Once again the topic of the day (or at least of the past two weeks) is cybersecurity, and once again the news is dreadful. The Petya ransomware attack only continues the negative trend.
Recent reports of surveys involving financial services, merchants, and government agencies indicate continued onslaughts by cyber criminals, under-preparedness by their targets, and over-confidence by those same targets.
True, some of these reports feature some signs of improvements in preparedness by the legitimate entities. But the improvement proves to be only marginal.
Time to wade in, first regarding banks and financial services in particular.
Price tag to resolve an incident is unbelievable
A Kaspersky Lab report on the financial sector shows that a cybersecurity incident involving a bank’s online banking services costs the organization $1.75 million, on average. The report indicates that 61% of cybersecurity incidents affecting online banking come with additional costs for the institution targeted. These include data loss; the loss of brand/company reputation; leakage of confidential information; and more.
“In the banking sector reputation is everything, and security goes hand-in-hand with this,” says Kirill Ilganaev, head of Kaspersky DDoS protection. “If a bank’s online services come under attack, it is very difficult for customers to trust that bank with their money, so it’s easy to see why an attack could be so crippling.”
State of the protective arts
Ovum polled top financial services security executives of very large organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific. Some of the take-aways:
• 73% of respondents are running more than 25 cybersecurity tools—and 9% are running more than 100.
• Of the total respondents, 37% are dealing with more than 200,000 daily security alerts.
• Of the total respondents, 47% said only one in five alerts is unique (i.e., refers to a unique security event).
• Of the financial institutions surveyed, 67% believe they need better, not more, security tools.
• Cloud adoption will make managing cybersecurity even more arduous.
Ovum’s conclusion: “Each new malware or attack style throws up a new challenge that can only be addressed by deploying yet another new security tool. However, the resulting complexity is itself a security risk, as security operations center teams spend their time patching holes, racing against time to close security gaps. Security silos also raise the potential of cybercriminals locating a weak point in the infrastructure that they can use to infiltrate an enterprise.”
How bank business customers fare
Now to businesses, and retailers and merchants in particular—stakeholders in the payments chain that ties them to banks.
American Express points out in a survey that of merchants that have both ecommerce and physical retail operations, 81% view online and mobile sales as the channel with the biggest growth opportunity. Yet, in the same report, 37% of consumers say they have abandoned an online purchase because they did not feel their payment would be secure.
Also, 73% of merchants say their level of fraudulent online sales has increased or remained the same over the past year.
“For merchants to capitalize on consumers’ continued shift to online and mobile and mobile commerce, they need to provide their customers with the confidence that their information is secure,” says Mike Matan, vice-president, industry engagement, produce, and marketing, Global Network Business, American Express.
A Deloitte poll of 400 security officials in consumer businesses found that 76% were highly confident in their ability to respond to a cyber incident. And yet:
• 82% have not documented and tested cyber response plans involving business stakeholders within the past year.
• 46% say their organization performs war games and threat simulations on a quarterly or semiannual basis.
• 25% report lack of cyber funding.
• 21% lack clarity on cyber mandates, roles, and responsibilities.
“We found that just 30%-40% of companies investing in platforms such as consumer analytics, cloud integration, connected products, and mobile payments have mature programs in place to address related risks,” says Barb Renner, vice-chairman, Deloitte.
Juniper Research weighed in with the screaming headline: “Retailers to lose $71 billion in card-not-present fraud over the next five years.”
Granted, this is globally, but still.
Governments also affected
Then there is the government. Perhaps most damning is a report from ACL, a risk management software provider based in Canada. Its 2017 Fraud Survey, in which it surveyed more than 500 government agencies and private companies in the U.S. and Canada, contains this finding:
“Fraud in government agencies is estimated to cost taxpayers more than $136 billion each year, and that’s just from improper payments,” says Dan Zitting, chief product officer at ACL. And this, specifically, applies to U.S. taxpayers. It cites a 2016 report by the Association of Certified Fraud Examiners.
More to ACL’s survey results: Less than one third of government respondents said the majority of fraud is detected. Also, less than 30% of antifraud recommendations are fully acted upon by government agencies.
“It is clear that the public sector remains highly susceptible to fraud, and that many agencies are neglecting to take the necessary action to fulfill the public’s trust,” says Scott Robinson, director, public sector, ACL.
In mid-June, CompTIA awarded its annual Excellence in Cybersecurity Awards, which recognize members of Congress and federal agency program managers who make strides in using federal resources to improve cybersecurity skills of those who work for the U.S. government. Recipients this year were Rep. Jim Langevin (D-R.I.), Sen. Mike Rounds (R-S.D.), and Lisa Dorr, director of IT Workforce Development at the Department of Health and Human Services.
Yet even as these were duly recognized, CompTIA announced results of a poll of government IT professionals. These include:
• 80% say cybersecurity consumes more of their time than just one to two years ago.
• 87% predict the cyber-threat landscape will only get worse.
• 76% believe the government should offer more competitive salaries and flexible work arrangements for its technology workers.
• 72% say the government should do a better job of identifying and promoting career pathways for civilian and military government cyber professionals.
Bright spots on a bleak background
One positive in this sad stew involves the public-private organization that 7,000 banks participate in—the Financial Services Information Sharing and Analysis Center.
Following the May WannaCry ransomware attack, this organization responded quickly with real-time information and tools to combat and mitigate it. A recent recap of that effort describes FS-ISAC as “a virtual neighborhood watch of sorts.” (As of this writing, FS-ISAC has said nothing about the recent Petya ransomware attack that appeared in Europe, although no doubt it is on its radar behind the scenes.)
There is more good news. Trustwave issued its 2017 Global Security Report. Some results:
• The median number of days from an intrusion to detection of a compromise decreased to 49 days in 2016 from 80.5 days in 2015.
• The median number of days from detection to containment was 2.5 in 2016.
• However, the median number of days from an intrusion to containment of a compromise stayed relatively the same at 62 days in 2016, compared to 63 days in 2015.
As always, the big question is, what can be done?
Gartner seeks to answer this with a lengthy laundry list of new technologies coming online for information security. They are worth reading about in the document cited below. These technologies include cloud workload protection platforms, endpoint detection and response, network traffic analysis, microsegmentation, cloud access security brokers, and more—11 in all.
“Security and risk leaders must evaluate and engage with the latest technologies to protect against advanced attacks, better enable digital business transformation, and embrace new computing styles,” says Neil MacDonald, vice-president and Garner Fellow emeritus.
On the horizon
But back to the Ovum study mentioned above. Two of its main takeaways might point the way forward more clearly:
• An open source communications fabric that simplifies integration of disparate security tools and enables sharing of threat data is essential.
• There has been a clear shift in the decision-making process for cybersecurity initiatives, with teams outside IT such as fraud, compliance, risk management, operations, and line of business all now taking part.
In other words, instead of just piling on solution after solution, find ways to make them all work together—and make cybersecurity everybody’s job and include everybody on the team.
Sources for this article include:
- Look Before You Leap: Key Considerations for Moving to a Digital-Only Model
- Disruptions Past, Present and Future Raise the Existential Question: “What Are Banks For?”
- Study Links Credit Card Offer to Bank Choice
- What Banks Can Learn From the United Capital Acquisition
- What the Win-Win Partnership Between Apple and Goldman Sachs Means for Payments