In the past few years the finance industry has come a long way in terms of understanding the kind of cyber-threats it faces. Phishing, ransomware and DDoS have all, unfortunately, become familiar terms to everyone; from the boardroom to front-line staff in high street banks. But when it actually comes to tackling these cyber-threats, much of what the security team says can be lost in translation. An employee opening an unidentified email attachment claiming to contain financial analysis would likely make the IT department jump to ‘red alert’. But others in the business wouldn’t bat an eyelid, until the ransomware pops up on their screen with a demand for some serious bitcoin.
As Yahoo!’s recent woes and the hefty fine slapped on TalkTalk show, it is much easier to raise awareness of the risks if they are defined in a way that people understand. A £400,000 fine, or the potential derailment of a major buyout deal, is far more impactful than a general reference to non-compliant activities or a data breach. It is also clear that the magnitude of the impact of breaches is catapulting cybersecurity right up the business risk register. There is still much work to do, however. Research by the Ponemon Institute found disconnects between the board and IT security professionals. While board members are very aware of cybersecurity, they lack an understanding of the issues, which limits their ability to evaluate situations and respond appropriately. This must be rectified before cyber-threats can be tackled effectively through combined business efforts. After all, the simplest way to educate an organisation about cyber threats is also the hardest; by falling victim to an attack.
Clarity is key
Everyone in the financial sector is used to using terms that the general public wouldn’t necessarily understand. As such they should be all too aware of the challenges language brings when talking to an audience that isn’t privy to it. Unlike accepted finance terms, one of the core challenges in bridging this communication gap is that cyber-threats mean different things to different people and invariably have different impacts on the various elements of the business.
The implications of specific threats or non-compliant activities can be unclear to senior managers and CXOs, whose objectives of business deliverables and the bottom line are more to the fore. As a result, if the link between a cyber-threat and its ramifications are not clear, the risks to the wider business are lost. If this is to change, IT departments need to translate cyber-threats into business risks; presenting each part of the business with information in the appropriate lexicon. This means telling them not what the threat is, but rather what assets are at risk and how their business activities could be impacted; and what the consequences will be if the worst happens.
For example, if an employee at a bank is told that the way they store customer data might not be GDPR compliant, they probably won’t be overly concerned. If, however, you explain that the business will be faced with a fine of up to 2% of global turnover if they don’t correct the issue, there is a strong likelihood you’ve found a new data management disciple keen to spread the word. Similarly, the CXO may not be too concerned about malware on an internal server as it is a single point of resolution; however if this means that visitors to the website could have their PC infected and held to ransom by cybercriminals, they’ll quickly realise the enormous reputational risk at stake and reprioritise fixing the problem!
Becoming fluent in risk
It is not just the risk of cyber-threats being lost in translation that financial organisations need to address: they must also become more collaborative in security and compliance processes. The periodic tick box mentality, in a manner often reserved for assessor and applicant, serves a purpose but doesn’t help with the more dynamic nature of cyber threats.
Security and compliance management need to become a continuous process, with an in-built quality improvement element. They need to maintain real-time threat information that shows each part of the business the live security and compliance status of key systems and processes. This enables the instant identification of any security or compliance problems and allows them to be dealt with before they become a threat.
Given the importance of compliance within the sector it could also further ease the burden on ensuring everything is up to standard. Becoming fluent in the language of business risk will mean that information is presented in a common and meaningful lexicon across the business, making its importance clear instead of just another meaningless message in another language.
At the end of the day, cybersecurity is not only for the IT department to deal with. It is a business-critical issue, with ramifications for everyone from the CXO to the directors and the customers they serve. The only way for financial institutions to tackle threats effectively is to involve everyone in the business, so they understand the risks and have an ability to evaluate situations and respond appropriately. This means continuous security and compliance monitoring to protect customers and stakeholder value. It also means familiarisation of the security and compliance management processes across the business so that governance outcomes can be continuously improved through continuous “testing and adjusting” of policy and compliance settings. Not only will this collaborative approach decrease the risk that a business will be hit by a damaging breach or a costly fine, but it also reduces the risk of cyber threats to the business being lost in translation.