Creating a culture of cybersecurity in Financial Services

By Martin Landless, Vice President for Europe at LogRhythm

As the financial services sector increasingly moves online and reaps the benefits of the modern digital economy, the sector has become an even more tantalising target for cybercriminals.  Financial data is among the most lucrative data types for cybercriminals, going for high prices on the Dark Web or used to access accounts, copy payment cards and make fraudulent purchases.

For any business which suffers a successful cyberattack, the consequences can be severe. A halting of business processes whilst the business gets up and running again can impact the bottom line, negative media attention can dent customer confidence, and the potential for a large General Data Protection Regulation (GDPR) fine can derail existing plans for business growth.

These consequences will be front of mind for financial services leaders now, as the sector has found itself in the crosshairs even more so during the current pandemic. Recent data from VMWare indicates that cyberattacks against the financial sector increased by 238 per cent from February to April 2020, with cybercriminals looking to take advantage of the tumult to steal valuable data.

Although financial services institutions find themselves under attack more frequently than ever, it is still possible to remain at the forefront of the digitalisation of the industry and remain secure. Doing so relies on a three-pronged approach, with people, processes and technology all working in concert towards ensuring cybersecurity. Through a holistic approach, a culture of cybersecurity can be created that protects institutions.

Security maturity

Given the sensitivity of the data they manage, financial services organisations must have a mature security operation model in place to deal with threat actors. Security operations maturity is measured based on two variables: mean time to detect (MTTD) threats and mean time to respond (MTTR) to them.

A reduction of both MTTD and MTTR is crucial to ensuring cyberattacks are halted earlier in the threat lifecycle, and is reliant on technological solutions which allow for the automation of workflows. This frees up vital time for security teams to focus their attention where it is most needed. Indeed, a recent survey of security professionals and executives found that 47 per cent[1] of those surveyed felt that they needed increased security teams, so anything that can maximise the effective time of existing cybersecurity personnel is a huge benefit. Visibility across networks and systems is also key, as cybersecurity teams must be able to immediately see shifts in behaviour in the network to recognise imminent threats as they arise.

Although technological innovation in security response is a strong foundation for an effective culture of cybersecurity, this must be complemented with processes and security training for employees.

Ensuring cybersecurity is a board-level issue

It is the responsibility of the CISO and the security team which works under them to ensure that security is front of mind for all employees. A chain is only as strong as its weakest link, and it only takes one employee falling victim to a phishing email to compromise a business. CISOs may be senior figures in a business, but they need the support of the rest of the C-suite to fulfil their goals. At the board level, CISOs must ensure that executives are aware and fully understand the challenges security teams encounter day to day and the longer term[2].

This then becomes a matter of communication rather than technology. One potential means of communicating security posture to the board is by focusing on the benefits and return on investment an effective security posture can entail. Additionally, a CISO can furnish a high trust environment through partnering a member of the board with the security team.

This partner can articulate perspective to the team from a purely business standpoint, allowing the team to produce intelligence to the board that exhibits the business value of the security operation centre’s (SOC’s) methods and goals. This collaborative approach will encourage the understanding security teams have for business goals and the board’s understanding of security necessity.

Growing security alongside the business

One area of understanding between security team and leaders that should be nurtured is the impact of business growth on security. Although business growth indicates that a business is in robust health, it also facilitates multiple avenues through which a company can come under cyberattack.

Firstly, don’t assume cybercriminals aren’t keeping an eye on the markets and on the business pages. They’ll be aware of a company’s raised profile and whether they’re now a more lucrative target – or not. Positive business events like mergers and acquisitions can also present opportunities for cybercriminals. On a tech level network and security systems of different companies may be in the process of being migrated and integrated, and on a more human level, new staff, as yet unaware of the security protocols of the company they’re joining, can be targets.

It’s important then that security teams ensure each new employee is vetted, safely added to the system and trained on appropriate security protocol. In the case of acquisitions, security teams must effectively monitor new structures that are added to the network, and third-party connections with whom they are not yet familiar. A Gartner study earlier this year identified third-party cybersecurity risk as a key concern for half of legal and compliance leaders.

This is all easier said than done however, and key to this issue is security budget, and it is here board-level support is important. Security budgets are often determined in advance and follow two common pricing models used by security vendors: the user-based model and capacity-based model. In the face of growth, both are fixed, and may leave security teams making difficult decisions as to where they safeguard their organisations.

Executives should instead look for security vendors which offer a subscription-based model. This offers the guarantee of scalable security at a determined rate, which will greatly alleviate the stress felt by security teams in what often should be an exciting time for an entire organisation.

Changing security budgets to better facilitate the work of SOCs represents a culture of cybersecurity being put into practice. Technological solutions are provided based on an understanding between security teams and the board on what is needed, allowing for better performance in MTTR and MTTD.

Security posture needs to be fixed now

Covid-19 has heightened the risks faced by cybersecurity teams and financial services organisations, and now, more so than ever, is it vital to foster a culture of cybersecurity. The benefits of digitalisation for financial services are too great to ignore, and failure to embrace digitalisation in the name of security will hamper financial services’ growth. Instead, a holistic approach encompassing people, process and technology will be vital to forging a secure path forward in the financial services industry.

[1]https://gallery.logrhythm.com/white-papers-and-e-books/uk-the-state-of-the-security-team-research-report.pdf

[2]https://gallery.logrhythm.com/white-papers-and-e-books/uk-gain-board-level-support-for-your-security-program-e-book.pdf