November 26, 2014 By Douglas Bonderud

Last week, PricewaterhouseCoopers (PwC) released a preview of its Global State of Information Security Survey (GSISS) 2015, which revealed that financial service companies plan to spend more — much more — on cybersecurity over the next two years. The full report is now available for download, and it’s time to take a closer look at the findings.

The Big Picture

Pulling back the lens, PwC found that cybersecurity “is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom.” Financial cybercrime targets now extend beyond banks and credit unions, with the survey noting that more than half of stock exchanges worldwide have been victimized. In fact, the threat is so dire that the U.S. Securities and Exchange Commission plans to evaluate the cybersecurity preparedness of more than 50 large broker-dealers and investment advisers. Meanwhile, Asian companies that do not comply with Singapore’s Personal Data Protection Act are subject to fines of over $780,000.

Key Findings

Digging into the PwC data on financial service companies, it is clear that risks are on the rise. The survey, which asked 758 financial institutions about the number of detected security incidents, reported that the total number of adverse incidents that threaten “some aspect of computer security” rose 8 percent compared to 2013. The costs of these breaches also grew by 24 percent, with big losses leading the way. The number of firms reporting losses between $10 million and $19.9 million increased by 141 percent compared to last year.

However, the survey also found that cybersecurity spending hasn’t kept pace. While PwC’s 2014 Annual CEO Survey noted that 48 percent of CEOs worldwide are now concerned with cyberthreats, the new report discovered global information security budgets have stalled for the past five years. Overall, the GSISS found that as security incidents rise, spending tends to fall; one theory is that more targeted security practices have “enabled organizations to strategically optimize spending.” The idea here is to replace scattershot security measures with strategic investments “that are most relevant to today’s advanced attacks,” including tools that predict, prevent and detect attacks to minimize overall impact.

The Bottom Line for Financial Service Companies

For financial service companies, however, more spending remains an integral part of the security equation. As noted by a recent IP Watch article, pure spending is just one part of an effective defense. To combat advanced security threats, companies also require buy-in from top leadership, policies for handling sensitive information and input from all business divisions.

PwC found that 71 percent of financial services respondents said incident-management response processes were important components of any cybersecurity strategy. Meanwhile, 69 percent said classifying business value data was essential, and 59 percent wanted better risk assessments on internal systems.

Ultimately, PwC recommends that financial service companies — from stock markets to big banks and small investment firms — focus on linking security and risk. This means companies should ask themselves the following five questions:

  1. How much revenue would be lost in a cyberattack?
  2. Are there capabilities in place to deal with this kind of attack?
  3. Have critical assets been identified?
  4. Is the business resilient enough to handle an attack?
  5. Where do cybersecurity investments have the biggest impact?

While it is impossible to prevent every cyberattack, PwC found that businesses with better-than-average security awareness report significantly lower average costs. For financial service companies, this awareness comes from a combination of increased spending, intelligent investments and the evolution of cybersecurity best practices.
