The threat, cost and complexity of cybercrime continues to rise, keeping it on the agenda of the C-suite despite the efforts and investments made to date. According to Accenture research, the average cost of cybercrime was up 11% last year across all industries, to $13 million per year.
Since financial services firms are, to paraphrase Willie Sutton, “where the money is,” it should not be surprising that financial services firms spend more to fight cybercrime than any other industry, with an average expenditure of $18.5 million annually. The most expensive type of attack – costing the most and taking the longest to resolve – is what is termed the “malicious insider” attack, perpetrated by an individual or individuals with system access. Such attacks cost nearly $250,000 and take more than 50 days to resolve, on average.
To measure the cost of cybercrime, we asked organizations to report their spending to discover, investigate, contain and recover from cyberattacks, along with expenditures that result in after-the-fact activities and efforts to reduce business disruption and the loss of customers. These costs do not include outlays and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.
Although the increase in cybercrime creates uncertainty – 79% of business leaders in a separate survey said that digital business models introduce technology vulnerabilities faster than they can be secured — new solutions incorporating artificial intelligence, automation and machine learning provide very high returns on investment.
However, only about a third (34%) of financial services firms are using AI, automation and machine learning to combat the challenges of cybercrime. And investment is also lagging in other key areas including security intelligence and threat sharing. As a result, financial services firms have a gap (or at least a timing lag) between the technologies they currently use to contend with cybercrime compared to the technologies available, resulting in higher levels of costs and complexity for their cybercrime approaches and solutions.
There are three key steps that financial services firms can take to close this gap:
- Manage the cost of discovering attacks. The largest component of cyber-crime spending is in discovering attacks. This is an area in which automation (including artificial intelligence and machine learning) and advanced analytics can really help in keeping costs down.
- Educate and test your people. Employees play a critical role in detecting and potentially preventing breaches and are often a firm’s first line of defense. Firms should prioritize training for all employees, and, in addition, some form of realistic cybersecurity testing for security staff. Banks, insurers and capital markets firms can use red teams, which are comprised of creative thinkers and top information specialists, to attack or test live systems and processes to better understand their detection and remediation capabilities in the case of an actual attack.
- Focus on information loss. The theft of information in the form of client data can be massively disruptive and can also put companies in violation of new privacy regulations like GDPR (General Data Protection Regulation) and the forthcoming CCPA (California Consumer Privacy Act). And data doesn’t need to be stolen – it can be tampered with or held for ransom without ever leaving the environment. Firms, therefore, should focus investments on limiting information loss and preventing resulting business disruption.
In addition to these specific steps, financial services firms can help themselves by establishing meaningful benchmarks to measure investments in cybersecurity protection, then working systematically to meet targeted objectives. Firms with effective, measurable investment programs, combined with a willingness to evolve these programs and keep focus, should be best positioned to realize this potential value.
originally posted on Forbes.com by Steve Culp