Financial Services: High-risk security, by the numbers


Our latest addition to the industry-by-industry security analysis series is financial services.

Financial services companies in the U.S. lost an average of $23.6 million from cyber-security breaches in 2013, the highest average loss across 26 industries, according to a report from the Deloitte Center for Financial Services. The study by the consulting firm, entitled "Transforming Cybersecurity: New Approaches for an Evolving Threat Landscape", notes that the growth in cyber-crime has continued, if not accelerated, in the industry.

A huge majority (88%) of the cyber-security attacks against financial services firms are successful in less than one day, the report says. On the other hand, only 21% of the attacks are discovered within a day, and only 40% of the companies involved are able to restore their business within that one-day time frame.

The Deloitte report notes that the losses from security attacks sometimes are not as damaging as the potentially greater impact on customer and investor confidence, reputational risk and regulatory impact. When combined, the damage caused to financial services firms can add up to huge risks for these businesses.

As noted in Verizon’s 2014 Data Breach Investigations Report, which looked at security threats in 20 different industries, “financially motivated attackers are hyper-focused on gaining access to the money, so it follows that their two primary target industries are the financial and retail industries, where data that easily converts to money is abundant and, all too often, accessible.”

Within the financial industry, the report says, attackers focus on gaining access to the user interface of the Web (banking) application more so than exploiting the Web application itself, “because the application grants logical access to the money. This means they target user credentials and simply use the Web applications protected with a single factor [i.e. password] as the conduit to their goal.”
One quarter of the financial services companies surveyed as part of a study, “The Global State of Information Security Survey 2015”, by consulting firm PwC and CIO and CSO magazines, said they had detected 50 or more security incidents in the previous 12 months. That was slightly higher than the percentage for all industries.

A majority of the firms (74%) said they had detected at least one security incident over that time period, according to the study, which surveyed 9,700 business and technology executives worldwide from March to May 2014.

When asked to identify the likely source of security incidents, 44% of the financial services respondents cited current employees, easily the most commonly named culprit. By comparison, 35% of respondents from all industries cited current employees. Other likely sources of incidents mentioned by finance firms include former employees (28%), hackers (26%) and competitors (20%).

The financial services firms surveyed noted a number of ways in which they were impacted by security incidents, including having customer records compromised (34%), employee records compromised (26%), theft of “soft” intellectual property such as processes and institutional knowledge (21%) and personally identifiable customer or partner information (18%).

Financial services firms also face a host of regulatory and industry requirements and security standards. For example, there’s the Payment Card Industry Data Security Standard (PCI DSS 3.0), a proprietary security standard for companies that handle cardholder information for major credit, debit and other payment cards. The standard is designed to increase controls around cardholder data to reduce credit card fraud.

And the Safeguards Rule of the Gramm–Leach–Bliley Act requires financial institutions to develop a written information security plan that describes how they are prepared for and how they will protect clients’ non-public personal information. The Safeguards Rule applies to information of any consumers past or present of the financial institution's products or services.

Given the complexities of information security within the financial services sector, and the clear threat to these companies’ systems and data, managed services providers and value-added resellers have an opportunity to present solutions that can help firms better protect themselves against attacks.

To find out how Bitdefender can help, read this Solution Brief.

Download Solution Brief: "PCI DSS v3.0 Compliance"