The average bank relies on dozens of different cybersecurity tools, and continues to spend record amounts of money on solutions as threats increase, especially from state-backed attackers. In fact my company has seen in our work that threats against banks have more than doubled. At the same time, research shows that more tools are not always better when it comes to defending against attacks: once an organization runs more than 50 security tools, its overall security posture actually declines, because the effort of integrating, tuning and monitoring them outweighs the protection any one of them adds.
There is no question that the financial sector suffers from the overproliferation and over-differentiation of security tools. This is due partly to the rapid growth of the cybersecurity sector in response to the increasing number of attacks and threats. But more than that, it stems from a desire in the start-up and cybersecurity world for entrepreneurs to differentiate themselves. In a crowded field, being able to say that one’s technology solves a very specific problem, in a unique way, has proved to be a successful strategy for raising critical VC or other investment money.
But when it comes to improving actual cybersecurity posture in the financial world, this approach is not working and is detrimental. Threats and attacks are only growing. The cybersecurity sector, financial institutions and government regulators need a mind shift to change this trend.
Developing more comprehensive tools
Cybersecurity companies serving or looking to serve the financial sector need to think more holistically. They need to offer a solution, or a package of solutions, that solves multiple problems with one product. Alternatively, they could focus on offering a comprehensive solution to one category of challenges, such as covering all SaaS or all application security issues with a single platform. Such an approach would be more effective simply because it reduces the number of tools needed, and it would also appeal to financial institutions that want to reduce the number of tools and vendors they use. After all, CISOs spend much of their time vetting new products. By reducing the number of different tools needed, CISOs would be able to focus more on leading their company's cybersecurity and related business strategy.
By offering better protection through holistic solutions, and reducing a CISO’s workload, cybersecurity companies have much to gain. Rather than focusing on differentiating themselves through technology, cybersecurity providers should think about differentiating themselves by offering holistic products and services that solve pressing real-world problems for their clients.
Banks need to understand risk before investing in solutions
Banks also need to have a more holistic view of security, and to understand what the real threats are, including who the real adversaries are and how a compromise in any branch or business line would affect the institution as a whole, before investing in solutions. No one can protect against everything, so banks need to make sure they are effectively quantifying risk. While there are many platforms and tools for risk quantification, this is something better done with human involvement and experts, supported by automated processes and data.
Only after banks understand their risk quantification can they start to choose the proper and effective security products and services. They should look to use the fewest tools possible to protect themselves, and focus on covering their own well-understood risk rather than seeking to have the newest products for the newest theoretical risks.
But this does not mean that banks should be passive; they constantly need to be evaluating both their risks and their solutions. Ethical hacking, that is, having experts try to breach their defenses and find new vulnerabilities, is one of the most effective ways to do this. This process, and others carried out with the help of qualified experts, will also help ensure that institutions are using the right tools in the right way, and will help reduce expenditure on unnecessary or ineffective cybersecurity products and procedures. This gives the organization the agility to adapt to constantly changing threats. Ideally, with an ongoing, cyclical cycle of testing and review, an organization could reach the point where it anticipates attacks rather than merely reacting to them.
Government agencies need to lead
Lastly, governments need to think beyond regulation, beyond developing requirements that financial institutions need to meet, or the sort of solutions and tools they must have. Although those efforts can help increase awareness about cybersecurity, governments need to go a step further and get more involved in threat hunting and taking offensive and preventive action against threat actors, especially those backed by states. Not only do private companies, including those in the financial sector, lack the resources for this; but by law they cannot engage in offensive cyber actions the way governments can. In addition to increasing coordination with the financial sector, governments should offer more financial aid and training for cybersecurity efforts in the sector.
Governments need to actively fight cyber threats in the financial sector the way they have fought money laundering and terrorism. At the end of the day, cyberattacks on financial institutions are as big a threat to society as money laundering and terrorism, and perhaps a bigger one. Such a grave danger cannot be addressed through regulation and the deployment of private-sector security tools alone. Increased coordination would go a long way toward helping financial institutions identify the real threats and change the current mindset of fighting the problem by simply investing in every tool or security solution possible.
The financial system remains extremely vulnerable to cyberattacks. Even if they invest in every tool on the market and meet every regulation, institutions will not be protected, whether the threat comes from Russia, other state-backed actors or other advanced attackers.
It is true that, despite the warnings from the U.S. and European governments, large cyberattacks on financial institutions have yet to emerge from Russia. However, that does not mean it lacks the capability; it surely has it, but judges that the current situation does not yet call for such actions, which would undoubtedly result in retaliation. This is why the cybersecurity sector, financial institutions and government agencies need to change their attitudes now, before it is too late.