Banks lack ammo to fight cyberthreats, says report
Longitude, SAS survey findings target risk-based approach; SAS to expand security intelligence offerings
Evolving security threats, technology limitations and simple lack of awareness make cyberrisk a daunting hurdle for today's banks. A recent survey by Longitude Research, Cyberrisk in Banking , cites lost customer trust as the most significant impact from cyberattacks – nearly double that of monetary losses.
Sponsored by business analytics leader SAS, the study surveyed 250 respondents from retail and commercial banking primarily based in the Western Hemisphere, including North America (40 percent), Europe (21 percent) and Latin America (20 percent). Although cybersecurity is a wide-ranging problem affecting multiple industries, financial institutions often lead the way by experiencing new threats and enhancing their cybersecurity defenses. Nevertheless, just one in five of the executives polled for this study regards overall organizational preparedness for cybersecurity risks as "high." The weakest link reported within banks was a lack of dedicated internal resources – only 24 percent feel "highly prepared" for cyberthreats in this regard.
New communication channels for customer service offer unprecedented convenience. Unfortunately, they also introduce new threats – phishing, botnets and mobile malware being rated among the most likely and most damaging, according to the survey.
Lack of senior executive awareness was common – more than half (54 percent) of survey respondents say financial losses aren't high enough from cyberattacks to warrant board-level attention. "This is partly because most organizations handle security as an extension of IT rather than viewing it as an operational risk," said Christopher Smith, Director of Cyber Strategies at SAS.
Today threats must be evaluated in the appropriate context and prioritized accordingly. For example, the report indicates financial losses are typically low for distributed denial of service (DDOS) attacks, which are politically motivated and primarily designed to block access to websites or online Web services to garner media attention. But it is short sighted to not also consider the loss of customer trust and the risk of tarnished reputation that result from such attacks.
The report recommends that banks need a holistic view of cyberthreats, treating them as operational, enterprise-wide risk.
Absence of information was also a recurring theme, evidence that the value of big data depends upon proper analysis for making better decisions. The report states "this is particularly relevant for cybersecurity, as not all threats are equally severe and must be prioritized accordingly." Interviewees bemoaned a lack of key risk indicators, which would better position them to accurately evaluate threats alongside any organizational weaknesses.
Nearly one in three respondents rated limited customer awareness as a key challenge. Still, less than one in four banks believes internal resources are highly prepared – which is far easier to resolve than external customer attitudes.
How banks can fight back
One of the report's conclusions is that organizations need context-aware analytics to become proactive. By pairing big data assets and high-performing analytics, organizations can spot trends and pre-empt possible attackers. Analytics enables banks to create risk-based responses to potential incidents. This supports the report's realization that organizations must elevate cybersecurity from a technical problem to a broader, risk-based strategy.
"Context-aware security applications have access to more data about what is happening at the moment, and can respond with a wider range of behaviors that are tailored to current conditions," said Avivah Litan, co-author of the footnoted report and Distinguished Analyst at Gartner. "This capability is particularly helpful to enterprise security management because there is no such thing as 'absolute trust.' A decision to let a transaction proceed based on its perceived risk is not made under black-and-white conditions, but rather is best arrived at by gauging the probability of risk incurred by letting the transaction execute."1
New SAS® solutions to combat cybercrime
The Cyberrisk in Banking report underscores the need for banks to better manage, monitor and risk-rate the threats they face. To help organizations combat cyberattacks, SAS is expanding its portfolio of fraud and security intelligence solutions to further address cybercrime in 2014.
"Though cybersecurity is clearly a cross-industry issue, financial institutions are leading a trend toward convergence of fraud and cybercrime prevention technology and operations in support of a holistic approach to cybersecurity," said Stu Bradley, Director of Security Intelligence Solutions at SAS. "This strategy will require new capabilities, not least to fill gaps in the technology marketplace as part of solving the biggest data challenges to date, and in proactively using better analytics to make real-time, risk-based decisions."
Read Cyberrisk in Banking to learn the report's detailed findings.
Today's announcement came at The Premier Business Leadership Series event in Orlando, a business conference presented by SAS that brings together more than 600 attendees from the public and private sectors to share ideas on critical business issues.
SAS is the leader in analytics. Through innovative analytics, business intelligence and data management software and services, SAS helps customers at more than 80,000 sites make better decisions faster. Since 1976, SAS has been giving customers around the world THE POWER TO KNOW®.