To assess cyber resilience across the industries studied in the Accenture 2018 Cyber Resilience report, Accenture Security evaluated industries according to 33 cybersecurity capabilities across seven domains (details in Figure 1). Looking at both Banking/Capital Markets and Insurance, the news was pretty positive. For Banking, the number of capabilities rated “high-performing” rose from 15 to 19. In Insurance, the increase was from 12 to 20.
What is cyber resilience?
The cyber-resilient business brings together the capabilities of cybersecurity, business continuity and enterprise resilience. It applies fluid security strategies to respond quickly to threats, so it can reduce the damage and continue to operate under attack. As a result, the cyber-resilient business can introduce innovative offerings and business models securely, strengthen customer trust, and grow with confidence.
In my last blog, however, I warned about executives’ overconfidence when it comes to cybersecurity. Respondents to the global Accenture Cyber Resilience survey [1], for example, confirmed that, on average, cybersecurity efforts only protect about two-thirds of their organization. And, despite progress, it still takes far too long for breaches to be detected and remediated.
Figure 1: To assess cyber resilience, Accenture Security evaluated 33 cybersecurity capabilities across seven domains.
Basic vs. advanced capabilities
One of my hypotheses about the results related to high-performing capabilities is that those most proficient at cybersecurity, the cybersecurity masters, are doing all or most of the basic ones well—for example, the capabilities in Strategic Threat Context, Cyber Response Plans, Stakeholder Involvement and fundamentals like Physical and Safety Risks. Then they are building more advanced capabilities on top of those—things like Cyber Incident Communication, Design for Resilience, Governance & Leadership, or the capabilities in Investment Efficiency.
By contrast, lower performers are likely to be struggling with the basics and then may be compounding their problems by aiming for advanced capabilities without having a solid foundation in place. For example, Stakeholder Involvement—stakeholders such as the divisional IT departments and the end users—is a necessary fundamental that high-performing firms have solved, but it is surprisingly hard to get right. Without establishing that basic capability, it is very difficult to establish Security in Project Funding or to get Design for Resilience embedded into the culture.
Similarly, advanced IT scanning technologies are of little use if fundamental Physical Security is not in place. This can be compared to amateur photographers who think they can solve all their problems by going out and buying a new $5,000 lens. The photography masters will tell them, “No, first, you have to understand how to frame a shot well and what makes for a powerful photograph.” In other words, first the basics; then the fancy tools.
Keys to cybersecurity mastery
What would “mastery” in cybersecurity mean for financial services? Although effectiveness across the 33 capabilities in our study is a stretch goal, here is a series of actions that are particularly important for cybersecurity mastery.
Identify breaches quickly
To contain the damage caused by a cyber breach, companies should be able to recover within days if not hours. Yet for 62 percent of banks (67 percent of insurance companies), it requires more than 30 days to remediate a breach. Interruption of IT services is the most frequently cited result of a breach and causes the greatest loss.
Involve groups beyond the immediate cybersecurity team
Interestingly, the immediate cybersecurity team, by itself, identified only about two-thirds of all breaches (64 percent). For insurers, 66 percent of the remainder were identified internally by employees; in banking, the percentage was 72 percent. Companies rely on their internal security workforce but supplement it with contractors and outsourced staff.
Keep an eye on internal threats
In our study, the number of breaches caused by malicious insiders was even larger than for external hackers. This is expected. As companies strengthen their defenses, the incentives increase for an insider to collaborate with external parties. Posts and requests for people with inside access are frequent on the dark web. Often the request is simply for login details, with a monetary payoff and no further collaboration required from the employee. Those employees feel they can plausibly deny any involvement (“I must have been hacked”). As companies strengthen their defenses further, those incentives will grow, increasing the need to monitor and control insiders as though they were external parties.
Extend cybersecurity standards across your ecosystem
Just 38 percent of banks (41 percent of insurers) hold their ecosystem partners to the same cybersecurity standards as their business (lagging the global findings). That could be a sensible business decision, if those subsidiaries and third parties are truly at arm’s length and are treated as unknown parties. But this is rarely the case. Vendors and subsidiaries become trusted. Employees will probably open communications, view documents and execute malicious payloads, believing they are working with an entity they know well. This shows it is not safe to work with less-defended companies as though they are part of the enterprise. Your employees should be trained to be aware of the risks and deal with them appropriately.
Test and stress test
There’s hardware involved with security, of course, but cybersecurity is primarily software. There is no substitute for testing it like you would any other software—particularly a “user acceptance test” that simulates actual attack methods to identify vulnerabilities exploitable by highly motivated attackers, and then confirms that the cyber defense systems catch them.
A few final thoughts:
- Be brilliant at the basics. Then build more sophisticated capabilities on top.
- It is critical that financial services firms become much more sophisticated in the breakthrough technologies increasingly used by cyber criminals. For example, automated orchestration capabilities allow security teams to respond in near real-time, and advanced machine learning algorithms are replacing manual reviews to facilitate the cleanup of access management.
- Evolve the role of the Chief Information Security Officer (CISO) to be more integrated with the business. CISOs should be both business-adept and tech-savvy. They should be at home in the C-suite as well as the security center.
- Infuse a “security first” culture everywhere in the organization. The challenges are too great to be handled only by a central team. Everyone needs to be involved.
[1] 2018 State of Cyber Resilience, Accenture. Available at: https://www.accenture.com/us-en/insights/financial-services/2018-state-of-cyber-resilience