40 million. 76 million. 90 million. 130 million. 143 million. Those are the numbers of people or households affected by the worst five cyberattacks in the banking and capital markets sectors in the 21st century.[1]
In my first blog in this series on cybercrime, I discussed cybersecurity capabilities and issues across the entire financial services industry, based on findings from Accenture’s 2019 “Cost of Cybercrime” report. Digging deeper into results specifically for banking and capital markets (banking), we can see several cybersecurity trends to worry about:
- High costs. The average cost of cybercrime for a banking company in 2018 was $16.7 million, 28% higher than the average for all other industries surveyed.
- Greater concerns about malware and web-based attacks. Malware occurrences are experienced by 96% of the banking companies surveyed, with web-based attacks following at 87%. Those are both costly events, with web-based incidents costing $202,000 and malware $192,000 on average. Interestingly, denial-of-service attacks are experienced by fewer banks (51%), yet are the most costly to resolve at $208,000 per incident on average.
- Global issues. Looking for a moment at the global study, we can see that the cost of cybercrime is increasing across all countries surveyed. The average increase in cyberattack costs for the countries in our sample is up 26% since 2017. The United Kingdom (+31%), Japan (+30%) and the United States (+29%) have the largest increases, followed by Australia (+26%).
In addition to these general numbers, I want to look more closely at two areas where I believe banks are underinvesting: (1) the people/human aspects of cybersecurity; and (2) advanced technologies.
The human factor
Several years ago, an employee working for an Asia-based credit bureau secretly copied databases containing customer details. Identification numbers, credit card numbers, and addresses were stolen from 20 million victims. In another incident, a former employee stole and sold customer information on millions of mortgage loan applicants.[2] These stories highlight the fact that malicious insiders are a real threat to banks.
Three-fourths of the banking companies we surveyed had experienced people-related incidents such as phishing and social engineering (just behind malware and web-based attacks, the top answers), with an average cost of $118,000 to resolve. Forty percent had experienced a malicious insider event, with an average cost of $116,000.
Of special concern is the fact that a malicious insider attack takes the longest, on average, to resolve—51.8 days, compared with malicious code (51 days) and ransomware (41.5 days). (See Figure 1.)
Figure 1: Malicious insider attacks take the longest for a banking company to resolve
Yet, enterprise spending on the human layer of cybersecurity is not matching risk levels. Just 9% of budgets are spent on this dimension, fifth in the list of six layers surveyed. The network and application layers had the most investments, at 37% and 27%, respectively. (See Figure 2.)
Figure 2: Insufficient investments are being made in the human layer of the cybersecurity stack
The role of advanced technologies
Automation, artificial intelligence (AI) and machine learning are being applied by only about one-third (34%) of banking companies surveyed (third-lowest deployment rate). Most investments are being made in security intelligence and threat sharing (79%), as well as advanced perimeter controls (62%).
Banks should be aware, however, that criminals always seem to find a way through their perimeter, sometimes by manipulating insiders through social engineering, as just discussed.
I expect this technology underinvestment to turn around relatively soon. One reason: our survey found that automation, AI and machine learning deliver the largest cost savings ($3.7 million) among security technologies when fully deployed by banks. Automation, AI and machine learning deliver 30% better cost savings than security intelligence and threat-sharing technologies, and over 2.4 times more savings than advanced perimeter controls.
Value at risk
Based upon an economic model developed for the study, we identified the economic value (expected cost savings and additional revenue opportunities) over the next five years that is at risk to cyberattacks. In the banking sector, $347 billion is at risk. For capital markets, the number is $47 billion. The “value at risk” number is new to this year’s report and we will look forward to tracking trendlines in the coming years to put those value numbers in a larger context.
To help prevent this loss of economic value, banks and capital markets firms should:
- Place greater emphasis on protecting and educating people because of the rise in phishing, ransomware and malicious insider attacks.
- Create controls such that no single employee or compromised machine can wreak havoc across the entire organization. Use Privileged Access Management, a control mechanism to put greater scrutiny around the granting of higher access privileges. Also segment data such that people do not have access to a full set of data.
- Grasp the innovation opportunity and more proactively invest in breakthrough technologies to enhance cybersecurity effectiveness and scale. Use automation and advanced analytics to manage the rising costs of discovering attacks, which is the largest component of spend.
- Invest to prevent information loss and business disruption, which are growing concerns, especially given new privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
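The second recommendation above (no single employee or compromised machine can wreak havoc; privileged access gets extra scrutiny; nobody sees the full data set by default) can be made concrete in code. The following is an added example written for this post, not code from Accenture or the report: a small access broker that returns only the field subset each role needs, masks sensitive fields unless a time-limited elevation has been approved by a second person, logs every elevation and read, and rejects bulk reads that would let one account copy the database wholesale (the insider pattern described in the human-factor section). Role names, field names, the per-query limit and the customer records are all constructed for illustration.

```python
"""Least-privilege data segmentation with just-in-time privileged access (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (fake values), keyed by customer id.
CUSTOMERS = {
    1: {"id": 1, "name": "A. Example", "address": "1 Sample St",
        "card": "4111111111111111", "national_id": "X-0001"},
    2: {"id": 2, "name": "B. Example", "address": "2 Sample Ave",
        "card": "5500000000000004", "national_id": "X-0002"},
}

# Data segmentation: each (hypothetical) role sees only the fields its job needs.
ROLE_FIELDS = {
    "teller": {"id", "name"},
    "mailing": {"id", "name", "address"},
    "fraud_analyst": {"id", "card", "national_id"},
}
SENSITIVE = {"card", "national_id"}     # returned masked unless an elevation covers them
MAX_RECORDS_PER_QUERY = 50              # assumed bulk limit; tune to the real workload


class AccessDenied(Exception):
    pass


def mask(value: str) -> str:
    """Keep the last four characters of long values; fully mask short ones."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 8 else "*" * len(value)


@dataclass
class Grant:
    user: str
    fields: frozenset
    approver: str
    reason: str
    expires_at: datetime


class AccessBroker:
    """Mediates all reads; keeps an append-only audit list for the SOC."""

    def __init__(self):
        self.grants = {}   # user -> active Grant
        self.audit = []    # list of audit event dicts

    def request_elevation(self, user, fields, approver, reason, now, minutes=30):
        # Four-eyes rule: a privileged grant must be approved by someone else.
        if approver == user:
            self.audit.append({"event": "elevation_denied", "user": user, "why": "self-approval"})
            raise AccessDenied("approver must differ from requester")
        grant = Grant(user, frozenset(fields), approver, reason, now + timedelta(minutes=minutes))
        self.grants[user] = grant
        self.audit.append({"event": "elevation_granted", "user": user, "fields": sorted(fields),
                           "approver": approver, "reason": reason,
                           "expires_at": grant.expires_at.isoformat()})
        return grant

    def _elevated_fields(self, user, now):
        grant = self.grants.get(user)
        if grant is None:
            return frozenset()
        if now >= grant.expires_at:           # grants are time-boxed, never permanent
            del self.grants[user]
            self.audit.append({"event": "elevation_expired", "user": user})
            return frozenset()
        return grant.fields

    def read(self, user, role, record_ids, now):
        if role not in ROLE_FIELDS:
            raise AccessDenied(f"unknown role {role}")
        if len(record_ids) > MAX_RECORDS_PER_QUERY:
            self.audit.append({"event": "bulk_read_blocked", "user": user, "count": len(record_ids)})
            raise AccessDenied("bulk read exceeds per-query limit")
        allowed = ROLE_FIELDS[role]
        elevated = self._elevated_fields(user, now)
        rows = []
        for rid in record_ids:
            rec = CUSTOMERS.get(rid)
            if rec is None:
                continue
            row = {}
            for f in allowed:
                row[f] = mask(rec[f]) if (f in SENSITIVE and f not in elevated) else rec[f]
            rows.append(row)
        self.audit.append({"event": "read", "user": user, "role": role,
                           "count": len(rows), "elevated": sorted(elevated)})
        return rows


if __name__ == "__main__":
    broker = AccessBroker()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(broker.read("alice", "teller", [1, 2], t0))
    print(broker.read("bob", "fraud_analyst", [1], t0))
    broker.request_elevation("bob", {"card"}, approver="carol", reason="case 42", now=t0)
    print(broker.read("bob", "fraud_analyst", [1], t0))
    for event in broker.audit:
        print(event)
```

The design point is that the default answer to "can this account see the full record?" is no: a role gets a slice, sensitive columns come back masked, elevation needs a second approver and expires on its own, and every decision lands in the audit list where detection logic can look for unusual elevation requests or repeated bulk-read blocks.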
A final bit of advice: Use pressure testing to identify your vulnerabilities. Criminals are constantly searching for your weak points. Do you know what and where those are?
About Accenture’s “Cost of Cybercrime” study
Accenture’s “Cost of Cybercrime” study, conducted by the Ponemon Institute, LLC on behalf of Accenture, analyzes a variety of costs associated with cyberattacks to IT infrastructure, economic cyber espionage, business disruption, exfiltration of intellectual property and revenue losses. Data was collected from 2,647 interviews conducted over a seven-month period from a benchmark sample of 355 organizations in 11 countries. The financial services industry data was collected from 537 interviews from a benchmark sample of 72 financial services companies in Australia, Brazil, Canada, France, Germany, Italy, Japan, Singapore, Spain, the UK and the U.S.
1. “The Top 10 FinServ Data Breaches,” Digital Guardian, May 8, 2019. Access at: https://digitalguardian.com/blog/top-10-finserv-data-breaches