A risk not worth taking: How the financial sector can fight cybercrime

The rush to transform in the past two years has left many organisations dangerously exposed to data threats, such as ransomware

Johnny Karam, Managing Director and Vice President of International Emerging region at Veritas Technologies.

The UAE financial services sector has made significant strides in recent years. In line with the UAE’s vision to create a digital economy, it has introduced new technologies and services to cater to evolving customer needs, enabling transactions to be completed anytime, anywhere.

With the more recent shift to remote working during the height of the COVID-19 pandemic, the rapid rise of online and mobile banking services saw banks and fintech firms being entrusted with an unprecedented amount of highly sensitive personal customer data.

The rush to transform in the past two years has left many organisations dangerously exposed to data threats, such as ransomware. When businesses introduce new solutions to their technology stack, protection capabilities need to be extended to cover the change. However, faced with a global pandemic that no one could’ve seen coming, businesses needed to innovate fast, and their security measures struggled to keep pace.

This created a ‘vulnerability lag’, where systems and data have been left unprotected and open to attack. However, this year, organisations need to prioritise redressing the balance between innovation and security to ensure they protect themselves from increasingly sophisticated cybercriminals.

Confronting the danger of cybercrime

Cybercrime is set to cost the global economy $10.5tn annually by 2025. Industry research reveals that, in the UAE, the average cost of remediating a ransomware attack is over $500,000. This cost doesn’t take into account the potential regulatory penalties for data breaches, the cost of downtime, or the cost of losing valuable data that may be irretrievable despite paying ransoms. All things considered, the financial cost of failing to protect your data could be crippling.

The cost of an attack often goes far beyond the monetary value a company will pay out in potential ransom payments and penalties for regulatory non-compliance. Trust is the biggest loss a company could ever face – when customers lose their trust in an organisation to secure and protect their data, it’s very difficult to win it back, especially for an industry such as financial services.

Building an industry on collecting and using highly sensitive customer data is a double-edged sword – while financial services companies can take advantage of a vast pool of valuable customer data to offer personalised services and explore new revenue streams, if this data falls into the wrong hands, it could damage livelihoods beyond repair. This makes the industry a very attractive target for cybercriminals.


Many financial services organisations globally are not managing their data as well as they could be. According to our recent Veritas research, companies in the financial services space are more likely to be struggling to keep pace with their security than those from most other sectors, with nearly half (48 percent) stating that their data security is lagging behind their digital transformation deployments. The average across all industries is 39 percent.

Further, financial services organisations that want to eliminate their vulnerability lag within a year would need to spend, on average, an additional $2.61m and hire 29 new members of IT staff each. $2.61m is 5 percent more than the average required across all sectors, which may be disappointing news for IT leaders in the sector, given that they already typically spent 19 percent more than their peers on IT initiatives last year.

Surviving any kind of ransomware attack always starts with understanding your data – what it is, where it is and what it’s worth. Yet, most businesses lack clarity about the data they might need to protect, with the average UAE organisation admitting that 38 percent of their data is “dark” – that is to say, they don’t know what it is – and a further 49 percent is Redundant, Obsolete or Trivial (ROT).

A glimmer of hope

As the UAE government focuses on setting the gold standard for protecting personal data, recently enacted industry-specific regulations, such as the UAE Central Bank’s Financial Consumer Protection Regulatory Framework, present a significant opportunity for the financial services sector to reassess the security measures across their IT environments.

While the pressures that rapid digital transformation put on IT departments weren’t unique to the financial services sector, its position as a highly attractive target to hackers may have meant that the industry has felt them more acutely. With hackers beating at the door and limited resources to push them back, as well as tightening industry regulations, it can feel like the IT teams are between a rock and a hard place.

Astute IT leaders are partnering with data protection providers that can minimise the admin burden of data protection through simplified tools leveraging artificial intelligence (AI) and machine learning (ML). Taking this approach can help financial organisations accelerate their security rollouts and stop their protection infrastructure from lagging behind their digital transformation.

That’s not to say that AI will replace talent, far from it. Businesses now have an opportunity to direct their newly hired talent to focus on innovation projects, rather than on ‘catching up’. Modernising data protection can play a key role in freeing up skilled IT team members to work on transformation projects by allowing AI and ML to shoulder more of the burden of time-consuming manual processes. Ultimately, these processes can still be human-governed, with AI doing the leg work.

The questions I leave all businesses to ponder on are: what is your critical data and where does it sit? Do you have the ability to detect vulnerabilities early? Do you have full confidence in your recovery plans, and how fast can you recover your data at scale? If you can answer these questions, your security posture will be enhanced substantially.

Despite any company’s best efforts, ransomware attacks are a matter of ‘when’ rather than ‘if’, so knowing ‘when’ becomes absolutely critical. What distinguishes one victim from another is their ability to resist and bounce back.
