Cyber-Threat and Regulation Priorities for CISOs


With data regulation changes on the horizon and large-scale cyber-attacks on the rise, CISOs face a number of challenges in ensuring that their businesses are both well protected from cyber-threats and compliant with new data laws.

It’s no surprise, then, that information security leaders can struggle to persuade their businesses to fund the full range of security measures they would like, and instead must prioritize where they invest. Each year, Network Group Events polls 60 CISOs from Europe’s top financial institutions at the Financial Services Information Security Network about their biggest priorities for the year ahead. Here we detail the key areas of investment that are the current focus for these CISOs.

The third-party threat

One of the current challenges for many CISOs lies not in preventing attacks on the organization’s own estate, but in the organization’s exposure through its third-party relationships. Financial services firms may have invested over the years in hardening their own systems, processes and applications, but third-party vendors such as cloud providers, hosting companies and outsourced developers can offer attackers an easier route to company data, because a compromise of the supplier inherits whatever access the supplier has been granted.

In fact, PwC’s Third Party Risk Management Survey found that two out of every five firms had not taken even the most basic measures to meet regulatory guidelines on managing third-party risk. Earlier this month, the Association of British Travel Agents (ABTA) suffered a cyber-attack that was traced to a third-party web developer and hosting company used by the organization, leaving the personal data of 43,000 people at risk.

Financial services firms are finally coming around to the idea that even large institutions are at risk through their third-party relationships, and data from Network Group Events shows that CISOs are prioritizing this threat: 61% of the CISOs in our survey named third-party risk management as an information security priority.

A high profile for DDoS

A spate of recent high-profile cyber-attacks involving Distributed Denial of Service (DDoS) is also leading businesses to rethink their network security strategies. Recent incidents such as the attack on Tesco Bank and the targeting of Lloyds Banking Group have put the threat of DDoS firmly on the agenda of many CISOs in the financial services sector. More than a third (37%) of CISOs told Network Group Events that they were specifically prioritizing DDoS protection measures.

Whilst DDoS attacks might be aimed at disrupting a business’s services, for example by cutting off access to a company website, these attacks are increasingly becoming more complex. Rather than a simple DDoS attack, cyber-criminals now combine the typical denial of service that interrupts online platforms with other activity, including attempts to access personal customer data while the security team’s attention is on restoring availability. The practical caveat for defenders is that a DDoS should be treated as a possible cover for intrusion, not only as an availability incident.

It’s in this vein that CISOs are also placing preparation for the impending EU General Data Protection Regulation (GDPR) as a key priority. Not only are businesses having to update their existing systems, but once GDPR comes into effect next year they must also report qualifying personal data breaches to the supervisory authority within 72 hours of becoming aware of them, inform affected individuals where the breach is likely to result in a high risk to them, and document the breach and its effects on the organization, or face fines of up to €20 million or 4% of the business’s global annual turnover, whichever is higher.

More than half (57%) of the CISOs we surveyed at the Financial Services Information Security Network saw data loss and data theft prevention as their main focus, whilst a third highlighted cloud security as a priority and 40% the encryption of data. Half (50%) of CISOs also planned to invest in security governance and reporting.

Raising awareness

Finally, we are also seeing users stand out as a top challenge for CISOs. Investing in cybersecurity measures and systems for data loss prevention is of course important, but in many cases cyber-criminals gain access through devices that have been infected as a result of employee error or poor practice.

From our work at the Financial Services Information Security Network, we found that CISOs increasingly see security awareness, that is, educating employees about the cyber-threat, as the most important security task for financial services firms.

62% of the information security experts polled told Network Group Events that security awareness management was an investment priority, whilst 35% also saw behavioral analytics as a key responsibility. From malicious code infecting a work phone, to ransomware, or even an internal security threat, even the most watertight firms can be at risk from a cyber-attack if they don’t raise awareness of information security best practice among their employees.

As the financial services industry continues to move towards a digital future, from retail banking apps to robo-advice, the cyber-threat will only continue to grow. Whether it’s DDoS, employee education or the impending GDPR, our research shows that, though CISOs have a considerable task ahead, they have clearly prioritized the key areas of focus to ensure their businesses are both compliant with a changing regulatory environment and protected from the evolving cyber-threat.
