Cybersecurity threat could bring down banks
US and European banks fear that a cyberattack could diminish their economic viability. Dealing with such attacks costs an average USD 5.9 million per year, but investment by organisations to mitigate cyberattacks is negligible, says Peter McAllister, HP Information Security.
The UK is at the centre of the cybersecurity debate as the Government hosts the London Cyberspace Conference in November. State-sponsored online espionage and threats to the critical national infrastructure of developed economies from cyber attacks have focused minds on the urgent challenge of cybersecurity.

For the financial services sector, where credibility is king, cybersecurity is a truly business-critical question. However, the responsibility for fending off these digital intrusions rests uneasily across state and private sector players, whose joint efforts are needed to protect the collection of vital national economic interests.
The Cyberspace Conference lists “Where the balance of responsibility lies for crime prevention between governments, industry and individuals” as one of the issues delegates will consider. However, the theory may be easier than the practice.
Working through US research group The Ponemon Institute, Hewlett-Packard (HP) has spoken to 131 senior security managers from 89 major organisations in the US and Europe to produce the Cybersecurity Readiness Survey 2010. US and European financial services participants totalled a quarter respectively.
While banks have long recognised the need for secure technology, one dilemma thrown up by the cybersecurity debate presents a challenge to established thinking in financial institutions. Across the business community there is a reluctance to admit any arm of government into their security arrangements.
The survey shows 80% of organisations expect a serious cyber attack in the near future, but over half of them, 51%, wish to be left alone to deter the threat without state involvement. In fact only 11% of European respondents and 19% of US ones embraced a collaborative strategy including other industries and government.
The survey does not preclude future cooperation with government. However, Europeans are noticeably more reluctant to contemplate this than their US counterparts, 65% and 44% respectively. This attitude could reflect a wider distrust of government fuelled by numerous high-profile information security lapses. For the financial sector, client confidentiality will always trump the benefits of collaborative action.
However, if a financial institution loses its reputation for securing client confidential data the consequences may threaten its very survival. The study underlines this point with what is perhaps the most alarming finding for financial institutions. It shows that 78% of US and 62% of European respondents think a serious cyber attack may diminish their organisation’s economic viability, bottom line or mission. It is this economic consequence that may focus industry minds.
A second Ponemon Institute study commissioned by HP, The Cost of Cyber Crime, 2011, revealed that the financial services, utilities and energy, and defence sectors all experience higher cyber crime costs than other sectors such as retail. With the study estimating the median annualised cost of cybercrime at USD 5.9 million per year (based on a survey of 50 large US organisations from a cross-section of industries), the likely impact on the bottom line is significant.
Furthermore, with cyberattacks becoming ever more common, this impact is potentially set only to increase. Over a four-week period, the organisations surveyed experienced 72 successful attacks per week, an increase of nearly 45% from 2010. And if attacks are not resolved quickly, costs can spiral. The average time to resolve a cyberattack was 18 days, with an average cost to participating organisations of nearly USD 416,000. Yet in the US and Europe only 38% of security professionals have seen an increase in investment to mitigate or curtail cybersecurity threats (Cybersecurity Readiness Study 2010).
The findings of these reports are sobering, shedding light on the scale of the cybersecurity menace. Given the extent to which financial institutions rely on an image of competency and trustworthiness, it is hardly surprising that cyber intrusion strikes them as so dangerous. The interruption of services, theft of information assets and corruption of information all loom large as reasons why cyber crime cannot be disregarded.
As the London Conference may hint, formal cooperation between government and commercial technology managers is inevitable, primarily because the consequence of not doing so could be significant. The challenge of making it work, though, is plain to see.
Peter McAllister is a security expert practice leader for HP Information Security
Date Posted: 31st October 2011