Financial organizations have always been on the front line of cybersecurity and compliance, and for many, budgets are increasing. A study by Deloitte showed that many financial firms responded to Covid-19 by increasing their cybersecurity budget by 15% or more per employee, with some increasing to $3,337 over a previous maximum budget of $3,000. This matters both for the large firms already increasing their cybersecurity budgets and for smaller organizations that might not yet have done so.
Most financial organizations should prioritize cybersecurity. Breaches result in lost funds, regulatory fines, and lost customers. Often, breaches put customer funds and financial information directly at risk. Financial cybersecurity is critical not just for decreasing risks but for organizations staying in business.
The Rising Demand for Cybersecurity
Cybersecurity demands are increasing across most sectors. Covid-19 brought more phishing emails, loyalty scheme fraud, and attacks on remote networks. With more organizations sending employees to work from home, remote access, digital platforms, and remote tooling access all become critical security points.
Digitization – Today, most financial firms are at least somewhat digitized. This means they work in digital environments with cloud tooling, cloud infrastructure, and Software-as-a-Service programs. These enable remote work but put additional stress on security through increasing access points, remote access points, and individual employee security.
Cybercrime linked to Covid-19 – Most industries saw a massive uptick in phishing and other forms of cybercrime following the coronavirus outbreak. Hotspots include phishing emails, fake employee loyalty programs, and increased data exposure over remote networks. The New York Department of Financial Services released an update following a massive uptick in reported breaches.
Third-Party Risks – Financial vendors increasingly face risks not through their own software and infrastructure, but through partners and third parties. APIs, hosting applications, CMS, and other web applications can all generate risk. Preventing that risk means holding those organizations accountable to cybersecurity standards relevant to your organization, asking to see compliance certificates, and ensuring that they complete pentesting to understand risks.
Currently, the average financial organization spends about 0.8% of total revenue on cybersecurity, or about 8.2% of total IT Security budget. While that might sound like a lot, it’s actually down from 2019, when cybersecurity made up 15.2% of the average IT budget. Averages also mean that bottom-spenders are looking at 0.2-0.4% of revenue and the very top performers spend as much as 3% of revenue on security. At the same time, it’s not always about how much you spend so much as how you spend the budget.
Understanding Risks
Most financial organizations are at risk of both physical-location and online breaches. Most financial organizations face at least the following risks:
- Service providers (TSP, MSP, CSP) introducing wider and more interconnected attack surfaces
- Credential/identity loss/theft/mismanagement
- Endpoint security (Workstations, printers, Point of Sale)
- Data theft and manipulation
- Malware / Ransomware
- Phishing
In 2020, financial organizations spent their cybersecurity budget as follows:
- 19% cyber monitoring operations
- 18% endpoint network security
- 16% identity and access management
- 13% cybersecurity governance
- 12% application and data protection
- 10% third party vendor security management
- 8% cyber resilience
As application and endpoint security risks rise, it’s a good idea to review whether spending is still in the right places, and whether reallocating or increasing the budget might reduce risk and eventually save the organization money.
Risk Analysis – Completing a cybersecurity risk analysis is one way to fully understand risks for your organization and assets. Here, it’s critical to have the assessment performed by a neutral third party, capable of reviewing work, security efforts, and internal security management.
Regular Pentesting – Pentesting can help you identify and resolve security issues. Modern pentest-as-a-service means pentesters deliver findings and vulnerabilities as tickets, which your developers can act on immediately. Pentest-as-a-Service also offers long-term risk and vulnerability management, so you understand where your organization’s largest cybersecurity risks lie and developers can focus their efforts on resolving those problems. New trends, like integrating pentesting into development cycles, also mean added security, as new websites, applications, and features are tested before launch.
Financial organizations face some of the highest cybersecurity risks of any industry. At the same time, those risks are increasing, and rapidly. Reassessing, reallocating, and increasing budget to meet those changing needs could be critical to protecting clients and your organization.
If you’re ready to work on cybersecurity for your financial organization, PentestHero is here to help. We offer pentest-as-a-service via our secure online dashboard, so you can onboard developers and integrate pentesting into development cycles, test to resolve security errors, and maintain compliance through a single platform. Click here to learn more.