Remote work and the digitalisation of operational, distribution and customer engagement processes are here to stay. How should CISOs, CIOs and C-suite executives structure their cybersecurity programmes in this evolving environment? This report shares survey results on cybersecurity practices at 162 global financial services organisations, which may help you identify investment priorities and allocate budgets.
Short-term fixes should advance promptly to steady state
Now that hybrid workforces and virtual engagement are here to stay, the time for testing is over, and the work of deciding which changes to keep for the long term and which challenges remain unresolved begins. The case for moving to a new steady state speaks for itself: over the past year, cyber incidents have ballooned.
Endpoint detection and response (EDR) and security monitoring to detect cyberthreats are important but no longer enough. Aggressively monitoring access controls and instituting a continuous cycle of employee awareness training and compliance tracking—both for staff returning to the office and for those working remotely—are now essential.
Notably, respondents reported that the biggest challenge facing their organisation is managing data and perimeter protection. In previous years, by contrast, rapid technology change was identified as the number one challenge in managing cybersecurity.
Because the COVID-19 pandemic expedited the transition to remote work and digitalisation, financial services organisations should make sure the resulting network changes are secure. Many in the industry have stepped up cybersecurity defence efforts, but there’s still work to do.
As part of Deloitte Touche Tohmatsu Limited’s 2021 Future of Cyber survey, this report focusses specifically on what’s on the minds of leaders in the banking and capital markets, insurance, investment management and real estate sectors. The analysis led to four conclusions on the state of financial services cybersecurity risk.
Legacy systems are slated for retirement
IT departments can no longer operate in silos. They should seek to further mature their infrastructures as the industry moves to virtualise the workforce and revamp legacy cybersecurity infrastructure. According to the survey respondents, scaled cyber solutions both in the cloud and for the cloud are being prioritised to enhance cyber defence capabilities.
Additionally, now that cybersecurity has board-level visibility, CISOs should look beyond network functionality and be ready to talk to board members, senior management and stakeholders in a language they understand and about the cyber risks that most concern them. CISOs can leverage this attention to integrate cybersecurity into product design and platform innovation from the outset.
Extended ecosystems call for stronger detection and control mechanisms
Although third-party risk management has been a regulatory requirement for years, innovations in open banking and fintech relationships are amplifying this mandate. The constant development of new open application programming interfaces (APIs) to connect banks with other institutions has sparked debate about who owns a customer’s financial data. And these new fintech solutions have coincided with a rise in cyberattacks.
Zero trust, an approach built on the principle of “never trust, always verify,” continues to emerge as a leading practice. It applies least privilege access to everything from networks and applications to users, devices and workloads: every request is authenticated and authorised on its own merits, rather than being trusted because of where on the network it originates.
Organisations can get ahead of evolving threats by incorporating such security-by-design principles into IT service development and embedding cybersecurity requirements into the architecture and design stages of the software development.
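To make the “never trust, always verify” and least privilege points above concrete, here is a small policy decision point written for this article. It is an added example, not code from the report or from any Deloitte tooling; the resource names, roles, device posture fields and the eight-hour re-authentication window are hypothetical, and the sample subjects and devices are constructed. Each request is evaluated from scratch against identity strength, device posture and an explicit per-resource permission table, with deny as the default; the source IP is carried on the request but deliberately never consulted.

```python
"""Tiny zero-trust policy decision point (illustrative, hypothetical policy).

Every request is evaluated from scratch against identity, device posture and a
least-privilege resource policy. Nothing is trusted because of where it comes
from, and anything not explicitly granted is denied.
"""

from dataclasses import dataclass

# Hypothetical least-privilege policy: resource -> action -> roles allowed.
# Anything not listed here is denied (default deny).
POLICY = {
    "payments-api": {"read": {"ops", "payments"}, "write": {"payments"}},
    "customer-db": {"read": {"support", "payments"}},
}

MAX_AUTH_AGE_SECONDS = 8 * 3600  # hypothetical re-authentication window


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_time: int  # epoch seconds of the last successful authentication


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool       # enrolled in the organisation's device management
    patched: bool       # OS and agents at the required patch level
    edr_healthy: bool   # EDR agent present and reporting


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    now: int             # epoch seconds at which the request is evaluated
    source_ip: str = ""  # recorded for audit only; network location is not trust


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). An empty reason list means allow; every
    failed check is reported so that denials are explainable and auditable."""
    reasons: list[str] = []

    # "Always verify": identity must be strong and recent on every request.
    if not req.subject.mfa_verified:
        reasons.append("mfa-not-verified")
    if req.now - req.subject.auth_time > MAX_AUTH_AGE_SECONDS:
        reasons.append("authentication-stale")

    # Device posture is part of the decision, not just the user.
    if not req.device.managed:
        reasons.append("device-unmanaged")
    if not req.device.patched:
        reasons.append("device-unpatched")
    if not req.device.edr_healthy:
        reasons.append("edr-unhealthy")

    # Least privilege: the action on this resource must be explicitly granted
    # to one of the subject's roles. Unknown resources or actions are denied.
    allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.subject.roles & allowed_roles):
        reasons.append(f"no-role-for-{req.action}-on-{req.resource}")

    return (not reasons, reasons)


# Constructed sample data (hypothetical users and devices).
NOW = 1_700_000_000
ALICE = Subject("alice", frozenset({"payments"}), mfa_verified=True, auth_time=NOW - 600)
BOB = Subject("bob", frozenset({"support"}), mfa_verified=True, auth_time=NOW - 600)
LAPTOP = Device("lt-0001", managed=True, patched=True, edr_healthy=True)
HOME_PC = Device("unknown", managed=False, patched=False, edr_healthy=False)


def sample_decisions() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate a handful of constructed requests; used by the demo below."""
    return {
        # Right role, healthy device, fresh MFA session: allowed.
        "alice-write-payments": evaluate(Request(ALICE, LAPTOP, "payments-api", "write", NOW)),
        # Same user, same role, on the office network but from an unmanaged device: denied.
        "alice-write-payments-home-pc": evaluate(
            Request(ALICE, HOME_PC, "payments-api", "write", NOW, source_ip="10.1.2.3")),
        # Support role may read customer records but was never granted write.
        "bob-write-customer-db": evaluate(Request(BOB, LAPTOP, "customer-db", "write", NOW)),
        # Session older than the re-authentication window: denied until re-verified.
        "alice-stale-session": evaluate(
            Request(ALICE, LAPTOP, "payments-api", "read", NOW + MAX_AUTH_AGE_SECONDS + 1)),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY':5} {reasons}")
```

The point of the second and fourth cases is that the same user with the same role is denied once either the device posture or the freshness of the authentication falls short, which is what distinguishes a zero-trust decision from a traditional perimeter check; the denial reasons are returned rather than just a boolean so they can feed the monitoring and compliance tracking discussed earlier.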
Some things never change
While budgets for annual cybersecurity spend as a percentage of revenue have grown consistently over the past three years, human vulnerability remains the top cyberthreat. In 2021, infrastructure security, the Internet of Things (IoT), industrial control systems (ICS) and operational technology (OT) together claimed roughly 20% of budget allocations, followed by threat intelligence, detection and monitoring (14%), and cyber transformation (14%).
Some cybersecurity professionals report implementing automated behavioural analytics tools to detect potential risk indicators among employees. Others still rely on managers to observe employee behaviour and risk indicators, or say they have no way to detect or mitigate these risks at all.
To provide a measurable return on cybersecurity investments, CISOs may need additional tools in their risk management arsenals, including the adoption of risk quantification techniques.
Where to go from here
With remote work and digital transformation here to stay, it’s time for financial services organisations to get more serious about embracing the cloud, securing the extended enterprise, focussing on a trusted customer experience, building resilient operations and remediating control gaps. This involves a multi-pronged approach that sees the adoption of more sophisticated incident detection and response capabilities, enhanced perimeter controls, improved risk identification methods and more focussed employee education initiatives. While there is no one-size-fits-all solution for stakeholders across the industry, it seems universally true that elevated risks will continue to compel new responses.
As the COVID-19 pandemic pushed some workforces to go fully remote and customers demanded almost-complete virtual engagement, financial services leaders had to find ways to digitalise their operational, distribution and customer engagement processes. Meanwhile, cyber risk professionals were simultaneously faced with the enormous challenge of rapidly adapting their cybersecurity capabilities in response to the evolving digitalisation needs.