And there is more. In Part 1 of ‘The people vs. technology: your greatest form of defence’, we explored the fact that investing in technology isn’t enough, having a smart people strategy plays a critical role in protecting FIs from cyber security hacks. In our assessment we highlighted that actually over 90% of all data protection breaches are caused by human error.
In the second part of this blog series, we will look at how, instead of what banks should invest in security technology infrastructures to reveal the full truth and nothing but just that.
Follow due process
Today Cyber security criminals are highly sophisticated. Up to £650 million has been stolen in approximately two years (2013-2015) from FIs worldwide, despite the increases in spending to combat it. Analysts even predict worldwide spending on cyber security products and services will reach over $1 trillion during the next five years. However the success of technology investment will depend on how security controls, operational processes and procedures are integrated with these IT systems.
In our view, IT systems and departments must understand the organisation’s security needs and appetite for risk to enable effective prioritisation of technology improvements or implementations. Considering the dynamic nature of cyber security threats – this approach provides a context for IT expenditure, enabling alignment to current and emerging threats.
One of the key operational processes FIs should look to align cyber security technology investment to is operational risk. Technology that enforces and integrates the 3-lines of defence control framework will drive sophisticated detection of risk events, risk analysis and action tracking, internal and external audits and group and board level oversight of the FIs cyber security profile. To establish a comprehensive framework, disaster recovery and business continuity planning processes should also be clearly mapped, defined and integrated into an institution’s combined operational and cyber risk technology strategy.
Handle the evidence (the data) with care
Successful cyber security software and technology implementation also hinges upon the evidence that feeds and models it; or in other words the data. Good data management, automated data feeds, monitoring and analytics act as inputs to the early warning mechanisms identified by systems, processes and controls. An integrated data management system that is able to access risk data from numerous operational risk management and cyber security applications and operational sources such as fraud management systems can drive real-time reporting and enable early detection.
Good data also makes way for strong analytics, identifying unpredictable new patterns and relationships. It also provides insight into how FIs can and should prioritise IT security investments to create an intelligence-driven approach to investment.
It’s time to collaborate
In the past FIs have taken a solo approach to combatting the risks of cyber security. However recent studies suggest that teaming up with other FIs to tackle the issue at an industry and international level could have substantial benefits and help drive effective technology investment too. Financial Services Information Sharing and Analysis Centres (FS-ISACs) are encouraging collaboration on critical security threats facing the financial services sector by sharing threat intelligence.
ome other effective collaborative activities beyond increased information sharing include partnerships centered on increasing better card security technology and maintaining the trust of customers. All of which mitigate the impact that cyber security threats are having on the industry.As Dan Schutzer, Senior Technology Consultant at BITS a financial services thought leadership firm explains, “Cyber risks are not self-contained within individual organisations, or industries, and cyber risk management is not simply the aggregation of local technology and procedures in each organization. Organisations are exposed to outside risks through increasingly complex, tightly linked and interconnected networks and systems with counterparties, partners, suppliers, vendors and outsourcers. Poorly understood disruptive technologies applied to infrastructure further complicate matters.”
So, the verdict?
The full truth is that there is no one standalone tactic or solution for reducing the impact of cyber security attacks on Financial Institutions. In fact, it is more a seamless and delicate interplay between improving how your organisation runs, the people who run it and the technology that underpins it.
Before spending the big bucks, financial institutions wanting to make their organisations more secure and fail-proof against cyber security attacks must ensure they have a clearly designed framework and strategy that provides direction and interconnectivity between organisational, people and technology change. The perspective on all these moving parts must be homogenous and the execution must be well defined through a strongly communicated strategy.