’t be ignored, and appropriate measures should be adopted at every level of the organisation. Research undertaken by PwC for its 2015 Global State of Information Security Survey found that only 25% of directors are actively involved in reviewing security and privacy risks, and that level of leadership engagement will not help the rest of the organisation. Behavioural changes in cyber security will have a great impact, but they will need to start from the top.
Employing the role of the CISO
There’s no better way to start from the top than to develop management by adopting and expanding the role of the CISO (Chief Information Security Officer) across banks and financial services organisations. The CISO role, separate and distinct from the traditional CIO (Chief Information Officer), is responsible for implementing, defending, measuring, and communicating the security and privacy strategy of the organisation, and it’s well worth having one.
Central to the role is the information technology and security education of the workforce. With communication a strong emphasis, the impact of the CISO could be felt not only in a strategic sense amongst the executive team and board members, but could send lasting tremors of change across a bank’s stakeholders, including employees, customers and strategic partners. This role, like no other in an organisation, has the potential to drive the greatest changes in cyber security culture, skills and attitudes.
Keeping and developing the right skills
A successful CISO can’t work alone. Recruiting the right talent and developing the right skills is another critical investment. Even finding a CISO with the appropriate level of tech-savvy skills can be a challenge today. From a global perspective, for every 40 open positions in the cyber security industry there is only one qualified resource. Given how hard it is to find and keep talent when resources are this scarce, it is critical that banks invest in holding onto them through competitive remuneration and continual development of skills that match the ever changing face of cyber threats. In addition, it’s worthwhile helping existing ordinary IT staff to upskill, enabling them to shift into IT security and bolster the capability. Hiring from within in this way is likely to ensure that a cyber security team already has the organisation’s culture and attitudes embedded, as driven and communicated by its CISO. Additionally, why not invest in developing the skills and education of STEM (Science, Technology, Engineering and Mathematics) graduates, students and school leavers, the next generation of cyber security professionals? With young people nearly three times more likely to be unemployed than the rest of the UK population, banks could be missing a trick here. With more than 2.5 million incidents of cybercrime in the UK last year alone, it could be well worth it.
The revamp is now
It can’t be said any other way: it’s time to revamp approaches to cyber security and address how effectively budgets are being utilised. The stakes are too high not to, and wasting millions could become a reality for financial services firms around the world. Whilst technology investment is undoubtedly a piece of the puzzle in forming a “defensible architecture”, without a smart people strategy it could all come to nothing. Banks can also begin mobilising and designing programmes and projects that fundamentally focus on embedding a culture of change and implementing these people strategies.
Developing an integrated and holistic view of cyber security across the organisation is at the root of this premise of investing in the chain’s weakest link, and addressing the skills and attitudes of the people within the financial services industry is a key component of that. People are the enablers and protectors of your monetary investments, and they could very well be your greatest form of defence.
Read Part 2 which focuses on ‘how’ rather than ‘what’ to invest in cyber security technology.