Adoption of the latest innovations has opened financial services to increased cyber risks, according to a new Deloitte Center for Financial Services report.
In 2013 financial services topped the list of 26 industries that cyber criminals most targeted. Unwilling to stand idle, financial services firms have invested heavily in their security defenses and made great efforts to comply with industry standards and regulations.
At the end of the day, finds Deloitte, the results of this strategy are humbling. In 2013, an annual investigative report on data security by Verizon found a staggering 88% of cyber attacks are successful in less than one day. But in the same time period, only 21% of firms are able to discover attacks, and just 40% are able to restore their business.
Given the dismal figures, the report's authors liken the security strategy to a game of cat and mouse: a constant pursuit to fortify the vulnerabilities revealed by cyber criminals, met with more diverse methods of attack, forcing each side to perpetually adapt its offensive and defensive tactics.
Cloud, mobile, web and social media adoption increase the opportunities for attackers, according to the report. "Similarly, the waves of outsourcing, offshoring, and third-party contracting driven by a cost reduction objective may have further diluted institutional control over IT systems and access points. These trends have resulted in the development of an increasingly boundary-less ecosystem within which financial services companies operate, and thus a much broader 'attack surface' for the threat actors to exploit."
An Evolved Strategy
"Fundamentally, it is time to shift gears in the response to this topic," says Vikram Bhat, principal with Deloitte & Touche LLP and the leader of Deloitte's cyber risk services team, co-author of the report. "In order to move forward we need a more functional way."
To effectively predict, mitigate and recover from cyber-attacks across the growing ecosystem, Deloitte says firms need to evolve their cyber security positions to a "secure, vigilant and resilient" approach.
Security: Preparation for known threats through risk-driven investment in foundational preventative controls and policies. Traditionally, this has received the bulk of focus, but preventative technologies alone are as unlikely to adequately meet the challenges ahead as they are to meet the challenges of today.
Vigilance: Detection of emerging threats and patterns with early detection and signaling systems. This can be an essential step towards containing and mitigating losses, the authors report, adding "Incident detection that incorporates sophisticated, adaptive, signaling, and reporting systems can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on an enterprise-wide basis."
Resilience: Perhaps the most critical, the ability to quickly recover normal operations and minimize damages. "Robust crisis management processes can be built with participation from various functions including business, IT, communications, public affairs, and other areas within the organization," according to the report.
To achieve all three "secure, vigilant and resilient" aspects in a cyber risk management model, there must be two overarching elements: threat intelligence and enterprise collaboration.
A study from the Ponemon Institute found that "actionable intelligence" - or the derivation of meaningful insights about adversaries from a wide range of sources - within 60 seconds after a successful attack would be sufficient to reduce the cost of compromise by 40 percent. According to Bhat, the delta of vigilance and responsiveness is where the battle is going to be fought over the next year.
In addition, Bhat adds that while many attacks have a technology side to them, they can impact various aspects of the business like brand or customer satisfaction - an altogether deeper impact than disrupting a critical machine or service - so it is important that business executives, not just IT, are a strategic part of the recovery process.
This cyber security game is a continuous attack, concludes Bhat. "It is important institutions not take an inward-looking approach to this and work within the ecosystem. They must be partners in developing solutions around this issue."