Skip to main content

Financial services firms aren’t confident in their cybersecurity, despite more tools and investment

April 13, 2022

David Moth

New research shows that security leaders in financial services aren’t confident in their security controls or their ability to prevent a ransomware attack.

Financial services firms are a prime target for cyber criminals due to the potential rewards on offer. For threat actors looking to make a profit, breaching a bank would deliver a bigger payday than going after a small business.

As a result, the financial services industry is among the biggest spenders on cybersecurity. However, our research shows that higher investment doesn’t necessarily give you greater confidence in your security controls.

Data from our 2022 Security Leaders Peer Report shows that just 32% of respondents in financial services are ‘very confident’ their security tools are deployed and working as expected at any given moment. This compares to 54% among those in the energy industry and 36% among all respondents to the survey.

This is part of a broader trend revealed by our research — security leaders in financial services are less confident in their security posture than peers in other industries.

Cybersecurity in financial services

Financial services organisations have more mature cybersecurity programmes compared to most other industries. This is driven by a combination of factors – greater understanding of risks, bigger budgets, and more regulation.

As a result, FS firms tend to be better protected and use more sophisticated security technology. Our research shows they typically have 82 security tools, compared to an average of 76 among all respondents.

Respondents 'very confident' in security tools

But as we’ve already seen, having all this extra technology doesn’t mean FS organisations are more confident in their security controls. A majority can’t be certain their security tools are protecting their environments at all times. And there’s good reason for this — almost 90% of those working in financial services admitted they’d been surprised by a security event, incident or breach which evaded a control they thought was in place (vs. 82% on average).

Security automation is a potential solution to this problem. It enables organisations to continuously evaluate their controls and identify control gaps or out of policy issues, giving them greater confidence in their security posture.

Automation also makes organisations more efficient by removing the need to manually collate data across different security tools. Our research found that security teams in financial services spend half their time (50%) manually creating reports — time that would be better spent on fixing vulnerabilities.

The ransomware threat in financial services

Ransomware is a priority risk within all industries, including financial services. The potential losses in fines, ransoms and reputational damage can run into tens of millions of dollars, so senior stakeholders place a lot of focus on ensuring their security team is protecting the organisation.

Nearly all security leaders in financial services (95%) report to their board on ransomware protection levels, which is in line with the overall average (91%). However, respondents in FS are again much less confident in this area than those in other industries.

Our research shows that just a third (35%) of FS security leaders are ‘very confident’ in their ability to continuously measure security controls that mitigate the infiltration, propagation, and exploitation of a successful ransomware attack. This compares to 55% in the energy sector, 47% in healthcare and 41% on average among all respondents.

Respondents 'very satisfied' with ransomware reporting

This is likely causing security leaders to lack confidence in the reports they give to senior stakeholders. On average, 45% of respondents are ‘very satisfied’ with the time, resource, accuracy and detail of their board reports on ransomware. But in FS, this falls to just 33%, the lowest of all the industries included in our survey alongside utilities (for example, 68% of those in the energy industry said they are ‘very satisfied’).

To help overcome this problem, we recently published a CISO’s guide to creating effective ransomware board reports, which looks at why security leaders might lack confidence in this area and gives practical advice on how to improve.

Building confidence with security automation

Clearly something needs to be done to give financial services security leaders more confidence in their controls and security posture. Part of the problem is undoubtedly the frequency and sophistication of the threats facing financial services organisations — but simply increasing tools and investment to counter those threats isn’t yet translating into greater confidence.

Instead, security leaders need to look at ways of driving efficiencies and building trust in their existing data through automation. Panaseer’s Continuous Controls Monitoring (CCM) platform uses security automation to solve many of the problems highlighted by our research. It brings together data from all your security tools, giving total visibility into your assets and controls, so you can be confident there are no gaps in your coverage.

CCM also removes the need to manually analyse security data and ensures that metrics and measures are accurate and trustworthy. And by enriching the data with business context around processes and ownership, you can better prioritise remediation campaigns against the issues that matter most to your business.

The value of CCM is clear to most financial services organisations. In fact, all the FS respondents in our research said they would likely implement a CCM tool within the next two years, while around a quarter (26%) said they already have one. If the industry can continue that momentum, it could go some way to giving CISOs in financial services greater confidence in their security reporting.

Book a demo with our team to find out how Panaseer’s CCM platform can give you greater accuracy and confidence in your security metrics and controls.