Management

Bank managers must regularly test their cybersecurity defences

Fast-moving, dynamic threats are creating new challenges every day. That means institutions must put the right people and the right resources in place to tackle potential security breaches

PUBLISHED : Friday, 21 April, 2017, 4:54pm
UPDATED : Friday, 21 April, 2017, 10:02pm

Dear bank executive, how secure do you think your banking system is?

Probably not secure enough.

Accenture research shows that while many senior bank executives are confident about their cybersecurity strategy, a lack of comprehensive, practical testing is leaving gaps in their defence.

That should concern bank management teams in Hong Kong.

Our report, “Building Confidence: Solving Banking’s Cybersecurity Conundrum”, is based on a global survey of 275 senior security executives across the banking and capital markets sectors. It found that 78 per cent of executives surveyed expressed confidence in their overall cybersecurity strategy, with more than half the respondents indicating high levels of comfort in their ability to identify the cause of a breach, measure the impact of a breach and manage the financial risk due to a cybersecurity event.

However, the analysis also points to ongoing security challenges for banks.

For example, in addition to the many phishing, malware and penetration attacks that banks around the world receive each day, respondents reported that their banks had experienced, on average, 85 serious attempted cyber breaches each year. Of these, about one third (36 per cent) were successful, that is, at least some information was obtained through the breach. In these instances, it took 59 per cent of banks several months to detect breaches that occurred.

What does this mean for Hong Kong’s bank management teams?

Be vigilant. It is imperative to develop and implement the right governance model to drive a holistic approach to cybersecurity. This is critical to strengthening a firm’s external and internal defence capabilities.

Developing effective capabilities should be driven by a two-pronged strategy: focused cybersecurity assessments on one hand and comprehensive testing on the other.

To implement such a strategy, banks require top-down support. Without express and implied backing from the upper echelon of management, the funds and approvals needed to build and maintain a secure system will evaporate.

Our research points to several areas where respondents foresee a significant skills shortage, including endpoint/network security, incident response and vulnerability management. Up until now, many financial institutions have focused on building their technological fortresses, but it's not just the infrastructure that is needed; soldiers are also in demand. Without the people to man the fort, the system can be at risk.

So hiring and continuously training the people with the correct cybersecurity technology skills is required as well.

Most banks have thought through the security risks of known cyberattack practices. Cybersecurity assessment programmes need to be more thorough, though.

Fast-moving, dynamic threats are creating new challenges every day. That means putting the right people and the right resources in place to take the risk seriously.

Banks should concentrate on deploying practical testing scenarios that focus inside the perimeter to ultimately make the crooks' job as difficult as possible. Highly realistic simulated attacks are the only practical way to test your defences. No amount of vulnerability scanning or risk assessment will replicate that.

Chris Thompson is senior managing director and head of financial services cybersecurity and resilience at Accenture Security
