Financial Services Organizations Are in Need of a Cyber Security Wake-Up Call

Posted by Tony Kontzer

There's little to suggest that the money you've entrusted to the financial institutions you do business with is in jeopardy. But the data surrounding that money? That's another story.

Financial services companies are braced for a period of continued and expanded cyber threats, and the really bad news is that many of them aren't prepared to withstand the onslaught. Recent surveys paint a picture of an industry that sees the writing on the wall but often finds itself working with the technological equivalent of whiteout.

At the NACHA Payments 2017 conference in Austin in April, TD Bank polled nearly 400 finance professionals and found that more than 9 in 10 believe payments fraud will be a bigger threat over the next two to three years. What's more, nearly two-thirds said that either their organizations or one of their clients was on the wrong end of a cyber security event in the past year, with the most-cited incidents being business email compromises (20 percent), account takeovers (19 percent) and data breaches (15 percent).

This, despite the fact that financial services companies have been investing heavily in cyber security technologies in recent years, and often work closely with security firms in developing those tools. The only logical conclusions are that there's either something amiss with the tools that financial services companies are acquiring, or those tools aren't being deployed properly.

Another recent survey, conducted by Ovum for McAfee, suggests that the latter is more likely. In polling high-ranking decision makers at many of the world's largest financial institutions, Ovum found that 73 percent of those organizations are running at least 25 security technologies, resulting in a sort of cyber mosh pit that lacks integration and can lead to slower responses and general ineffectiveness. Oftentimes, those technology smorgasbords leave obvious weak spots by not protecting productivity tools that have traditionally been seen as low-priority targets but have become more attractive in recent years.

And as Rob Wainwright, director of Europol, reminded attendees at this year's RSA Conference in San Francisco, the bad guys have been matching—or even exceeding—the innovations in the security world with a combination of collaboration and collective creative thinking.

"This is a criminal infrastructure the likes of which we've never seen before," Wainwright said during an RSA Conference panel.

To that point, TD Bank's Rick Burke agrees that the bad guys have been emboldened and are discovering new points of entry, such as those productivity tools, every day.

"Companies need to be mindful that everyday tools from email to the Internet can pose risk to payment operations, and the criminal toolbox is expanding," Burke, head of corporate products and services, said in the press release announcing TD's recent survey findings.

And it's not as if financial services companies haven't known they had this issue. Risk management firm SecurityScorecard's 2016 Financial Industry Cyber Security Report, published last August, found that 15 of the 20 top commercial banks in the U.S. were infected with malware at the time, and that 19 of those same 20 banks received a network security grade of "C" or worse.

What this tells us is that financial services companies have too often rested on their laurels, relying on a patchwork of technologies to protect their data assets, and that this approach fails to take into account just how fast the threats they face are evolving.

In its 2017 Cybersecurity Outlook for Financial Services Organizations report, managed IT services provider Synoptek argues that simply addressing security hygiene through things like consistent patching, proper support of SSL, or improving network and application security is not enough. Rather, Synoptek recommends that financial services companies think more strategically as they attempt to counter fast-changing exploits.

"Financial services institutions must incorporate network security and information privacy into their overarching risk management strategies," the report reads.

Just as troubling as all of this is another recent survey finding that indicates customer perception of security in the financial services sector has actually worsened over the last year. The Online Trust Alliance's 2017 Online Trust Audit & Honor Roll found that just 27 of the top 100 banks made the alliance's honor roll, down from 55 percent in 2016. The OTA cited increased breach activity, low privacy scores, and low levels of email authentication as causes for that drop-off.

As the saying goes, perception is reality. If the financial services industry wants to regain the public's trust and avoid being the subject of frequent breach headlines over the next couple of years, all indications are that it will have to step up its game. Not only does every financial services provider need to approach its cyber security technology decisions holistically, and with integration as a top priority; it also must take a hard look at every area of its business that's potentially affected by cyber threats.

And as if that hasn't become clear enough, in 2017 that pretty much means every last thing.

Tony Kontzer, RSA Conference
