Other parts of this series:
Direct cyberattacks are down, but indirect attacks are more widespread than believed.
The good news for banking and capital markets (CM) firms coming out of Accenture’s latest edition of the “State of Cyber Resilience” report is that security breaches are 25 percent lower than in the 2018 survey. Direct attacks are down 2 percent.
The troubling news, however: Indirect attacks are far more widespread than believed. Almost 40 percent of breaches now come through the indirect route—through vulnerabilities in the defenses of vendors, partners or subsidiaries. These exposures take the form of things like injection of malicious code to a vendor’s site, downloaded open-source libraries or a vendor’s misconfigured server.
We found 65 percent of banking/CM institutions indicate staying ahead of attackers is a constant battle—and the cost is ultimately unsustainable.
One of my other takeaways is that, while the number of breaches is down, firms are not recovering fast enough from those that do occur. We can see this clearly by comparing banking/CM companies against the group of cross-industry cybersecurity leaders in our global survey. For example:
- Time to detect a breach: Eighty-eight percent of cross-industry leaders discover a breach in less than a day, but only one-third of banking/CM institutions can say the same.
- Ability to remediate a breach within 15 days: Ninety-six percent of leaders achieve this, versus 44 percent of banks/CM firms.
- Breaches with no material effect (a breach notification was required, but little or no damage was experienced): True for 58 percent of leaders, but only 32 percent for banking/CM.
It’s a promising sign that firms are investing in cybersecurity at higher levels than last year. But can they keep up with the annual increases in costs? We found 65 percent of banking/CM institutions indicate staying ahead of attackers is a constant battle—and the cost is ultimately unsustainable.
Why are indirect attacks so hard to defend against?
A modern business simply can’t compete without relying on an extended network of vendors and other third parties. In fact, a survey-based study among IT professionals found the average corporate network is accessed by 89 vendors every week. This ecosystem is likely to grow in scale and importance over time. The same study found most respondents expect their companies to become more reliant on third parties. Yet, this is a major vulnerability. The indirect route to cyber break-ins is a form of attack that is likely to grow, and one many firms have little visibility into.
In my work with clients, I have witnessed firsthand the enormous challenges they face in managing third-party cyber risks. Large volumes of data can overwhelm the teams responsible for managing compliance. The complexities of global supply chains, including the regulatory demands of various regions or countries, add to the strain. The nimbleness of small subsidiaries or suppliers can be hamstrung by the central security requirements of the parent.
What can you do?
The answer to the indirect attack problem is fairly easy to explain, though much harder to implement and manage over the long term. It is to put in place the policies, governance and enforcement such that any third party connected to your network requires the same security standards you do. Otherwise you’ve got to treat them completely at arm’s length. If you don’t follow this policy, your network is only as secure as the least secure entity connected to you, and all your security spending might be going to waste.
When we turn to the issue of subsidiaries, we see the problem in especially stark relief. Companies may presume they are treating those entities as a separate company, but in fact electronic trust is most likely fully established between them. Emails from subsidiaries, for example, are usually not marked “external.” That means a security compromise at the subsidiary gives an attacker a perfect platform to send phishing emails to the parent company, too. Soon, the parent’s network is compromised, as well.
Spending wisely, helping others
Given finite security resources, there is value in a data-driven, business-focused approach to securing the enterprise ecosystem. This may mean using threat intelligence reports to risk-prioritize which vendors need better security solutions. A managed security services approach can help an organization keep vendors or subsidiaries at arms-length, where they are not connected to the parent companies’ systems, including its security apparatus. This approach can help tackle issues at a larger scale and with a wider scope, without burdening the corporate security department.
By collaborating more broadly with others with the common goal of securing the enterprise and its ecosystem, organizations can help themselves while also helping smaller vendors, allies and partners to beat cybercrime.