Dec 11 2018

Banks Think They’re Cyber Resilient. But Are They Just Overconfident?

The industry has made strides in cybersecurity in recent years. But the hackers are getting better, says Accenture.

Banks and other financial services firms report remarkable confidence in their “cyber resilience” — their ability to resume business activities in the wake of a security breach — but it’s not clear this confidence is entirely justified.

So argues Accenture in its new report, “From Insecurity to Resiliency: 2018 State of Cyber Resilience for Banking and Capital Markets.”

The consulting firm found that about 1 in 7 cyberattacks on financial services firms succeed, and that 42 percent of attacks go undetected for at least a week. Yet 80 percent of banking leaders report that they’re “confident” or “extremely confident” in the effectiveness of their security efforts.

“A case can be made they are unjustifiably overconfident,” says Chris Thompson, global security and resilience lead for Accenture’s financial services group. “Attackers are becoming increasingly sophisticated, and attacks can shut down the business or expose customer data. If about 1 in 7 attempted breaches are successful, that’s still a lot of breaches.”

Yet Thompson agrees that banks do have reason to be proud. Accenture found that the financial services industry is among the more successful when it comes to cyberdefense and that it continues to make strides. For example, banks and insurance companies have stopped 81 percent of attempted breaches this year, compared with 66 percent last year.

In addition, the industry now rates as high-performing in 19 of 33 categories of cyber resilience identified by Accenture, such as cyber incident communication and threat vector monitoring. Last year, financial services firms were high performers in only 15 categories.

The industry is “converging to a level of mastery when it comes to the security status quo,” Thompson said. But there’s much work to be done.


Security Investments Lag in Financial Services

What’s missing from the industry’s defense posture is investment in AI, machine learning and other advanced security technology, according to the Accenture report. Banks are locked in an arms race with sophisticated threat actors who regard them as high-value targets and are increasingly deploying advanced technology in their attacks. The consulting firm says banks aren’t responding in kind to the degree required.

“We see sophisticated technologies largely determining the future of both cyberattacks and cyber resilience in banking,” Thompson said. “But fewer than half of firms are investing in artificial intelligence and machine learning, and in automation technologies in the context of cyber defense. These are the same technologies that the ‘cyber bad guys’ are now using.” He added that “AI, machine learning and robotic process automation can provide a consistent way to monitor for and combat these threats, but only if firms are willing to invest in them.”

In its research, Accenture asked executives from more than 400 financial services companies about their security technology investments. Here are the percentages of those investing in each tech category:

  • Security intelligence platforms: 56 percent
  • Blockchain: 46 percent
  • Robotic process automation: 38 percent
  • Internet of Things security: 50 percent
  • Machine learning/AI: 43 percent

For all the progress businesses have made, such numbers are worrying, Thompson says. “As business technology evolves, so too must cybersecurity. The new technologies that banks and insurers are embracing — including cloud, microservices, application programming interfaces, edge computing and blockchain — will create new security risks, especially as cyberattacks evolve in sophistication.”
