Financial institutions, such as banks and credit unions, have long been a target of cyber and DDoS attacks. These attacks are designed to disrupt operations and access sensitive information, becoming a constant threat, to not only those businesses but to the customers they serve.
In response to this threat, Federal and State bodies, such as the Federal Financial Institutions Examination Council (FFIEC) and New York’s Department of Financial Services (DFS), have enacted measures and procedures to help strengthen cyber security for financial institutions. These guidelines are expectations that banks should have risk management programs to identify new and evolving threats to online accounts. Adjusting customer authentication, layering security and other controls are also considered appropriate responses to the changing levels of risk.
Keeping a financial institution safe from cyber-attacks is a herculean task and, of course, comes at a price. To gain a better understanding of what organizations are doing in response to these regulatory changes and guidelines regarding application and network security, we surveyed over 200 IT professionals. Chief among them were CIO/CTOs representing the financial services industry with global annual sales of $5 billion or more.
What did we learn?
Four in ten respondents state that federal regulations adversely affect their bottom-line results. Both CAPEX and OPEX are taking a hit. Some respondents have made strategic changes, such as investing in new or specialized technologies or by changing security processes and protocols. Others have taken a more tactical approach by hiring internal and external resources and allocating additional budget.
The survey results were interesting, but none were more surprising than this: despite the impact of regulatory changes, respondents believe more can still be done. In fact, 4 in 5 respondents believe it is critical or very important for the federal government to impose stricter regulations around application and network security. In other words, even though their bottom-line is being impacted by federal regulations – they want more.
Other notable findings from our survey:
- 84 percent expect network and applications security to be more tightly regulated by the government over the next 12 months
- 63 percent of respondents indicated a willingness to adopt application and network security best practices from another industry
- 35 percent expect the frequency of cyber-attacks in increase over the next year, while 44 percent anticipate the number of attacks to remain the same
What can you take away from this survey?
One can surmise that IT professionals are okay with stricter regulations as it’s a justification for larger budgets. Cyber-attacks will remain a persistent threat to large organizations and the costs they could incur from proprietary information theft, sabotage or reputation damage outweigh the costs of compliance. Cyber security is a problem across the board – by sharing resources, learning from previous attacks and taking a proactive posture to help mitigate cyber-attacks, a strong defense is being put in place.
Benjamin Franklin once said, “An investment in knowledge pays the best interest.” So, to impart some useful wisdom, here are three simple, but effective techniques that every IT professional should have in their arsenal when facing the constant threat of cyber-attacks:
Assess the Situation: I was surprised to see there were companies in the survey that had no strategy in place against cyber-attacks. Are you proactively protecting yourself against all vectors of attacks? This DDoS Checklist will help you see if you are covering the cyber-attack threats facing your environment. It can help you to identify types of DDoS attacks, threats, targets and techniques.
Know and Address your Limitations: 54 percent of respondents from the survey rely on premise-based technologies to combat cyber-attacks and 21 percent leverage a cloud-based solution. Yet, only 28 percent are using a hybrid approach of the two. Understand that there are limitations to a cloud-based scrubbing solution. Not all network and security appliance solutions are created equal. True security necessitates data protection, system integrity and operational availability. Bolster your weaknesses by merging on-premise and cloud attack mitigation.
Strength in Numbers: More than half of our respondents indicated that they are willing to adopt application and network security best practices from another industry. The Financial Services-Information Sharing and Analysis Center (FS-ISAC) notifies its members when cyber-attacks occur and provides “authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats.” It is a global information sharing resource.
Please feel free to download “How New Cyber Security Federal Regulations Are Impacting Application and Network Security.” You’ll gain additional insights about the top strategic and tactical approaches to new regulations and guidelines and see how organizations will approach compliance with future guidelines and regulations. I’m sure you will find this report a wise investment in knowledge.