Other parts of this series:
- Financial services need new security mindset to support strategic growth initiatives
- What new technology developments offer opportunities to enhance security?
- Cyber risks and company stakeholders – a key to financial firms’ security
- Helping financial firms to transform security for “New IT” landscape
- Identity management and threat intelligence are key security spends for financial firms
- Planning for security failure is critical for success
Cyber risks and company stakeholders – a key to financial firms’ security
In this blog series, we have been discussing the importance of financial services institutions adopting a more proactive cyber security approach if they hope to adequately protect themselves and their customers in the “New IT” landscape.
This time, we’ll examine the different cyber threats posing the greatest risk. We believe that understanding them is critical in building an effective and efficient security program. We’ll also discuss the roles that firms’ various stakeholders play in guarding against cyber-crimes.
As Accenture discusses in a new report—Security in the Financial Services Sector–Ready for the “New”?—firms face five categories of attackers. Each one possesses various skills and is motivated by different interests:
- Vandals – They typically consider hacking as a challenging opportunity to prove their skills and achieve fame and a glowing reputation among their peers. We expect these limited threats to remain constant, but good security practices should thwart them.
- Criminals – This group focuses on businesses and their money. Supporting them is a fairly significant and growing underground market where they can trade services and technology that once were available only to government bodies. Defending against this growing threat is becoming more and more challenging.
- Hacktivists – These attackers typically have a criminal background and might share know-how with criminals and vandals but usually have a political or social agenda. We expect hacktivism to continue, but these attacks might become more sophisticated and unpredictable.
- Terrorists – Their primary goal is to produce widespread fear and destabilize populations and geographic regions through violence. Terrorist attacks are not expected to increase dramatically, but their impact is unpredictable and potentially significant, including considerable collateral damage.
- Nation or state actors – Their attacks typically are low-profile, executed over an extended period and typically are sustainable. We expect a significant increase in the frequency and sophistication of these attacks, which will necessitate greater levels of sophistication to detect and prevent.
Some security personnel for financial services firms also would consider employees as potential “security issues” and press to monitor their behavior. But we believe that the security function should rather support employees in their day-to-day activities and tasks, as they create value for the business. However, this is becoming increasingly important and challenging, as firms depend more on liquid workforces—which are able to rapidly adapt and change to their evolving environment. Technology can help the security team support employees with managing confidentiality, integrity and privacy in an automated and transparent way.
Employees are just one of several important groups of stakeholders that security should depend upon. The others are:
- Senior management – While they understand their role in leading the security agenda, they often feel uncertain about which path to take. We believe that security should become more transparent and in a way that is relevant to a chief executive officer and the entire C-suite. This would facilitate their understanding of the key risks the business faces, while encouraging them to act decisively.
- Customers – Their needs and expectations are changing dramatically. Even affluent customers might want daily and easy access to their funds and information, including greater access to advice online or through unsecure smartphone platforms. Yet, like all customers, they continue to expect the same level of confidentiality.
- The security community – This is an important stakeholder that should not be underestimated but often is. Firms should clearly spell out how they plan to work with the security community, especially vulnerability finders.
- Financial markets – Their movements can influence companies’ security needs and architectures. Publicized attacks can influence customers, shape market forces and define perceptions about what is good or bad. The same is true of new technologies that firms may adopt.
To learn more, read: