November 29, 2012
Booz Allen Announces Top 10 Financial Services Cyber Risk Trends for 2013
NEW YORK --(Business Wire)--
Ask any customer what they expect from their bank or financial services
firm today, and two words come through loudly and clearly: security and
privacy. Commercial and institutional customers have come to expect
seamless service, properly cleared transactions and fast, accurate
information. But news about major cybersecurity breaches has alarmed
consumers, causing banks to redouble their efforts to protect their
technology infrastructure. This means the stakes have never been higher
for banks and financial services firms, and there are clear trends for
cyber risk and security protection in the financial services industry in
2013, according to the experts at Booz Allen Hamilton.
"When we think about the lethal daily threats to the globally integrated
financial services industry from nation-states and individuals, it is
imperative that Chief Information Security Officers begin looking around
corners, talk with each other and better prioritize the real threats to
their firms," said Mike McConnell, Booz Allen vice chairman and former
Director of National Intelligence. "Self-evaluation and industry-wide
conversations are the new 'rules of the road' to creating successful,
integrated cyber defenses. The CISO can really drive organization-wide
change while still championing efficiency and customer service."
McConnell is speaking today at Bloomberg's Enterprise Risk Conference,
where he will discuss the financial services industry's responses to
state-based and state-sponsored cyber attacks. He added,
"There are many cyber trends - including the sophistication and
lethality of the attacks - that the financial industry should be aware
of. Even though it is difficult to look into a crystal ball and predict
the future, these events are happening now and could cause significant
reputational, financial and infrastructure damage to any ill-prepared
firm. Individual companies should not wait for legislation or an
Executive Order to come together with their government counterparts to
find dynamic solutions to these big issues."
Booz Allen works with financial services firms to identify and benchmark
best practices and challenges for long-term cybersecurity prevention and
protection. This process is part of Booz Allen's Cyber M3 (Measure,
Manage, Mature) capability, which evaluates the maturity of a firm's
cybersecurity programs. Both Cyber M3 and the benchmarking program
incorporate technology, business process engineering, human capital
development and risk management in developing a comprehensive picture of
a firm's and industry's cyber readiness.
The Top 10 Financial Services Cybersecurity Trends for 2013:
- Business/information risk protection is not just a technology issue -
Spending on new technology alone is not enough to protect a firm's
information and business. Firms must also invest in people and in
fine-tuning processes to ensure not only the proper use of technology,
but also that the processes that require interfaces between
organizations are well managed and executed flawlessly. No matter how
good a technology is, if it is not used correctly by skilled employees
who follow well-defined processes, vulnerabilities will surface that can
be leveraged by both internal and external threat actors.
- Data disruption attacks may become data destruction attacks - The
potential of threat actors actually destroying data is a major concern
among risk and security professionals. Over time, the financial services
industry will face threats from extremist groups who, when denied access
to weapons of mass destruction, will use cyber as a "weapon of mass
disruption." Additionally, threat actors who mean to disrupt a firm's
business operations to make a statement or prove what they consider a
moral point will also utilize destruction of data to ensure they make an
impact.
- Nation-states and threat actors are becoming more sophisticated - We
now have to face more sophisticated threat actors, such as smaller
nation-states and terrorist elements obtaining similar capabilities. The
financial services industry must fully understand the entire threat
landscape and what this means in terms of employing the right people,
technology and processes to ensure business continuity and proper risk
management.
- Legislation could push industry standards around cyber risks and
improve threat intelligence information sharing - Banks already share
information, but they will need to do more in light of possible
legislation to set standards for cyber protection. If Congress allows
the sharing of important national security information, industry
standards could become a benchmark requirement that firms must meet
before they are given access to government information. Additionally,
such legislation could help reduce the valid fears firms have about
sharing cyber incident information due to the threat of penalties and
further regulation. Industry and government must acknowledge and treat
firms as part of the nation's critical infrastructure, because a breach
at any one bank or firm can have severe, cascading effects on the
nation's stability.
- Predictive threat intelligence analytics will create a more effective
risk management capability - Financial services firms must begin to
employ a more predictive threat intelligence capability to determine who
might be trying to attack them and how. Focusing on understanding their
own individual business risks (as well as industry risks) and combating
real potential threats that could target such risks is much more
effective than trying to create a defense that could cover any possible
threat.
- Vendor risk management is becoming an increasingly important concern
among firms - Most firms buy much of their information technology and
services from suppliers. Therefore, these suppliers' vulnerabilities
become the vulnerabilities of the firms to which they provide products
and services. Firms are becoming more focused on the security
requirements for these suppliers and are engaging independent third
parties to evaluate the risks around such products and services.
- Cyber risk continues to be a board-level issue - Information, legal
documents, and communications with clients and employees are all
becoming more electronic every day, including an even greater usage of
mobile technologies and social media. The boards of financial
institutions must create and embrace a culture that acknowledges the
evolving risks and more openly shares incident information across the
industry, with technology providers, and with both law enforcement and
the federal government.
- Firms must continue to embrace and adapt to the new "boundless
network," and must also invest in training their workforce to properly
access and protect corporate data - Cloud, social and mobile
technologies, including "Bring Your Own Device" (BYOD), are simply too
cost-efficient and effective for institutions to ignore. Security and
risk professionals need to better integrate these technology trends,
which will require them to embrace the fact that the corporate network
has now extended beyond their control. Risk management and mitigation
are evolving to better control how corporate data travels these
boundless networks and to educate employees on the responsibilities they
have in securing such data.
- Identity and access management is becoming a key security control area
in which firms will continue to invest heavily - The days of focusing
solely on perimeter defense have long since passed. Phishing and other
social engineering strategies employed by threat actors have been very
effective in allowing them to penetrate almost any network. Banking
institutions must assume these actors can get in. Verifying the identity
of an authorized individual is a key area being addressed by firms in
all industries to address this new paradigm. Most threat actors gain
access to networks and information by obtaining the valid credentials of
a firm's employee so that their actions go undetected. Firms will
continue to invest heavily in ensuring that an authorized user is
actually the authorized user. Additionally, firms will invest more
heavily in tracking unusual user activity to detect stolen credentials
or an insider threat.
- The financial services industry will rely more heavily on cyber
benchmarking - The FS industry is investing more and more in protecting
its information assets, and wisely spending these scarce dollars is
becoming increasingly important, not only from an effectiveness
standpoint but also to be able to articulate to business leaders the
value of such an investment. The FS industry, therefore, will continue
to use industry benchmarks to understand how their competitors and
suppliers are investing in people, processes and technology for cyber
risk management.
For 2012, Booz Allen issued its first annual list of cybersecurity
trends for the financial services industry. Since then, the industry has
experienced a number of high-profile attacks, such as the DDoS attacks
on U.S. commercial banks and the New York Stock Exchange.
"In the span of one year, we have seen a significant shift in the
frequency and sophistication of cyber attacks on financial services
firms. This is perhaps the biggest trend of them all," McConnell said.
ABOUT BOOZ ALLEN HAMILTON
Booz Allen Hamilton is a leading provider of management and technology
consulting services to the U.S. government in defense, intelligence, and
civil markets, and to major corporations, institutions, and
not-for-profit organizations. Booz Allen combines deep technical
knowledge with expertise in each client's core mission to deliver proven
results. Booz Allen is headquartered in McLean, Virginia, employs
approximately 24,000 people, and had revenue of $5.86 billion for the 12
months ended March 31, 2012 (NYSE: BAH).