In the U.S., October is “National Cybersecurity Awareness Month.” This year’s theme is that cybersecurity “is our shared responsibility” and we all should work together to improve our organization’s and the nation’s cybersecurity. One of the weekly themes of the campaign strikes a similar note: “It’s everyone’s job” to maintain cybersecurity at work, which highlights corporate efforts such as cybersecurity workforce education, training and awareness.
All good and correct. The need for an “all-hands-on-deck” approach to cyber defense is underscored by survey findings published in Accenture’s recent “2018 State of Cyber Resilience” reports. The financial services research resulted in one report for Banking & Capital Markets and another for Insurance.
For both sectors, a company’s internal cybersecurity team identified only about two-thirds of all breaches (64%) on its own. Of the breaches not found by the security team, 72% (banking) and 66% (insurance) were identified internally by employees. So cybersecurity really is “everyone’s job” at a financial services company.
The role of the customer
When it comes to banking in particular, cybersecurity roles extend beyond internal groups to include another category: customers. If we think about it from a retail perspective, the historical attitude of customers—particularly in North America—has been disengagement: “It’s the bank’s problem.” “If you keep my money, my money should be secure; if I use your credit card, the responsibility for theft and fraud rests with you, the bank.” In some geographies around the world, consumers are more sympathetic, but the risk is still owned by the bank.
The whole premise seems laughably insecure in a cyber-connected world. Let’s look at the situation from the perspective of both internal threats and external attackers.
Internally, banks historically relied on the premise that customers are honest and not a real threat source. Think back to the days when a physical signature was enough to move money. And though conventional wisdom dictated that about 5% to 10% of people will have less than honest motives, the system worked despite that. Now, in an interconnected world, that attitude falls apart because the 5% or so who aren’t honest can actually do 95% of the damage.
Externally, of course, the situation is dire. The threat landscape is evolving faster than many firms are able to cope with, revealing security gaps due to the rapid changes that digitization is bringing. Data sharing with third parties as well as open banking—the use of open application programming interfaces (APIs) that allow third-party developers to build applications and services around financial institutions—leave firms more exposed.
With this amount of risk exposure happening every day, consumers should recognize that the system only works if they’re prepared to support stronger security. The good news is that consumers seem ready for that.
That’s not necessarily because they are especially sympathetic to their bank’s financial well-being. Instead, a major reason for the shift in customers’ viewpoint is the privacy issue. Customers are more conscious of their personal risk exposure. It’s no longer just, “If my money is stolen the bank will make me whole.”
Now, customers realize that if their data is stolen, the bank can’t just make the problem go away. Through a breach at a financial services company, crooks can gain access to the history of every purchase a consumer has made, as well as their Social Security number, credit history, salary and more.
A recent survey of 2,000 UK adults found that 72% worry that their details will be stolen every time they hand over bank information and email addresses to companies.
In light of that new awareness, more consumers are thinking and saying, “Actually, I want that information to be secure and if that means I have to enter additional security information or have my fingerprint or iris scanned, I’m good with that.”
Banks still bear most of the responsibility for fraud and breaches, but now that customers themselves are becoming more actively involved and accepting their role on the cybersecurity “team,” the risk exposures of banks are being reduced.