According to the Verizon 2021 Data Breach Investigations Report, ransomware incidents have doubled in the past year and are now the most common form of cyberattack. Yet despite their sophisticated risk management programs, when we analyzed the security posture of financial institutions, we found that 54% are at heightened risk of ransomware attacks.
This conclusion is based on two key security program performance indicators – patching cadence (the elapsed time between a software patch becoming available and its implementation) and configuration management (weak TLS/SSL configurations create vulnerabilities in infrastructure that could expose companies to attacks). Both indicators correlate with the risk of ransomware threats.
When we applied this analysis to the financial services sector, we found that 30% of institutions are slow to apply patches. This makes them seven times more likely to experience ransomware than those that maintain a regular patching cadence.
Perhaps more worrying, 70% of these companies are exposed to ransomware risk due to misconfigured systems.
What can financial services sector security professionals do? Our findings stress that continuously monitoring security performance so that vulnerabilities are discovered and remediated before they are exploited is key to defending against ransomware, and indeed any cyberattack.
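The two indicators described above, patching cadence and TLS/SSL configuration, can be tracked continuously with a small amount of code. The following is an added example written for this page; it is not BitSight's code and not part of the original post. The patch records, the endpoint configurations, the 30-day "slow" threshold, and the list of deprecated protocols and weak-cipher markers are all constructed or assumed for illustration.

```python
"""Added example: a minimal continuous-monitoring check for the two ransomware-risk
indicators named in the post, patching cadence and weak TLS/SSL configuration.
All data below is constructed sample input; thresholds are assumptions."""
from datetime import date
from statistics import median

# Constructed sample: (host, advisory id, date patch became available,
# date it was deployed or None if it is still open).
PATCH_RECORDS = [
    ("web-01", "ADV-0001", date(2021, 6, 1), date(2021, 6, 5)),
    ("web-02", "ADV-0001", date(2021, 6, 1), date(2021, 7, 20)),
    ("db-01", "ADV-0002", date(2021, 5, 10), None),
]

# Constructed sample TLS listener configurations (assumed record format).
TLS_ENDPOINTS = [
    {"host": "api.example.test",
     "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]},
    {"host": "legacy.example.test",
     "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
     "ciphers": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]},
]

AS_OF = date(2021, 8, 1)          # assumed "today" for open patches
SLOW_PATCH_DAYS = 30              # assumed threshold for "slow" patching
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def days_to_patch(available, deployed, as_of=AS_OF):
    """Elapsed days from patch availability to deployment.
    An undeployed patch keeps ageing, so it is measured up to as_of."""
    end = deployed if deployed is not None else as_of
    return (end - available).days


def patching_cadence(records, as_of=AS_OF, slow_days=SLOW_PATCH_DAYS):
    """Median and maximum days-to-patch, plus the hosts over the threshold."""
    ages = [(host, adv, days_to_patch(avail, dep, as_of))
            for host, adv, avail, dep in records]
    slow = [(host, adv, d) for host, adv, d in ages if d > slow_days]
    return {
        "median_days": median(d for _, _, d in ages),
        "max_days": max(d for _, _, d in ages),
        "slow": slow,
    }


def tls_findings(endpoint):
    """List configuration weaknesses on one listener: deprecated protocol
    versions enabled and cipher suites matching a weak-algorithm marker."""
    findings = []
    for proto in endpoint["protocols"]:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for cipher in endpoint["ciphers"]:
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {cipher}")
    return findings


def configuration_report(endpoints):
    """Map each host to its list of TLS findings (empty list means clean)."""
    return {e["host"]: tls_findings(e) for e in endpoints}


def risk_summary(records=PATCH_RECORDS, endpoints=TLS_ENDPOINTS, as_of=AS_OF):
    """Combine both indicators into one view a security team can re-run daily."""
    cadence = patching_cadence(records, as_of)
    config = configuration_report(endpoints)
    return {
        "slow_patching": bool(cadence["slow"]),
        "misconfigured_hosts": [h for h, f in config.items() if f],
        "cadence": cadence,
        "config": config,
    }


if __name__ == "__main__":
    summary = risk_summary()
    print("slow patching:", summary["slow_patching"])
    for host, adv, d in summary["cadence"]["slow"]:
        print(f"  {host} {adv}: {d} days since patch available")
    print("misconfigured hosts:", summary["misconfigured_hosts"])
    for host, findings in summary["config"].items():
        for f in findings:
            print(f"  {host}: {f}")
```

Run on a schedule against real patch and configuration inventories, a check like this surfaces the slow-patching hosts and weak TLS listeners before they become the entry point the post warns about. Open patches are measured up to the current date rather than ignored, so a patch that was never deployed shows up as the worst case instead of disappearing from the metric.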
Cybersecurity vigilance also extends to a finance organization’s suppliers and vendors.
As they seek to get around traditional defenses, cybercriminals are increasingly finding and attacking the least secure business in the supply chain and using it as a foothold to gradually compromise their partners.
The financial services sector is acutely aware of these risks and the need to properly manage them. However, security professionals are often hampered by the limitations of traditional vendor cyber security assessments that provide incomplete and time-bound views of cyber risk.
A better approach is to use tools that provide deep and continuous insight into the risks and security performance of every organization in a company’s supply chain. Using these data-driven insights, security and risk management teams can speed up their vendor onboarding processes and, once the contract is signed, keep tabs on their vendors’ security postures for the remainder of their partnerships.
Business leaders also benefit. With an unparalleled visibility into third-party cyber risk, they can make informed decisions about which organizations to do business with, hold those accountable for security performance, and, ultimately, reduce the risk of a supply chain attack.
Acting in collaboration rather than in isolation is key to thwarting threat actors. This is something the financial services sector already does well. For instance, the Financial Services Information and Sharing Center (FS-ISAC) is a forum dedicated to strengthening the financial system through a global peer-to-peer network of experts and practitioners.
Firms can build on these efforts using the BitSight platform. For instance, users can exchange critical cyber risk information, including self-published security ratings. They can also invite third-party vendors so that they can view their own ratings and investigate forensic data on potential security issues in their environment. If a large-scale cyber attack occurs, organizations can reach out to partners and vendors as a group to notify them so they can proactively assess their security postures and take action to reduce the risk of becoming a victim.
Executive leaders and board members make critical decisions about cybersecurity – notably how and where money is spent. But upper-level managers are not in the trenches every day, and there can be significant gaps between what the Security Operations Center (SOC) knows about cyber risk and what it reports to leadership. That’s not to say that security professionals are holding information back; it’s just that they speak a different language than the C-suite.
To ensure that the most important information is passed up the chain of command and meaningful investments can be made, SOC leadership must learn the art of effective executive reporting. That means talking to executives in a non-technical way they understand and that ties their company’s security challenges directly to its financial and reputational performance.
We discuss these challenges in an earlier blog, in which we offer some uncomplicated suggestions for “speaking the C-suite’s language” and gaining buy-in from senior executives. Also check out these handy guides: The CISO’s Guide to Reporting to the Board and A Security Operations Center Report Template for Executive Buy-In.
Financial services cybersecurity is highly regulated, and for a good reason. But regulation isn’t the only reason that information security is critical – it’s about trust.
Customers trust financial institutions with their earnings, their savings, and their wealth management. But if data is breached or services are interrupted due to ransomware, customers may lose faith in the ability of a company to safeguard their data and their money. It’s a financial and reputational risk that no institution can afford to take.
For this reason, financial services companies must move beyond security for compliance’s sake and apply best practices such as continuous monitoring, collaboration, and making security performance understandable and accessible to the C-suite.