The lights are on, but is anybody home? Source: Shutterstock

Banks upping spend on cybersecurity and ready for the challenge

  • The finance sector is knocking up cybersecurity spend per employee, as its workforce largely remains remote
  • Industry is the most targeted, but its also one of the best fortified
  • Breaches like that of CapitalOne have been a warning to all 

Banks and other businesses in the financial services sector have ramped up cybersecurity spending this year, in order to fortify new work-from-home arrangements and a surge in cyberattacks leveraging the coronavirus crisis.

That’s according to a survey by Deloitte and Touche LLP, and the industry group Financial Services Information Sharing and Analysis Center (FS-ISAC), which found that average spending per employee was budgeted at US$2,691, up from US$2,337 in 2019. 

Some firms have budgeted as much as US$3,322 per employee, whereas US$3,000 stood as the maximum spend last year. 

The sums aren’t particularly mind-blowing at first glance, but as Bloomberg notes, they would translate to US$850 million annually for JMorgan Chase, and nearly US$900 million for Wells Fargo. 

The world’s largest banks shifted large chunks of their operations to remote working models this year, the many are still yet to return to offices given the sheer size of the challenge in safeguarding the health of employees. 

Some 70% of workers in the finance and financial services industry have been doing their jobs remotely as a result of the outbreak, according to SurveyMonkey data. Many workers are reporting wanting to work from home permanently, while the head of UK bank Barclays stated that the “notion of putting 7,000 people into a building” each day may well be a thing of the past, with 70,000 of the bank’s employees successfully working remotely. 

Under attack all times

Shifting entire organizations – regardless of the sector they operate in – into fully remote-working operations will expose new vulnerabilities. But the banking sector, perhaps unsurprisingly, is invariably the most-targeted industry by cybercriminals; banks offer multiple avenues for profit through extortion, theft, and fraud. Comprising information such as date of birth and address, customer data is simply more valuable here. 

In a year that’s already bore witness to the ongoing severity and sophistication of ransomware attacks, cybersecurity is rocketing further to the fore as a key industry priority. The results of not doing so have been hung out in sight, with the recently prescribed US$80 million fine of CapitalOne for stemming from a risk assessment oversight ahead of an AWS cloud migration. 

The breach affected 100 million individuals in the United States and approximately 6 million in Canada, and allowed the hacker to make away with about 140,000 Social Security numbers and about 80,000 linked bank account numbers of CapitalOne’s credit card customers.

The penalties haven’t only been financial, the brand has suffered severe reputation damage as a result of the breach too.

Particularly as more services and customers go online, there is mounting urgency for banks to bolster their cybersecurity. Last year, the Financial Conduct Authority (FCA) in the UK identified an increase of 1000% in cyberattacks between 2017 and 2018. The financial services industry attracted more than a quarter of global malware attacks. 

Given that in the UK alone, £671 million (US$878 million) was lost to card fraud last year, the extra costs of cybersecurity offer a prudent investment. 

Ready and resilient

Because of the weight of responsibility on their shoulders and the level of risk facing them, cybersecurity among members of the banking sector is some of the most advanced and innovative. Many, therefore, have been remarkably quick to adapt to the changing demands of remote working.  

Leaders have had to address training gaps and call on workers to maintain digital hygiene, entrusting them to patch their own computers and update mobile software. McKinsey reports a large bank adjusting its security policies, including running more frequent and tailored awareness campaigns, resulting in a 95% improvement in employee click rates during monthly anti-phishing tests. 

Other measures have comprised restricting the use of USB devices, while shifting contact centers into the cloud has meant adopting specialized, secure remote hardware. 

Another unnamed large bank conducted threat modeling on both its new collaboration tools and unauthorized tools introduced by employees during the remote working shift. Other measures have been customer-focused, such as expanding biometrics and device-based authentication for sensitive transactions on new, digital channels. 

Banks are also investing in advanced, AI-powered security tools for things like fraud prevention; models which have been instrumental from early on among fintech challengers like Revolut, which developed its own AI fraud detection tool, Sherlock

While distributing an entire bank to the various living rooms, kitchens and home offices of employees may certainly not sound like the safest move for the world’s most targeted industry, these challenges are only further magnifying the sector’s focus on cybersecurity, making them more resilient in the longer term. In that respect, a few hundred dollars per employee is a worthy investment.