Finance Execs Are Too Confident in Their Security

Inside threats continue to plague companies. And they're really hard to spot.


Accenture, a global management-consulting firm, has released its annual “High Performance Security Report.” A look back at 2016, it contains two head-scratching findings.

The first is that 78% of security executives at large banking enterprises are confident in their security profiles. Yet the second reveals that one-third of attempted breaches at financial-service institutions have been successful. Nearly half of the respondents attributed the latter to “malicious insiders.”

Another study, this one from IBM, found not only that the financial sector is attacked 65% more than other industries, but also that an estimated 58% of those attacks can be attributed to inside-enterprise threats. This includes malicious employees, but also accounts for a larger demographic that is inadvertently compromised by, say, phishing. This industry is a unique target because, by virtue of being banks, stolen data offers an immediate pay-off to criminals.

Banking executives shouldn’t be so confident. Combined, these reports indicate that financial enterprises feel positive about shoring up perimeter-style security—at the expense of investing in analytics that surface much harder-to-spot threats inside the enterprise. This is a growing risk-management problem.

A good place to start is to nurture co-ownership of cybersecurity. Start by having IT and HR teams work together to implement employee-training programs: what phishing attempts look like, how to secure mobile devices, even creating confidentiality agreements where necessary.

Those teams should likewise be reactive in updating security protocols that change with personnel adjustments—including altering access and deleting accounts where necessary. The devil really is in the details: this reminds us of the infamous case of Jérôme Kerviel, a French trader who lost roughly $7.2 billion at Société Générale through unauthorized trading. This could’ve been prevented if the bank had simply adjusted network access to his new job role.

Then it’s up to executives to optimize or upgrade their current security solution with enough visibility to find covert inside threats. This is a taller order than it would seem, and perhaps explains their false sense of confidence.

Any type of account compromise, misuse, or escalation is subtle enough to frequently elude the parameters set by thresholds or rules. Meanwhile, unable to discern the anomalous from the norm, SIEMs can dispatch way too many alerts, putting the onus on SecOps teams to determine which leads to chase. While popular, these are quickly proving to be antiquated solutions.

That same Accenture study also reported that 59% of its banking execs admit that it takes months to detect successful breaches. Detection is simply step one of risk management. And the cost of time lost in operations and reputational hit is often worse than immediate fiscal loss. The answer is to look at security holistically: a man-and-machine approach, where strategic company infrastructure is buoyed by an expansive analytics solution.

Are you attending FS-ISAC? See Interset’s CTO, Stephan Jou, present a case study of how one global bank uses machine learning-based analytics to mitigate fraud. He’ll speak on Wednesday, May 3 at 1:30 p.m. You can also visit Interset at booth #16.