Financial Services IT Overconfident in Breach Detection Skills

Despite the doubling of data breaches in the banking, credit and financial sectors between 2014 and 2015, most IT professionals in financial services are overconfident in their abilities to detect and remediate data breaches. According to a new study by endpoint detection, security and compliance company Tripwire, 60% of these professionals either did not know or had only a general idea of how long it would take to isolate or remove an unauthorized device from the organization’s networks, but 87% said they could do so within minutes or hours.

When it comes to detecting suspicious and risky activity, confidence routinely exceeded capability. While 92% believe vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on their network, for example, 77% said they automatically discover 80% or less of the devices on their networks. Three out of 10 do not detect all attempts to gain unauthorized access to files or network-accessible file shares. When it comes to patching vulnerabilities, 40% said that less than 80% of patches are successfully fixed in a typical cycle.

The confidence but lack of comprehension may reflect that many of the protections in place are motivated by compliance more than security, Tripwire asserts.

“Compliance and security are not the same thing,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”

Check out more of the study’s findings below:

financial services cyber risk management

Staying Ahead of the Financial Industry’s Next Wakeup Call

The financial services sector is no stranger to stringent regulation. At the very least, financial institutions are audited every 18 months. But without a proper security posture, complying with the likes of the Payment Card Industry Data Security Standard (PCI DSS) and others doesn’t always have the dual benefit of protecting against breaches: the PwC 2015 Global State of Information Security report noted a 141% year over year increase in the number of financial services firms reporting losses of $10 million to $19.9 million.

This tells us a few things: first, compliance is all about a company’s interpretation of the rules, which can be bent and glossed over–compliance is, after all, a minimum standard to which firms should adhere. Additionally, regulation needs to have more teeth as security threats become more sophisticated and targeted. Most importantly, with the regulated ecosystem being so complex, institutions should identify the elements prescribed most frequently across compliance mandates and put solutions in place that meet them. While doing so won’t guarantee complete security, it will put firms in the best possible position to protect against attack while simultaneously satisfying auditors.

The Cost of Compliance

The 2014 SANS Financial Services Security Survey, which examines the drivers for security-related spending in the financial services industry, reports that 32% of organizations spend more than one quarter of their IT security budget on compliance mandates. Nearly 16% of respondents say they are spending more than 50% of their security budgets on compliance.

Unfortunately, this investment in compliance doesn’t translate to investment security dollars. In fact, the survey also demonstrates that certain drivers behind firms’ information security programs are competing for resources with compliance mandates; while 69% of respondents say that demonstrating regulatory compliance is a top driver, a majority also cited drivers that tie closely to that, including reducing risk (64%) and protecting brand reputation (51%).

To ensure investment in security and compliance are not mutually exclusive, it takes effort on both sides–firms should put more effective solutions in place, while regulators should have stronger directives to encourage firms to streamline those efforts.

Securing the Endpoint

Specifically, firms should put systems in place that address endpoint vulnerabilities, including insider threat and malware on the devices, rather than on network solutions. The same SANS report elucidates that endpoint vulnerabilities were the biggest causes of security incidents among financial institutions, with abuse or misuse by internal employees or contractors (43%) and spear phishing emails (43%) the most prevalent, followed by malware or botnet infections (42%).

It doesn’t take long to find explicit use cases that corroborate these findings. The JPMorgan Breach, which impacted nearly 76 million households, came down to a hacker that gained high-level administrator privileges. Put simply, the cause for breach wasn’t necessarily the sophisticated malware, but rather, the ritual IT administrator tasks that were compromised. Clearly, while perimeter technologies like firewalls can prevent certain types of external attacks, they cannot block malware that has already found its way onto endpoints within an organization. Layering proactive solutions will be critical to preventing serious threats from occurring.

Least Privilege: The One-Two Punch

Proactive solutions should incorporate layering elements like patching, application whitelisting and privilege management. Taking this defense-in-depth approach will enable financial organizations to more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation. The dual benefit? They will satisfy auditors.

The least privilege methodology in particular, which limits administrator privileges from individuals and grants them to certain applications instead, is broadly prescribed across multiple financial mandates in the United States–from PCI DSS, to Federation of Defense and Corporate Counsel (FDCC) to the Sarbanes-Oxley Compliance (SOX) mandate. For instance, the PCI DSS has a specific requirement to log activity of privileged users and states that employees with privileged user accounts must be limited to the least set of privileges necessary to perform their job responsibilities.

Internationally, the practice is even more strictly enforced. For instance, the Monetary Authority of Singapore (MAS) has technology risk management guidelines that detail a number of system requirements–such as limiting exposure to cyber and man-in-the-middle attacks – that would be very difficult to achieve without a least privilege environment. In fact, the document presents one section dedicated entirely to least privilege. Here, requirements encourage restricting the number of privileged accounts and only granting them on a ‘need-to-have’ basis. The guidelines also encourage the close monitoring of those who are given elevated rights, with regular assessments to ensure they are always appropriately assigned.

Ultimately, limiting privileged access limits hackers’ attack vector and also prevents staff from implementing sophisticated attacks like logic bombs, knowingly or unwittingly. At the same time, the practice will help achieve compliance, driving down unnecessary spending. While progress is being made collectively between firms and regulators, more can be done; regulators can bring endpoint security top of the priority list and firms can put in practice simpler elements for a strong architecture. A next high-profile security beach shouldn’t be the industry’s wakeup call.

Is the Insurance Industry Improving for Women?

women in financial services

More than 70% of women in insurance believe the industry is making progress toward gender equality and, for the second year in a row, over two-thirds think their company is working to promote gender diversity, according to a new survey from the Insurance Industry Charitable Foundation.

After the IICF Women in Insurance Global Conference, which brought together 650 insurance professionals, senior executive speakers, and CEOs to discuss how the industry can increase gender diversity in the workplace, the foundation polled attendees on the current reality of gender diversity and its evolution across the insurance industry.

Almost half of attendees agree that their company is working to promote gender diversity with another 19% strongly agreeing, but 24.5% disagreed, and 7.1% disagreed strongly. Biases in advancement (51%) and lack of opportunities for professional advancement (24.6%) remain the biggest barriers for women seeking leadership positions in their companies, respondents said. The industry may be making some progress on those issues, however, as the percentage of women who named “biases in advancement” and “lack of opportunities for professional advancement” as the chief barriers fell to 68% from 76% last year.

“As evidenced by the tremendous turnout of the 2015 Women in Insurance Global Conference and the engaging discussions it created, companies are clearly recognizing the need for a more gender inclusive workplace,” said Betsy Myatt, executive director of IICF’s Northeast Division.

But the findings make clear that insurance still lags far behind other sectors of the financial services industry in terms of support for women. Those surveyed – who were all there because they work in the insurance industry – said that insurance was the least supportive of advancing women to senior leadership, compared to accounting (47.8%), banking (26.1%) and investment services (14.1%).

“While there is still progress to be made toward achieving gender equality, the vast majority of survey respondents who have found a positive shift in corporate culture is certainly telling of the strides the insurance industry has made thus far,” said Bill Ross, CEO of IICF.

Some of the survey’s key insights include:

Which of the following is the greatest challenge women face in is ascending to positions of leadership within the insurance industry?

  1. Inflexible workplace standards: 7.4%
  2. Women don’t promote themselves enough or effectively: 30.1%
  3. Limited opportunities mobility up the corporate ladder: 39.4%
  4. Lack of C-suite sponsorship: 23.0%

Which of the following financial services sectors is the most supportive of the advancement of women to senior leadership.

  1. Banking: 26.1%
  2. Insurance: 12.0%
  3. Accounting: 47.8%
  4. Investment Services: 14.1%

Which of the following is the biggest barrier to entry (perceived or actual) for women seeking leadership positions in their company.

  1. Lack of opportunities for professional advancement: 24.6%
  2. Lack of desire from company leadership to appoint women to senior leadership roles: 17.0%
  3. Biases in advancement: 51.1%
  4. Desire to start a family: 14.1%

In what way do you believe gender equality has been most improved across the insurance industry?

  1. The establishment of mentorship programs: 14.2%
  2. Sponsoring executive networking opportunities: 24.0%
  3. More active recruitment of a gender-diverse workforce: 26.2%
  4. Shift in corporate culture: 35.6%

Cyberbreach and Reputation Woes Hack Away at Bottom Line for 44% of Financial Firms

According to the 2015 Makovsky Wall Street Reputation Study, released Thursday, 42% of U.S. consumers believe that failure to protect personal and financial information is the biggest threat to the reputation of the financial firms they use. What’s more, three-quarters of respondents said that the unauthorized access of their personal and financial information would likely lead them to take their business elsewhere. In fact, security of personal and financial information is much more important to customers compared to a financial services firm’s ethical responsibility to customers and the community (23%).

Executives from financial services firms seem to know this already: 83% agree that the ability to combat cyber threats and protect personal data will be one of the biggest issues in building reputation in the next year.

The study found that this trend is already having a very real impact: 44% of financial services companies report losing 20% or more of their business in the past year due to reputation and customer satisfaction issues. When asked to rank the issues that negatively affected their company’s reputation over the last 12 months, the top three “strongly agree” responses in 2015 from communications, marketing and investor relations executives at financial services firms were:

  • Financial performance (47%), up from 27% in 2014
  • Corporate governance (45%), up from 24% in 2014
  • Data breaches (42%), up from 24% in 2014

Earning consumer trust will take some extraordinary effort, as a seemingly constant stream of breaches in the news and personal experiences have clearly made customers more skeptical of data security across a range of industries. When asked which institution they trust more with their personal information and safeguarding privacy, today’s consumers ranked traditional financial institutions—including insurers—higher by a wide margin over new online providers, but a larger percentage of consumers do not trust any organization to be able to protect their data:

  • Bank/brokerage, insurance, or credit card company (33%)
  • U.S. Government (IRS, Social Security) or U.S. Postal Service (13%)
  • Current healthcare company (4%)
  • Online wallets (PayPal, Google Wallet, Apple Pay) (4%)
  • Retail chain or small businesses (4%)
  • All other (3%)
  • None of these organizations or companies can be trusted (39%)