In June 2015, Websense reported that the rate of attacks against financial services firms is four times higher than against companies in other industries. It’s not surprising that hackers target these companies; that’s where the money is. That’s where the information is. When a hacker succeeds in attacking a bank, he or she could access customers’ personal information and defraud them, too.
In spite of the frightening statistics, financial services security experts actually feel more confident about their security. At least, more secure than a year ago. What comes as an even greater surprise is that they’re using fewer security solutions than last year.
Last year, we studied organizations across several industries in 12 countries to assess their security resources, capabilities, and sophistication. In total, the report, entitled The Cisco 2016 Security Capabilities Benchmark Study, surveyed more than 2,400 security professionals, including chief information security officers (CISOs) and security operations managers in Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Russia, the United Kingdom, and the United States. We then analyzed IT security capabilities in the financial services industry, using comparative data from the study, and discovered an interesting dichotomy between what these security professionals say and what they do.
In 2014, 66% said their systems for detecting network anomalies and defending against shifts in threats were highly effective; in 2015, that number rose to 76%. In 2014, 67% said that security tools for determining the scope of a compromise were highly effective; that number rose to 74% in 2015. These figures stand in stark contrast to security professionals’ behavior as measured by their use of tools.
Financial services organizations are actually decreasing their use of tools to help detect and block threats. In 2014, 57% of survey respondents said they used access control and authorization tools, but the number dropped to 48% in 2015. Likewise, 43% said they used network forensics tools in 2014, while only 32% used them in 2015.
What accounts for this duality? There’s a mindset shift underway among financial services security professionals.
Security professionals in the financial services industry are no longer overconfident that their organizations have the skills and expertise to defend against threats. They’ve taken a more realistic approach: CSOs now understand that they can’t rely solely on internal expertise or tools to defend their companies against devastating cyber attacks. Rather, they’re developing specific strategies to help them close gaps so they can protect their firms.
Security professionals in the financial services industry can learn a lot from the steps that we have seen these proactive CSOs taking, which include:
- Turning to outside help: Our research shows that many financial sector CSOs understand the limitations of internal staff expertise. They’ve begun turning to external security experts to shore up cracks in their defenses. Thirty-seven percent of CSOs in the financial services industry said they have brought in outside help for security issues because they felt their internal pool of knowledge wasn’t strong enough.
- Training employees to be the first line of defense: Security professionals in the financial sector recognize that when it comes to protecting their firms, employees can be an asset in the fight against cyber attacks. Forty-four percent of CISOs stated that they’ve increased the amount of security awareness training employees receive. They’ve also boosted their investments in training for security staff. When everyone at the company understands that security is a priority and what they can do to keep the firm safe, security professionals sleep better at night.
- Viewing security as a company-wide issue: Security professionals in the financial services industry are learning that they have to make everyone at their organization aware that security affects the entire firm. For too long, members of the C-suite viewed information security as a cost center rather than a business driver. Persuading the rest of a firm’s leadership that security can boost profits rather than decrease them can be an uphill battle, but CSOs know that keeping their companies safe is a top company-wide priority and needs to be treated as such. Fortunately, many financial services firms are successfully implementing this ideal. Our study also showed that line-of-business managers in financial services are taking more responsibility for security. In 2014, 46% of respondents said that their line-of-business managers contribute to security policies and procedures; in 2015, that number rose to 59%.
Overall, this mindset shift is a positive development. CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses. They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part. Moreover, by bringing in outside security experts and technology, they’ve demonstrated their willingness to tackle security challenges head on in an effective manner. Although new security challenges will arise, many of today’s financial services CSOs believe they’re ready to meet them.