23.3.21

5 reasons why (not only) financial companies struggle with cybersecurity


Why do many organisations have a hard time keeping up with the evolving threat landscape and effectively managing their cyber-risks?

By Amer Oweida

Financial services companies have been a popular target for cybercriminals for a long time. Not without good reason, since beyond working with money, financial companies handle a slew of sensitive client data that criminals utilize in various fraud schemes or sell off on dark web bazaars. According to Verizon’s 2020 Data Breach Investigations Report, in the past year alone the financial industry has suffered more than 1,500 incidents, with 448 confirmed data disclosures.

In addition to the long-standing threats, most companies have had to contend with the rapid transition to remote work. The shift happened on extremely short notice, leaving companies with little time to deploy adequate cybersecurity measures or to prepare employees for looming cyberthreats. And while the pandemic will eventually subside, remote work is here to stay – adding to the list of challenges that companies need to cope with when they are preparing their cybersecurity plans and policies. This is something they often struggle with already due to various factors – we have rounded up five of them:

Talent gap

While many companies may be on the hunt for either seasoned or up-and-coming cybersecurity professionals to join their ranks and help them establish a defensive perimeter against various threats, there just aren’t enough of them to go around. In fact, although the cybersecurity workforce gap has shrunk for the first time in years, there is still a global shortage of 3.12 million workers. To close that shortfall, employment levels would need to grow by 41% in the United States and 89% worldwide. So, to attract the best and brightest cybersecurity minds, companies will have to offer competitive salaries and fulfilling work opportunities.

Insufficient budgets

A key factor preventing companies from tackling cyberthreats head-on is that they have insufficient budgets allocated to cybersecurity. According to a survey conducted by consulting firm Ernst and Young, 87% of surveyed organizations said that they did not have a sufficient budget to achieve the levels of cybersecurity and resilience they were aiming for. The lack of resources means that companies can’t hire enough cybersecurity talent or institute the technical measures they need to be resilient when facing off against various cyberthreats.

Overestimating their own cybersecurity

One common mistake companies make is that they overestimate how good their cybersecurity measures are. While they may believe that they are on top of things, companies may not have the best vulnerability patch-management policies in place. A good – but at the same time, unfortunate – example is the BlueKeep vulnerability present in Windows. The patch was issued in May 2019, with Microsoft urging everyone to patch immediately; a month later, the National Security Agency issued its own warning, yet in July there were still more than 805,000 machines susceptible to the security flaw, and it culminated in the first BlueKeep attacks in November. It goes without saying that patching such a severe vulnerability should under no circumstances take six months.

Lack of awareness training

Another common occurrence that undermines a company’s cybersecurity is that employees do not receive enough cybersecurity awareness training. Arguably, the risks of employees being tricked into downloading malware or parting with their company credentials have been amplified by the COVID-19-driven shift to remote work. According to a study conducted by the Ponemon Institute, although companies have registered a surge in cyberattacks during the pandemic (including phishing and social engineering attacks), 24% of respondents felt that their organizations had not provided sufficient training about the risks associated with remote work. Worryingly, the study also discovered that over half of the companies had no security policies at all covering requirements for remote employees.

Underestimating the value of cybersecurity

Some organizations underestimate the value of cybersecurity for their business and instead opt to invest in other aspects they deem more worthwhile, such as financing expansions or developing new products. They could argue that the costs outweigh the benefits, for example that cybersecurity measures cost more than the potential losses from a data breach. However, while the potential fines and losses may be lower in the short term, the reputational damage could lead to greater fallout, including losing client trust, which would hit revenue streams. Alternatively, if successful, cybercriminals could gain access to intellectual property that they could sell along with the client data on the dark web. Therefore, cybersecurity shouldn’t be an afterthought, as it serves to protect both the company and its clients.

Conclusion

Any combination of the aforementioned factors could spell a perfect storm for most organizations when faced with a cyberattack. On the bright side, financial services companies have begun taking cybersecurity concerns seriously at the highest level. Global management consulting firm McKinsey found that 95% of the board committees it surveyed said they discuss cyber-risks and tech risks at least four times a year. It’s worth noting, however, that building awareness in top management has to go hand in hand with investing adequate sums in cybersecurity solutions and training personnel to the best possible standards.