Financial services organizations are some of the most highly protected institutions in the nation, but, at the same time, are under constant attack. As a result, financial institutions have to be prepared to handle any security disaster.
Earlier this year, I joined G. Mark Hardy from SANS, Ed Dembowski from FireEye and Scott Gordon from ForeScout to discuss the results of a SANS survey on, "risk, loss and security spending in financial institutions."
The survey featured 239 respondents from varying business levels and was conducted from January through February of 2014. The security incidents that ranked in the top three included internal employee misuse (43 percent), spearfishing emails (43 percent) and malware or botnet infections (42 percent)*.
Despite organizations’ best efforts one thing is for sure: breaches are going to happen. The disturbing fact about these statistics is that two of the top three causes were the result of employee behavior; something organizations believe they should be able to control.
One of the major problems with security breaches is figuring out just how bad they really are. Only 21 percent of those surveyed could quantify losses while 50 percent could not and 29 percent didn’t know if they could. This can make it hard to receive future funding for proper security measures.
Risk for organizations concerning these breaches comes from many sides including reputation, legal, regulatory and financial. A security breach could open your company to civil and/or criminal litigation as well as increased regulatory scrutiny and fines. Your organization’s stock could also be devalued and damage done to your image and stockholder confidence.
What do I do?
Decide which security framework is right for you (PCI DSS, COBIT, NIST, FISMA, etc.). While complying with security frameworks is a good start, compliance does not equal security. Additional measures should be taken in order to keep your company safe.
If you are legally or contractually bound to report a breach then you should do it. However, keep in mind the aforementioned risks and convey those risks to your executives, as they are the ones who need to make the final decision.
* Percentages do not add up to 100 percent because respondents were allowed to select multiple answers.