Evolving security threats, technology limitations, and simple lack of awareness make cyberrisk a daunting hurdle for today's banks, with lost customer trust the most significant impact from cyberattacks, nearly double that of monetary losses.
A study sponsored by SAS surveyed 250 respondents from retail and commercial banking primarily based in the Western Hemisphere, including North America (40%), Europe (21%), and Latin America (20%).
Although cybersecurity is a wide-ranging problem affecting multiple industries, financial institutions often lead the way by experiencing new threats and enhancing their cybersecurity defenses. Nevertheless, just one in five of the executives polled for this study regards overall organizational preparedness for cybersecurity risks as "high." The weakest link reported within banks was a lack of dedicated internal resources—only 24% feel "highly prepared" for cyberthreats in this regard.
New communication channels for customer service offer unprecedented convenience. Unfortunately, they also introduce new threats—phishing, botnets, and mobile malware being rated among the most likely and most damaging, according to the survey.
Lack of senior executive awareness was common: more than half (54%) of survey respondents say financial losses from cyberattacks aren't high enough to warrant board-level attention. "This is partly because most organizations handle security as an extension of IT rather than viewing it as an operational risk," says Christopher Smith, director of Cyber Strategies at SAS.
Today, threats must be evaluated in the appropriate context and prioritized accordingly. For example, the report indicates financial losses are typically low for distributed denial-of-service attacks, which are politically motivated and primarily designed to block access to websites or online web services to garner media attention. But it is shortsighted not to also consider the loss of customer trust and the risk of tarnished reputation that result from such attacks.
The report recommends that banks take a holistic view of cyberthreats, treating them as an operational, enterprise-wide risk.
Absence of information was also a recurring theme, evidence that the value of big data depends on proper analysis to support better decisions. The report states, "this is particularly relevant for cybersecurity, as not all threats are equally severe and must be prioritized accordingly." Interviewees bemoaned a lack of key risk indicators, which would better position them to accurately evaluate threats alongside any organizational weaknesses.
Nearly one in three respondents rated limited customer awareness as a key challenge. Still, fewer than one in four banks believes its internal resources are highly prepared, a gap that is far easier to resolve than external customer attitudes.
One of the report's conclusions is that organizations need context-aware analytics to become proactive. By pairing big data assets and high-performing analytics, organizations can spot trends and pre-empt possible attackers. Analytics enables banks to create risk-based responses to potential incidents. This supports the report's finding that organizations must elevate cybersecurity from a technical problem to a broader, risk-based strategy.
"Context-aware security applications have access to more data about what is happening at the moment, and can respond with a wider range of behaviors that are tailored to current conditions," says Avivah Litan, co-author of the report and distinguished analyst at Gartner. "This capability is particularly helpful to enterprise security management because there is no such thing as 'absolute trust.' A decision to let a transaction proceed based on its perceived risk is not made under black-and-white conditions, but rather is best arrived at by gauging the probability of risk incurred by letting the transaction execute."
"Though cybersecurity is clearly a cross-industry issue, financial institutions are leading a trend toward convergence of fraud and cybercrime prevention technology and operations in support of a holistic approach to cybersecurity," says Stu Bradley, director of Security Intelligence Solutions at SAS. "This strategy will require new capabilities, not least to fill gaps in the technology marketplace as part of solving the biggest data challenges to date, and in proactively using better analytics to make real-time, risk-based decisions."