Current State of IT Security in the Financial Services Sector
Financial services organizations are some of the most highly protected institutions in the nation, but, at the same time, are under constant attack. As a result, financial institutions have to be prepared to handle any security disaster.
Earlier this year, I joined G. Mark Hardy from SANS, Ed Dembowski from FireEye and Scott Gordon from ForeScout to discuss the results of a SANS survey on, "risk, loss and security spending in financial institutions."
The survey featured 239 respondents from varying business levels and was conducted from January through February of 2014. The security incidents that ranked in the top three included internal employee misuse (43 percent), spearfishing emails (43 percent) and malware or botnet infections (42 percent)*.
Despite organizations’ best efforts one thing is for sure: breaches are going to happen. The disturbing fact about these statistics is that two of the top three causes were the result of employee behavior; something organizations believe they should be able to control.
One of the major problems with security breaches is figuring out just how bad they really are. Only 21 percent of those surveyed could quantify losses while 50 percent could not and 29 percent didn’t know if they could. This can make it hard to receive future funding for proper security measures.
Risk for organizations concerning these breaches comes from many sides including reputation, legal, regulatory and financial. A security breach could open your company to civil and/or criminal litigation as well as increased regulatory scrutiny and fines. Your organization’s stock could also be devalued and damage done to your image and stockholder confidence.
What do I do?
Decide which security framework is right for you (PCI DSS, COBIT, NIST, FISMA, etc.). While complying with security frameworks is a good start, compliance does not equal security. Additional measures should be taken in order to keep your company safe.
If you are legally or contractually bound to report a breach then you should do it. However, keep in mind the aforementioned risks and convey those risks to your executives, as they are the ones who need to make the final decision.
* Percentages do not add up to 100 percent because respondents were allowed to select multiple answers.
Related Articles
Cybersecurity Snapshot: Strengthen Identity and Access Management Security with New CISA/NSA Best Practices
March 24, 2023Learn about a new guide packed with best practices recommendations to improve IAM systems security. Plus, cybersecurity ranks as top criteria for software buyers. Also, guess who’s also worried about ChatGPT? Oh, and do you know what a BISO is? And much more!
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Financial Services
- Research Reports