Why is your financial response plan static against dynamic risk?

By Kev Breen, Director of Cyber Threat Research, Immersive Labs


When it comes to cyber security, there is a grave misconception that financial services are the most secure industry. This perception comes from the massive security budgets that financial organisations tend to have. In fact, the combined BFSI industry leads the line in cybersecurity spending, holding 18.7% of the global security market share.

However, larger budgets don’t always mean better security. This is evident from the number of losses financial organisations suffer each year from successful attacks. In the banking sector alone, the annual cost of cyber-attacks reached $18.3 million per company last year.

Effective security often boils down to strategic elements such as how well organisations are managing risks, what response plans are in place, and how well the workforce is capable of tackling dynamic threats.

We talk to Kev Breen, Director of Cyber Threat Research at Immersive Labs, to understand the critical issues of human cyber capabilities and threat response plans in today’s financial services industry.


Why does the financial sector continue to be a frequent target of cyber-attacks?

The critical and sensitive nature of this industry makes financial organisations a more lucrative target for threat actors. Ultimately, it’s where the money is. Organisations like commercial banks, investment firms, accounting firms, insurance companies, and brokerage firms hold a lot of sensitive data – not just from individual users, but also from businesses and governments. These companies are a gold mine for attackers, in terms of data.

Also, targeting financial organisations allows threat actors to cause mass-scale disruption. For example, if a banking system is hit by ransomware or a Distributed Denial of Service (DDoS) attack, it will hinder its ability to effectively serve customers until services are restored – leading to significant financial disruption. These are the key reasons why financial organisations continue to be frequently targeted despite investing heavily in cyber security.


What are the shortcomings of current financial response plans that are leading to this influx of successful attacks?

An effective threat response plan is critical for any organisation. When faced with sophisticated attacks like ransomware, your response plan determines how efficiently the workforce manages the security incident. However, the issue is that most financial response plans are static. They look good on paper but have little effect when the situation comes to be.

Also, organisations often don’t test these plans against real-world scenarios. They are established as a theoretical strategy, without any practical assessment or evidence to support their effectiveness in the face of a real security incident.

For example, in a traditional response plan, potential risks are identified, proposed response plans are outlined and then filed away for use when the incident occurs. However, sophisticated risks like ransomware are dynamic. They don’t always follow the same pattern or same variables. Also, they don’t always target the same files. So, if the response plan is not tried and tested against different scenarios, you can’t ensure that it will hold up when threats break.

Moreover, ransomware attackers are now applying a double extortion method. They don’t just encrypt and lock away your sensitive data but also exfiltrate it – threatening companies that unless they pay up immediately, the data will be leaked on public domains.

Another critical issue is that most companies develop their threat response plan with only the IT and security teams in mind. However, threat actors can target any department across your workforce, whether it’s the sales team, marketing team, or general admins. Threats like ransomware need a collective response. Every employee has a role to play.

If the response plan or training programs are just catering to the security teams, other employees won’t have the required knowledge or information to fulfil their responsibilities during an incident.

Therefore, in such an unpredictable threat landscape, businesses can’t rely on a static response plan. Chances are that their pre-determined plans won’t fit the variables of the attack or demand during the crisis. These implications were also evident in our latest research findings.

We found that financial organisations performed second worst in crisis simulation exercises out of 10 industries. In fact, out of the top ten worst decisions during a crisis, five came from financial services organisations. So, it’s safe to assume that most financial organisations lack the human-cyber capabilities to make adaptive and agile decisions when faced with dynamic threats like ransomware.


Why does it take so long for financial organisations to develop the necessary skill to defend against cyber-attacks?

Our research found that financial services organisations need an average of 97 days to develop the skills necessary to defend against critical cyber risks. National cyber security bodies recommend that businesses should take no more than 48 hours to patch vulnerabilities and implement their response plan after the initial detection. Clearly, there is a major gap in human cyber capabilities for such organisations.

The reason for this gap comes down to the lack of cognitive agility among the workforce. Cognitive agility is the ability to adapt and shift our thought processes when faced with critical scenarios. Organisations need a workforce that can make agile and conscious decisions quickly when faced with diverse threat scenarios.

Cognitive agility inevitably increases the human-cyber capabilities of the entire workforce. Employees can consider the different aspects of an attack and make better decisions, instead of following a scripted response plan that wasn’t developed with a consideration of dynamic risks.


What are the proactive steps financial services organisations can take to develop cognitive agility amongst their workforce?

To build cognitive agility among the workforce, financial organisations need to prioritise a cadence of exercising. Simply launching training programs isn’t enough; they need to focus on scenario-driven simulations and test exercises. The aim is to build an entire workforce that can function as adaptable incident responders, who can think on their feet and effectively react to the situation in front of them.

That’s why scenario-driven exercises are critical. You’re not teaching people to respond to a specific crisis, but rather helping them develop critical thinking and decision-making skills.

It’s also important to consider how you are distributing such exercises across the entire organisation. Financial companies tend to have a very diverse workforce, with multiple different departments and multiple roles. Employees of each department have different skills and knowledge levels. Some might already have a great knowledge of the security domain, while some might be very new. So, making everyone go through the same level of exercises won’t get you the desired benefits.

This is where Cyber Workforce Resilience becomes significantly useful. It’s a robust model that allows companies to benchmark their current human-cyber capabilities, measure the knowledge, skills, and judgement of the current workforce, and prioritise exercises where they’re needed. Cyber Workforce Resilience helps to map human capability within the workforce and generate data/insights to produce a real-time picture of the organisation’s cyber resilience.

Benchmarking current knowledge, mapping out human abilities, and regularly exercising capabilities based on different scenarios will help build a resilient and agile crisis response team, who are always ready to take effective decisions – regardless of how dynamic the risks are.
