Translator Needed: Why Speaking About Business Risks Will Help Tackle Cybersecurity in the Finance Industry

Translator Needed: Why Speaking About Business Risks Will Help Tackle Cybersecurity in the Finance Industry

Piers Wilson

Head of Product Management at Huntsman Security

Views 728

Translator Needed: Why Speaking About Business Risks Will Help Tackle Cybersecurity in the Finance Industry

01.12.2016 09:45 am

In the past few years the finance industry has come a long way in terms of understanding the kind of cyber-threats it faces. Phishing, ransomware and DDoS have all, unfortunately, become familiar terms to everyone; from the boardroom to front-line staff in high street banks. But when it actually comes to tackling these cyber-threats, much of what the security team says can be lost in translation. An employee opening an unidentified email attachment claiming to contain financial analysis would likely make the IT department jump to ‘red alert’. But others in the business wouldn’t bat an eyelid, until the ransomware pops up on their screen with a demand for some serious bitcoin.

As Yahoo!’s recent woes and the hefty fine slapped on TalkTalk show, it is much easier to raise awareness of the risks if they are defined in a way that people understand. A £400,000 fine, or the potential derailment of a major buyout deal, is far more impactful than a general reference to non-compliant activities or a data breach. It is also clear that the magnitude of the impact of breaches is catapulting cybersecurity right up the business risk register. There is still much work to do, however. Research by the Ponemon Institute found disconnects between the board and IT security professionals. While board members are very aware of cybersecurity, they lack an understanding of the issues, which limits their ability to evaluate situations and respond appropriately. This must be rectified before cyber-threats can be tackled effectively through combined business efforts. After all, the simplest way to educate an organisation about cyber threats is also the hardest; by falling victim to an attack.

Clarity is key

Everyone in the financial sector is used to using terms that the general public wouldn’t necessarily understand. As such they should be all too aware of the challenges language brings when talking to an audience that isn’t privy to it. Unlike accepted finance terms, one of the core challenges in bridging this communication gap is that cyber-threats mean different things to different people and invariably have different impacts on the various  elements of the business.

The implications of specific threats or non-compliant activities can be unclear to senior managers and CXOs, whose objectives of business deliverables and the bottom line are more to the fore. As a result, if the link between a cyber-threat and its ramifications are not clear, the risks to the wider business are lost. If this is to change, IT departments need to translate cyber-threats into business risks; presenting each part of the business with information in the appropriate lexicon. This means telling them not what the threat is, but rather what assets are at risk and how their business activities could be impacted; and what the consequences will be if the worst happens.

For example, if an employee at a bank is told that the way they store customer data might not be GDPR compliant, they probably won’t be overly concerned. If, however, you explain that the business will be faced with a fine of up to 2% of global turnover if they don’t correct the issue, there is a strong likelihood you’ve found a new data management disciple keen to spread the word. Similarly, the CXO may not be too concerned about malware on an internal server as it is a single point of resolution; however if this means that visitors to the website could have their PC infected and held to ransom by cybercriminals, they’ll quickly realise the enormous reputational risk at stake and reprioritise fixing the problem!

Becoming fluent in risk

It is not just the risk of cyber-threats being lost in translation that financial organisations need to address: they must also become more collaborative in security and compliance processes. The periodic tick box mentality, in a manner often reserved for assessor and applicant, serves a purpose but doesn’t help with the more dynamic nature of cyber threats.

Security and compliance management need to become a continuous process, with an in-built quality improvement element. They need to maintain real-time threat information that shows each part of the business the live security and compliance status of key systems and processes. This enables the instant identification of any security or compliance problems and allows them to be dealt with before they become a threat.

Given the importance of compliance within the sector it could also further ease the burden on ensuring everything is up to standard. Becoming fluent in the language of business risk will mean that information is presented in a common and meaningful lexicon across the business, making its importance clear instead of just another meaningless message in another language.

At the end of the day, cybersecurity is not only for the IT department to deal with. It is a business-critical issue, with ramifications for everyone from the CXO to the directors and the customers they serve. The only way for financial institutions to tackle threats effectively is to involve everyone in the business, so they understand the risks and have an ability to evaluate situations and respond appropriately. This means continuous security and compliance monitoring to protect customers and stakeholder value. It also means familiarisation of the security and compliance management processes across the business so that governance outcomes can be continuously improved through continuous “testing and adjusting” of policy and compliance settings. Not only will this collaborative approach decrease the risk that a business will be hit by a damaging breach or a costly fine, but it also reduces the risk of cyber threats to the business being lost in translation.

Latest blogs

Keith McGill Equifax UK

Fraud Continues to Rise, but Faster Digitisation Will Bring Benefits

The results of the Cifas report show the changing face of fraud and identity theft across the UK. With a 13% rise in reports to the National Fraud Database from 2018, it’s clear that even before the pandemic struck there were a number of challenges Read more »

Darren Capehorn Icon Solutions

Unbanked and Unconnected: Supporting Financial Inclusion Beyond Digital

Many of us take it for granted, but accessing basic financial services is fundamental to our economic and social development. It is hard to ‘get on’ if you are forced to hide life savings under the mattress, or rely on predatory loan sharks for Read more »

Konstantin Demishev Archer Software

How Machine Learning Helps Fintech Companies Detect Fraud

Machine learning (ML) is one of the most discussed technological tools, and if in the past only a few companies could use it due to high cost and lack of resources, today many industries use ML. The financial sector is not an exception and embraces Read more »

Nish Kotecha Finboot and Bryan Foss, NED, Visiting Professor at Bristol Business School and member of the FRC Audit & Assurance Council

How Listed Companies Can Use Blockchain to Prevent Auditing and Reporting Malpractice and Avoid Scandal

Not too long ago, there was very little to link Wirecard, the disgraced payments platform in Aschheim, Germany, with Boohoo, the fast-fashion online retailer in Leicester, England, but both have recently been embroiled in high-profile scandals. Read more »

Leon Muis Yolt Technology Services

The Time for Financial Services to Become Truly Digital is Now

The financial services industry looks set to change dramatically over the next couple of years in response to COVID-19. The pandemic has certainly highlighted some inefficiencies and weak spots in current processes for many businesses, such as those Read more »

Related Blogs

Dmytro Volkov CEX.IO

Security Basics: 5 Signs of Phishing

A recent WatchGuard Technologies survey showed that 86% of UK companies expect an increase in cyberattacks in the next 12 months. One big threat in particular is phishing attacks linked to COVID-19, which have recently been gaining popularity among Read more »

Fraser King Vodafone Business

Protecting the End-user at All Costs: How to Stop Cyber Fraud on Mobile

In an age of large-scale data breaches and advanced social engineering tactics, it’s clear that the fight against cybercrime never stops. This has only been amplified by the coronavirus pandemic, which has provided fertile ground for cybercriminals Read more »

Tom Kellermann VMware Carbon Black

Modern Bank Heist: from smash and grab to hostage situation as cyberthieves evolve

The financial sector is historically one of the most secure industries in the world. It needs to earn trust and convince customers that their hard-earned money is safe. Nevertheless, the fact that banks are guardians of the one thing cyber criminals Read more »

Mikkel Stegmann Fingerprints

Convenience + Security: The Maths of Multi-Modal Authentication

For today’s efficiency-loving consumers, convenience is more important than ever. When it comes to unlocking our smartphones, for example, the hassle of having to remember PINs and passwords has been long discarded in favour of quick and easy Read more »

James Richardson Bottomline Technologies

Payment Protection for the Modern Age

Modern cybersecurity professionals have succumbed to an arms race with criminals as corporate defence spends balloon, attempting to keep pace with ever-evolving infiltration and extraction techniques. As expenses grow, dangers continue to mount. In Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel