Cyber Risk Strategy Must Evolve to Match Changing Threats
Technology is the lifeblood of financial services today, with platforms designed for sharing data acting as the circulatory system linking insurers internally as well as externally with customers. While the Internet, mobile access, cloud computing and similar channels are now seen as standard by most consumers, they also offer irresistible targets for bad actors with various motivations — from larceny to political protest to industrial espionage and everything in between.
So I thought it was time to check in to see the current state of cybersecurity. I listened to a recent presentation by my Deloitte colleagues Jim Eckenrode and Adam Thomas to find out, and what they had to say raised both concern and hope. In this blog, I’ll share with you some of what they told me.
The financial services industry was the most targeted of 26 different industries by cyber criminals, according to a recent study by Mandiant. Financial loss resulting from cyber attacks is the top concern of 36 percent of financial services institutions, but 39 percent are more concerned about disruptions to business and reputational risks, Deloitte reported.
Who are the bad guys? My colleagues at Deloitte found that 37 percent of financial services companies believe individual hackers pose the greatest threat to their organization, while 29 percent believe insiders and third parties pose the biggest threats.
How are the bad guys doing? An analysis by Verizon Risk and Deloitte’s Center for Financial Services found that 88 percent of cyber attacks against financial services firms were successful in less than a day, but only 21 percent of the firms were able to discover these attacks in less than a day, and just 40 percent could restore service in less than a day.
The bad guys are winning, primarily because they can keep one step ahead by deploying a wider array of attack methods.
In a recent Deloitte survey, 75 percent of global financial institutions believed their info security program was at a maturity level 3 or higher (on a 1 to 5 scale, with 5 being best), but only 40 percent were confident that they would be protected from outside attack.
That’s a scary number, but completely understandable. The cyber threat landscape is constantly evolving, and cybersecurity must transform itself to keep pace. The basis of this new approach is easy to understand. An effective cybersecurity strategy includes three legs: security, vigilance and resilience.
The “secure” part of this cyber strategy is aimed at keeping intruders out, both by using risk-prioritized controls and by working with others in industry and cybersecurity to establish and comply with standards and regulations. Vigilance is aimed at detecting intruders when they do get in, as they often will, no matter what. Resilience is about repairing damage and returning quickly to normal operations.
My colleagues have a whitepaper devoted to this that you can read at your leisure, so I’ll spare you the details, but there are some questions they raise that they have found useful in the field as they assess the state of an organization’s cyber risk strategy. How would you answer?
- Is your strategy executive-driven with clear accountability? Senior leadership may be necessary to cut across silos and functions and ensure true enterprise risk management — in other words, to make cyber risk strategy an integral part of the core company strategy.
- Do you have a dedicated cyber threat management unit? Such a unit can help break down the silos between IT and businesses, and enable a dynamic, intelligence-driven approach to cyber security.
- Is there a focused effort on automation and analytics? This could drastically increase the ability to identify anomalous behavior and risk patterns, among other positives.
- Has the “people” link in your defense chain been strengthened? No matter how good your cyber defense, one careless employee can negate it. Boring training sessions may get the facts across, but not their importance. It might be worthwhile to consider a more “human-centric” approach, delivering this training in a way that considers the user experience while remaining informative.
- Do you work with others outside the company against common threats and enemies? Industry associations, law enforcement, homeland security and others like service providers, consultants and lawyers can all help with information sharing and reducing the risk to individual organizations.
The one thing we know for sure is that the bad guys will not go away. We have to do all we can to be ready for them.
Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.
This blog was exclusively written for Insurance Networking News. Published with permission.