Translator Needed: Why Speaking About Business Risks Will Help Tackle Cybersecurity in the Finance Industry

Piers Wilson

Head of Product Management at Huntsman Security

01.12.2016 09:45 am

In the past few years the finance industry has come a long way in understanding the kinds of cyber-threats it faces. Phishing, ransomware and DDoS have all, unfortunately, become familiar terms to everyone, from the boardroom to front-line staff in high street banks. But when it comes to actually tackling these threats, much of what the security team says is lost in translation. An employee opening an unexpected email attachment that claims to contain financial analysis would make the IT department jump to ‘red alert’; others in the business wouldn’t bat an eyelid until the ransom note appeared on their screen with a demand for a serious quantity of bitcoin.

As Yahoo!’s recent woes and the hefty fine handed to TalkTalk show, it is much easier to raise awareness of risks if they are described in terms people already understand. A £400,000 fine, or the potential derailment of a major buyout deal, is far more impactful than a general reference to non-compliant activity or a data breach. It is also clear that the scale of the impact of breaches is pushing cybersecurity right up the business risk register. There is still much work to do, however. Research by the Ponemon Institute found a disconnect between boards and IT security professionals: board members are aware of cybersecurity as an issue, but lack an understanding of the specifics, which limits their ability to evaluate situations and respond appropriately. This must be rectified before cyber-threats can be tackled effectively as a combined business effort. After all, the simplest way to educate an organisation about cyber-threats is also the hardest: falling victim to an attack.

Clarity is key

Everyone in the financial sector is used to terms that the general public wouldn’t necessarily understand, so they should be all too aware of the difficulty of speaking to an audience that isn’t privy to that language. Cyber-threats pose an extra challenge that accepted finance terms do not: the same threat means different things to different people and has different impacts on different parts of the business.

The implications of specific threats or non-compliant activities can be unclear to senior managers and CXOs, whose attention is on business deliverables and the bottom line. If the link between a cyber-threat and its consequences is not made clear, the risk to the wider business is lost. If this is to change, IT departments need to translate cyber-threats into business risks, presenting each part of the business with information in its own lexicon. That means telling people not what the threat is, but which assets are at risk, how their business activities could be affected, and what the consequences will be if the worst happens.

For example, if an employee at a bank is told that the way they store customer data might not be GDPR compliant, they probably won’t be overly concerned. If, however, you explain that for the most serious infringements the business could face a fine of up to 4% of global annual turnover (or €20 million, whichever is higher) if the issue is not corrected, there is a strong likelihood you’ve found a new data management disciple keen to spread the word. Similarly, a CXO may not be too concerned about malware on a single server, since it looks like a single point of resolution; but if that server hosts the public website and visitors’ PCs could be infected and held to ransom by cybercriminals, they will quickly recognise the enormous reputational risk at stake and reprioritise fixing the problem.

Becoming fluent in risk

It is not just the risk of cyber-threats being lost in translation that financial organisations need to address: they must also become more collaborative in their security and compliance processes. The periodic tick-box approach, with the business cast as applicant and the auditor as assessor, serves a purpose, but it does not keep pace with the dynamic nature of cyber-threats.

Security and compliance management need to become a continuous process with a built-in quality improvement loop. Organisations need to maintain up-to-date threat information that shows each part of the business the live security and compliance status of key systems and processes. This enables security or compliance problems to be identified as they arise and dealt with before they escalate into an incident.

Given the importance of compliance within the sector, this could also ease the burden of demonstrating that everything is up to standard. Becoming fluent in the language of business risk means that information is presented in a common and meaningful lexicon across the business, making its importance clear instead of being just another message in a language nobody else speaks.

At the end of the day, cybersecurity is not just for the IT department to deal with. It is a business-critical issue with ramifications for everyone, from the CXO to the directors and the customers they serve. The only way for financial institutions to tackle threats effectively is to involve everyone in the business, so that they understand the risks and can evaluate situations and respond appropriately. This means continuous security and compliance monitoring to protect customers and stakeholder value. It also means familiarising the whole business with the security and compliance management processes, so that governance outcomes can be continuously improved through ongoing “testing and adjusting” of policy and compliance settings. Not only will this collaborative approach reduce the risk of a damaging breach or a costly fine, it also reduces the risk of cyber-threats to the business being lost in translation.