In my first blog in this series, I spoke in general of the cyber vulnerabilities that let criminals inside a financial services firm. Here, I want to look more specifically at where companies should consider investing to avoid significant losses from cyber crime.
First, though, where is the money going right now? Among the financial services companies surveyed for the “2017 Cost of Cyber Crime Study,” an Accenture and Ponemon Institute report, the biggest share of security investment (41 percent of all security spending) goes into basic detection. (The next most important spend activity, “recovery,” is only 19 percent. See Figure 1.)
Figure 1: Percentage costs of internal cyber security activities, financial services companies
Let’s then map that spending against the most expensive consequences of cyber attacks in financial services. There, among respondents to the survey, the overwhelming “winner” (as it were) is information loss, at 52 percent of cost by consequence, well ahead of business disruption (35 percent) and revenue loss (13 percent). See Figure 2.
Figure 2: Percentage cost of cyber attacks by consequence, financial services companies
Those results make sense. Think of some of the worst security breaches in recent memory and they were about loss of critical customer data. For example, more than 140 million customer records were exfiltrated from a leading credit reporting agency, exposing highly valuable personally identifiable data such as Social Security numbers, dates of birth and driver’s license information.
These kinds of data breaches are incredibly costly. Estimates put financial losses from a severe event into the tens or even hundreds of millions of USD. On top of that, you’ve got damage to your brand and reputation, as well as ongoing financial and legal exposure. While stock prices seem to recover from these consequences in many cases, senior executives often do not, with many being asked to leave by shareholders or the board.
Figure 3: Positive and negative value gaps associated with security investments, cross-industry
Measuring the value gap
To better understand the effectiveness of investments in cyber security, we analyzed nine security technologies across two dimensions: (1) the percentage spending level; and (2) the gap between spending and value received in terms of cost savings to the business. The findings illustrate that many organizations may be spending too much on the wrong technologies. Looking first at the global, cross-industry report, five of the nine security technologies had a negative value gap—meaning the percentage spending level is actually higher than the relative value to the business (see Figure 3).
One noteworthy finding: Many companies have over-invested in advanced perimeter controls, probably in the hope that they will compensate for weaker security elsewhere. That is not a winning strategy. There is always a way through the perimeter, with the criminals resorting to social engineering if needed.
Of the remaining four technologies, three had a significant positive value gap and one was in balance. That means there’s an opportunity to evaluate potential over-spend in areas that have a negative value gap and then rebalance those funds by investing in the breakthrough innovations that deliver positive value.
In financial services, on the other hand, there was less of a mismatch between spending and value. Firms are currently pretty successful at getting value from what they’re paying for. We again see that financial services is leading the way in security among respondents to the Accenture and Ponemon Institute study. The most prevalent technologies used in the industry are:
- Security intelligence systems (71 percent of firms have deployed)
- Advanced identity and access governance (67 percent)
- Advanced perimeter controls (62 percent)
These match up well when we look at the survey data about return on investment (ROI) in financial services:
- Security intelligence systems (21.3 percent ROI)
- Advanced identity and access governance (16.2 percent)
- Automation, orchestration and machine learning (18.6 percent)
- Advanced perimeter controls (15.7 percent)
Even where there was a value gap in financial services, it was relatively small:
- Advanced identity and access governance (-1 on the 10-point scale used in the research)
- Extensive deployment of encryption technologies (-1)
- Enterprise deployment of governance, risk and compliance (-1)
(Looking across multiple industries, some value gaps were as high as 3 or 4.)
Finally, our Cost of Cyber Crime Study also uncovered a big area of opportunity: Only about 1 in 4 financial services firms (26 percent) have deployed artificial intelligence-based security technologies and only 31 percent are using advanced analytics solutions. I’ll address that situation in the next blog in this series.
For more information, take a look at our presentation summarizing the economic impact of cyber attacks in financial services.
- Cost of Cyber Crime Study, Accenture and Ponemon Institute, February 2018.