Understanding cyber from the C-Suite

Stay ahead of cybercriminals

Benjamin Franklin once said, “By failing to prepare, you are preparing to fail.” He may as well have been speaking about cybersecurity, where preparedness is absolutely vital. As organizations look to improve their cybersecurity capabilities, there are two factors to keep in mind:

• Risk cannot be entirely eliminated because the reality is that it is no longer a question of whether a business will be attacked, but when.
• Bad actors always rewrite their playbooks, which means cybercriminals find new ways to achieve their objectives.

While many organizations spend significant sums to protect their businesses, we believe organizations should also focus their efforts toward detection and resolution. Cybersecurity programs actively protect only about 60% of an organization’s business ecosystem, on average, according to a January 2020 report from Accenture.¹ In fact, the three areas of cybersecurity protection with the largest increases in cost are network security, threat detection and security monitoring.

With that backdrop, it is no surprise that 69% of the report’s respondents say that staying ahead of attackers is a constant battle. Of course, the direct costs of security are painful, but they likely pale in comparison to indirect losses, such as the loss of trust or the cost of the remedial work required to thoroughly clean systems after a breach. As a business leader, consider these questions: “Is cybersecurity one of my top priorities? Am I confident that my organization is protected?” Large financial firms have long been targeted by cybercriminals, but the continuing rise of cybercrime has served as a wake-up call for smaller organizations.

Organizational reputation at stake

As is often the case with technology and innovation, financial firms tend to lag behind many other types of companies in risk management awareness and protocols. In January 2020, the Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) issued a position statement reminding financial institutions of the principles of sound cybersecurity risk management. These principles include response and resilience capabilities, protection against unauthorized access, secure configuration of systems and services, data protection, and employee training.² Leaders and employees who are responsible for cybersecurity say they are concerned about the number of ways their organizations could be harmed. First and foremost is the potential reputational damage. After all, the fact that a cyberattack succeeded may be more harmful to manage than the actual damage done by a breach.

Risks are not limited to direct costs associated with an actual attack or reputational damage. Specifically, regulatory risk is top of mind for many organizations that might make themselves vulnerable to enforcement actions simply by failing to do any number of things. These include enforcing policies, conducting periodic assessments, responding to identified deficiencies, protecting customer information, or having adequate policies, procedures or protections regarding vendors and outsourcing.

Preparing for future threats

As humans, we naturally gravitate toward focusing on the past, but when it comes to cybersecurity, emerging and future threats are ultimately more dangerous, which means adaptability is critical. While existing technology can help identify and neutralize incoming threats, newer technology is increasingly better able to predict future hacks and devise solutions to as-yet unknown attacks. Prevention, detection and recovery are equally vital. Preventative steps include things such as encryption, firewalls, permissions, backup and training — and much of this work is structural. Data that flows across internal and third-party infrastructure needs to be classified and subsequently mapped from creation to destruction, with all access points in between.

Organizations will also need to prioritize their spending according to the value of the data in question. Sensitive data — such as Social Security numbers or strategic assets — and trading algorithms used by investment managers, for example, are high priorities that should be protected by multiple layers of security. Other types of information may not demand a similar level of attention or budget.

A cybersecurity plan should take into account known and potential threats along with regulatory requirements, the firm’s risk management strategy, due diligence requirements and client preferences. Cloud computing offers new delivery models for threat intelligence, while big data analytics promise to change what is even possible when it comes to security. Improving cybersecurity protection can decrease the cost of cybercrime and open up new revenue opportunities.

By prioritizing technologies that improve cybersecurity protection, organizations can reduce the consequences of cybercrime and protect the future of a financial institution. As the cyber landscape continues to evolve and threats multiply, cybersecurity plans have quickly gone from being good ideas to indispensable assets.

¹ Bissell K, LaSalle RM, Dal Cin P. “Third Annual State of Cyber Resilience,” Accenture Security, January 2020. https://www.accenture.com/us-en/insights/security/invest-cyber-resilience

² “FDIC, OCC Issue Joint Statement on Heightened Cybersecurity Risk.” ABA Banking Journal, Jan. 17, 2020. https://bankingjournal.aba.com/2020/01/fdicocc-issue-joint-statement-on-heightenedcybersecurity-risk/