Cybersecurity in a post-pandemic world

A focus on financial services

Remote work and the digitalization of operational, distribution, and customer engagement processes are here to stay. How should CISOs, CIOs, and C-suite executives structure their cybersecurity programs in this evolving environment? This report shares the survey results about cybersecurity practices at 162 global financial services organizations, which may help you identify investment priorities and allocate budgets.

  • Two out of three surveyed[1] have experienced between one and 10 cyber incidents or breaches between 2020 and 2021. It only takes one incident to potentially cripple an organization and bring reputational, financial, or operational havoc.
  • The rapid growth of remote work has increased the number of challenges organizations face in securing their ecosystem. Imagine going from one managed network to managing hundreds of networks, depending on the size of your remote staff.
  • It is time to retire legacy systems to pave the way for the latest tools and technologies in order to provide effective online and mobile services and differentiate yourself in the marketplace.
  • Data privacy and security, and the struggle to attract talent, remain critical reasons[2] for the hesitation to mature core IT infrastructures to cloud technologies.
  • CISOs should be given greater authority to influence the lines of business and gather information from across the enterprise. They need to be ready to have open and frank conversations with board members, senior management, and stakeholders.
  • The rush toward creating new fintech solutions has coincided with a marked rise in cyberattacks. In fact, attacks targeting financial apps rose by 38% year over year.[3]
  • Extended enterprise risk is a harsh reality that organizations need to plan around. Dependency on third, fourth, and fifth parties will likely continue to grow, which increases the need to monitor those relationships in real time.
  • Human vulnerability remains the No. 1 cybersecurity threat. Awareness training remains a priority but is not sufficient. Creating a culture of cybersecurity is important.
  • CEOs and boards are increasingly calling for more sophisticated risk quantification techniques that tie into broader business risks.

[1] Deloitte Touche Tohmatsu Limited, 2021 Future of Cyber Survey
[2] Ibid.
[3] Ibid.

Because the COVID-19 pandemic expedited the transition to remote work and digitalization, financial services organizations should make sure the resulting network changes are secure. Many in the industry have stepped up cybersecurity defense efforts, but there’s still work to do.

As part of Deloitte Touche Tohmatsu Limited’s 2021 Future of Cyber survey, this report focuses specifically on what’s on the minds of leaders in the banking and capital markets, insurance, investment management, and real estate sectors. An analysis led to four definitive conclusions on the state of financial services cybersecurity risk.

Short-term fixes should advance promptly to steady state

Now that hybrid workforces and virtual engagement are here to stay, the time for testing is over—and the work begins to determine which changes to incorporate for the long term and which challenges remain to be resolved. Furthermore, the evidence to move to a new steady state speaks for itself: Over the past year, cyber incidents have ballooned.

Endpoint detection and response (EDR) and security monitoring to detect cyberthreats are important but no longer enough. Aggressively monitoring access controls and instituting a continuous cycle of employee awareness training and compliance tracking—both for staff returning to the office and for those working remotely—are now essential.

Notably, respondents reported the biggest challenge impacting their organization is managing data and perimeter protection. In contrast, rapid technology change was identified as the number one challenge in managing cybersecurity in previous years.

Legacy systems are slated for retirement

IT departments can no longer operate in silos. They should seek to further mature their infrastructures as the industry moves to virtualize the workforce and revamp legacy cybersecurity infrastructure. According to the survey respondents, scaled cyber solutions both in the cloud and for the cloud are being prioritized to enhance cyber defense capabilities.

Additionally, now that cybersecurity has board-level visibility, CISOs should look beyond network functionality and be ready to talk to board members, senior management, and stakeholders in a language they understand and about the cyber risks that most concern them. CISOs can leverage this attention to integrate cybersecurity into product design and platform innovation from the outset.

Extended ecosystems call for stronger detection and control mechanisms

Although third-party risk management has been a regulatory requirement for years, innovations in open banking and fintech relationships are amplifying this mandate. The constant development of new open application programming interfaces (APIs) to connect banks with other institutions has sparked debate about who owns a customer’s financial data. And these new fintech solutions have coincided with a rise in cyberattacks.

Zero trust, a set of policies based on the principle of “never trust, always verify,” continues to emerge as a leading practice. It enforces least privilege access to everything from networks and applications to users, devices, and workloads.

Organizations can get ahead of evolving threats by incorporating such security-by-design principles into IT service development and embedding cybersecurity requirements into the architecture and design stages of software development.

Some things never change

While budgets for annual cybersecurity spend as a percentage of revenue have grown consistently over the past three years, human vulnerability remains the top cyberthreat. In 2021, infrastructure security, the Internet of Things (IoT), industrial control systems (ICS), and operational technology (OT) together claimed roughly 20% of budget allocations, followed by threat intelligence, detection, and monitoring (14%), and cyber transformation (14%). 

Some cybersecurity professionals report implementing automated behavioral analytics tools to detect potential risk indicators among employees. Others continue to use leadership to monitor employee behaviors and risk indicators, or say they have no way to detect or mitigate these risks.

To provide a measurable return on cybersecurity investments, CISOs may need additional tools in their risk management arsenals, including the adoption of risk quantification techniques.

Where to go from here

With remote work and digital transformation here to stay, it’s time for financial services organizations to get more serious about embracing the cloud, securing the extended enterprise, focusing on a trusted customer experience, building resilient operations, and remediating control gaps. This involves a multi-pronged approach that sees the adoption of more sophisticated incident detection and response capabilities, enhanced perimeter controls, improved risk identification methods, and more focused employee education initiatives. While there is no one-size-fits-all solution for stakeholders across the industry, it seems universally true that elevated risks will continue to compel new responses.
