Cybersecurity Spending Cut by 30% as Fraudsters Move to Internal Threats

U.S. FIs have a false sense of security as they also have the highest rate of data breaches compared to other sectors studied.


U.S. financial institutions have the highest rate of data breaches despite strict compliance mandates, yet their security spending and encryption rates are decreasing, according to a new study from France-based tech provider Thales.

Thales, which has a U.S. office in Austin, Texas, used research from Framingham, Mass.-based global market intelligence firm IDC to reveal that 62% of the U.S. financial institutions surveyed have experienced a breach in their history, and 41% had a breach occur in the last year alone. According to the “2019 Thales Data Threat Report – Financial Services Edition,” U.S. financial services institutions are leading other industries when it comes to implementing digitally transformative technologies, with nearly all (97%) of those surveyed claiming they use sensitive data within digitally transformative environments.

However, the study also found that encryption rates for the U.S. organizations surveyed are 31% or less, even though sensitive financial and payment data remained an attractive target for cybercriminals.

Rivka Gerwitz Little, research director at IDC Financial Insights, said, “Today sensitive data resides in digitally transformative, complex environments that span multiple clouds. These low encryption rates indicate U.S. financial institutions have a false sense of security as they also have the highest rate of data breaches compared to other sectors studied.” Little also observed a disconnect between the reality of data vulnerability and the utilization of inadequate protection with the proliferation of cloud adoption, the advancement of new banking systems and strict data privacy regulations.

The Thales Data Threat Report noted technologies such as big data, cloud, IoT, mobile payments and others introduce new threats to sensitive data. According to the study, 47% of respondents said they are either aggressively disruptive in their use of these technologies or are tightly linking them to an agile management vision. As financial service organizations fight to protect data in new tech environments, they become a prime target for malicious insiders and external attackers motivated by either financial gain or the desire to create chaos in financial systems.

According to the report, the following are the top threats:

When financial institutions first began to open digital channels and enable mobility of both employees and customers, they invested in data protection. However, the new analysis indicated budgets have not kept up with fast-changing security threats. Security spending decreased by 30% over the past year from 84% to 54%. Additionally, sophisticated fraud rings have trained their own machine learning platforms and bots to crack financial systems. The research also found that alliances with third-party fintech firms to launch new services (open banking) are increasing the attack surface for cybercriminals and creating opportunities for industrial espionage perpetrated by competitors who use the same partners.

A key finding of the report showed that although organizations report having plans for adopting data security technologies, like encryption and tokenization, actual implementation rates are low. The survey uncovered that in some sensitive data use cases, less than a quarter of respondents said they were using encryption to protect cloud environments as well as newer sources like big data, blockchain, containers, IoT and mobile payments.

“Fraud and security teams are expected to be the enablers of innovation while securing an increasingly complex financial services environment,” Tina Stewart, vice president market strategy for cloud protection and licensing activity for Thales, stated. Plus, she pointed out, rapid digital transformation, driven by agile fintech start-ups and the open banking trend, shows no signs of slowing down. “In addition, protecting sensitive data becomes even more difficult with shrinking security spending and encryption rates that are far too low.”

As with other industries studied, financial institutions are shifting resources to the cloud and are implementing complex hybrid and multi-cloud environments. Nearly half of the respondents have 50 or more software-as-a-service applications, 83% have two or more platform-as-a-service applications and 85% of respondents have two or more infrastructure-as-a-service applications. Financial institutions are finding that managing multiple cloud instances introduces new challenges. More than half (53%) of those surveyed rated complexity as a top barrier to implementing data security.

A variety of federal (Dodd-Frank and Sarbanes-Oxley), state (New York Department of Financial Services 500 and the California Consumer Privacy Act) and global (General Data Protection Regulation) privacy and compliance regulations impact 87% of surveyed financial institutions with some of the toughest guidelines. The report showed that U.S. financial services institutions use encryption and tokenization at higher rates than other industries studied, and more than half (57%) plan to use these technologies to help meet regulatory requirements.

IDC recommended the following key strategies for financial services security professionals:

  1. Focus on all threat vectors.
  2. Invest in modern, hybrid and multi-cloud-based data security solutions that scale to modern architectures.
  3. Look for solutions that enable doing more with less.
  4. Prioritize compliance issues; do not confuse compliance and security.
  5. Data security, starting with encryption and access management, is an important part of the mix.
  6. Invest in agility.

This report is based on a global IDC web-based survey, conducted in November 2018, of 1,200 executives with responsibility for or influence over IT and data security from nine countries and a range of industries, with a primary emphasis on financial services, retail, healthcare, and federal government. This paper focuses on the findings from the 100 U.S. financial services respondents.