While the financial services industry is relatively mature in terms of its software security posture, organizations are increasingly facing cyber attacks
When it comes to cybersecurity awareness and practices, CIOs in the banking and financial services industry are further along the maturity curve than their peers. Despite that awareness and their concern about online threats, a new study found that banking organizations are struggling to manage cybersecurity risk, with many CIOs acknowledging that they are still not doing enough to protect their systems, networks and data.
The Synopsys report, based on a survey of CIOs and IT security practitioners from global financial services organizations conducted by the Ponemon Institute, found that more than half of these firms have experienced theft of sensitive customer data, or system failure and downtime, because of insecure software or technology.
The study also shows that CIOs at banking and financial firms are struggling to manage cybersecurity risk in their supply chain and are failing to assess their software for security vulnerabilities before release.
“While the financial services industry is relatively mature in terms of its software security posture, organizations are grappling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries,” says Drew Kilbourne, Managing Director of Security Consulting for the Synopsys Software Integrity Group.
There are three key findings from the study:
1. Most FSIs are ineffective at preventing cyberattacks. According to the study, more than half of respondents have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. Consistent with this, more organizations reported being effective at detecting (56%) and containing (53%) cyberattacks than at preventing them (31%).
2. CIOs are struggling to manage cybersecurity risk in their supply chain. Nearly three-quarters (74%) of CIOs in the FSI segment were concerned or very concerned about the security posture of third-party software and systems. Despite this concern, only 43% of respondents said their organizations impose cybersecurity requirements on third parties involved in developing financial software and systems. Furthermore, only 43% of respondents said they have a formal process for inventorying and managing the open source code in their software portfolios.
3. FSI organizations are failing to assess their software for security vulnerabilities before release. While most organizations follow a secure software development life cycle (SDLC) process, respondents reported that their organizations test, on average, only 34% of all financial software and technology developed or in use by their organization for cybersecurity vulnerabilities. For the software and technology that is tested for vulnerabilities, only 48% of respondents reported that security testing occurs in the pre-release phases of the SDLC, such as the requirements and design phase or the development and testing phase.
How banking CIOs can keep hackers at bay
While no organization can be made bulletproof, the survey results show that organizations at least recognize that they have a problem. Some key takeaways for CIOs in financial organizations, covering both external and internal threats:
- Use automated tools (static analysis and similar) so developers find and fix bugs during development, rather than having pen testers find them later, when they take more time and money to fix.
- A second fundamental is to address third-party risk, because if a supplier can get hacked, you can get hacked. Organizations should require their vendors to test their software during development, to demonstrate compliance with industry security standards and to use an independent measurement of their software security initiative (SSI).
- CIOs and CISOs should secure the supply chain against insider threats. This often requires new workflows and governance processes.
- Make the workforce security savvy through proper security training and empowerment. This initiative should be led by the CIO, CISO or CTO, or by a security expert in top management.
- Make sure devices and servers are configured securely and kept patched: the IT or security team should track vendor patches and apply them promptly.
- End-to-end encryption helps, but only if the keys are protected. CIOs should ensure they have secure encryption key management in place.
“There is no single right approach to software security but this study clearly shows that there is a significant need for improvement in supply chain risk management. There is also an opportunity for many organizations to expand the scope of their software security programs to cover all their business-critical applications and shift their efforts further left in the software development life cycle,” says Kilbourne.
Much of that is the digital equivalent of locking the safe and the doors at night and turning on the security system. The study's researchers believe that any organization that does all of that will already be above average.