Netwrix conducted its 2017 IT Risks Survey to learn more about the security, compliance and operational issues that bother organizations in more than 30 industries worldwide.
We continue to review the main cybersecurity risks that bother organizations of various sizes and industries. Did you miss the previous blog posts? Catch up here: IT Risks in SMBs and Enterprises and IT Risks in Healthcare. This post is going to be dedicated to the financial vertical. Without further ado, let’s begin with a brief overview of the main results we received for the financial industry.
What is the cybersecurity context in financial organizations?
55% of IT operations teams in the financial sector perform all or part of security tasks
Compared to other verticals, the financial one has accomplished some impressive things. One-third of financial organizations already use software for information security governance or risk management. As many as 64% of financial organizations have a separate information security function. Still, 55% of IT operations teams perform all or part of security tasks.
The cybersecurity context in financial organizations may not look flawless, but the majority has a pretty mature information security strategy. On top of that, 92% of our respondents told us that, overall, the established processes and controls are adequate in regard to their organizations’ specifics.
What’s secured and what’s not?
91% of financial organizations have complete visibility into user activity in databases
Financial organizations prioritize the security of their databases, which contain sensitive information. Here, they are true champions among other major industries we’ve surveyed: 91% of respondents from financial organizations have complete visibility into what is happening in and around their databases. Another industry that pays close attention to structured data is health care, though only 56% of respondents from health care claim to be aware of the activity in databases. Other major industries seem to be more system-centric rather than data-centric.
The most neglected areas, in terms of security, are BYOD, mobile devices and unstructured data stored in a third-party data center. While these areas also bother other industries, the financial industry succeeded in gaining an understanding about activity in them: Only one financial organization in ten admits to having zero visibility in this area.
While security of unstructured data doesn’t bother financial organizations that much, visibility into user activity in mobile devices (50%), cloud systems (57%) and on-premises systems (55%) is considered critical for the overall security of the IT infrastructure. We most likely will see improvements in these areas in the near future.
However, what does visibility bring to financial organizations? It brings information straight from the source: Good visibility into what is happening in mission-critical systems helps better detect and mitigate the notorious human factor (82%), investigate security incidents (82%) and even act more proactively in regard to risk prevention (73%).
Who is the main threat?
82% of financial organizations consider insiders with legitimate access the main threat to security
According to 55% of financial organizations, employees represent the biggest threat to cybersecurity; 27% said that third parties with legitimate access to internal systems, such as partners, contractors, vendors and so on, put their organizations at risk. That’s another aspect that makes the financial industry stand out. Financial organizations are confident about their perimeter defense and their ability to confront threats from hackers, but only until hackers take advantage of those with legitimate access.
Nevertheless, financial organizations succeed or fail at gaining visibility into user activity only in certain systems or devices. Establishing visibility into user activity across critical systems still requires a significant effort. About 27% of financial organizations don’t have complete visibility into employee and IT admin activity in the IT environment, and 36% of respondents are not fully aware of third-party activity.
What were the causes of IT incidents in 2016?
27% of financial organizations had security incidents due to human errors in 2016
We studied three groups of IT risks: compliance, security and business continuity. Let’s take a quick look at what caused the incidents in each area in 2016.
- Compliance risks. Though the financial industry has been heavily regulated around the globe for a long time, it struggles to meet the ever-tightening regulatory requirements. About one-third of respondents had compliance issues in 2016. Mostly, these issues happened because organizations could not provide complete evidence of compliance. This is typically a sign of poorly established IT auditing and reporting processes.
- Security risks. About 27% of financial organizations experienced security incidents due to human errors: 18% due to malware, and 9% due to insider misuse. While employees remain the main threat, the share of the affected financial organizations is also significantly lower than in other major industries.
- Business continuity risks. Financial organizations are still not satisfied with system performance, and 18% of respondents experienced system downtime due to the inability to quickly start operations after a crash. However, 9% of financial organizations are concerned about malicious user activity that impacted operations. When it comes to business continuity, the financial sector was not as massively affected as the other industries.
Are you ready to face cybersecurity risks?
36% of financial organizations firmly believe they are ready for cyber threats
This is the question we asked our respondents to get a better understanding of their overall perception of how well their organizations are prepared to face cybersecurity risks. Despite all the positive figures describing the security posture of the financial industry compared to other verticals, only 36% of respondents are sure about their cybersecurity super powers.
The rest are insufficiently prepared to beat IT risks. Reasons for that are lack of time (55%) and budget, of course, and increased complexity of IT infrastructure (45%). Threats are nearly infinite and, with such a huge attack surface and not always obvious interconnections among systems, security requires constant investments, never reaching perfection. Without a centralized and easily readable log, it becomes almost impossible to investigate and resolve incidents and provide proof of compliance, especially when human resources are limited and IT operations teams handle too many tasks.
Respondents from other industries quite often complain about poor involvement of senior management in hardening security. This is also the case for a small percentage of financial businesses, but in the majority of financial organizations, IT risk mitigation is clearly a top-down process.
Here is what you can start with to minimize the risk of threats to security, compliance and business continuity:
- Hire dedicated security and compliance personnel to make sure that these areas are not neglected while IT operations are loaded with business user support and maintenance tasks.
- Increase personnel’s awareness of what users, or adversaries operating under employees’ accounts, do in the IT environment. A recorded trail of activity will help personnel detect and investigate threat patterns, eliminate issues in a timely manner, keep data secure and systems available, provide proof of compliance to auditors and improve compliance ratings.
Problems are inevitable, but the financial sector is prepared (and probably targeted) more than any other industry we’ve surveyed.
What is coming next? The majority of financial organizations (82%) say they are going to focus on sensitive data protection, especially on protection against data breaches—the most common nightmare among financial businesses.
Interested in learning more about other findings from this survey? Please read the full Netwrix 2017 IT Risks Report.