Banks are ramping up cybersecurity spend – here’s why

Unsurprisingly, the world's most-targeted industry is also its most prepared.
11 August 2020

Barclays’ CEO suggested it would be unlikely for the entire workforce to return to offices. Source: Shutterstock

  • The banking sector is the most targeted by cyberattacks, but also one of the most secure
  • The financial services industry has embraced remote working; now the workforce must be protected
  • The breach of CapitalOne and its $80M fine have been a warning to all

A decade or so ago, it would have been unthinkable that banks could close their branches and back-offices, and continue to serve their customers seamlessly.

But financial services businesses, like many others today, are largely businesses in the cloud. The demands of the pandemic have proven that this industry can thrive without the physical tether of a workplace if the IT setup is controlled, streamlined and fortified. That’s why banks have now significantly ramped up their spend to protect remote workforces, many of which likely won’t be returning to a physical workplace for many months, if at all.

According to a survey by Deloitte and Touche LLP, and the industry group Financial Services Information Sharing and Analysis Center (FS-ISAC), the average spending per employee was budgeted at US$2,691 this year, up from US$2,337 in 2019. 

Some firms have budgeted as much as US$3,322 per employee, whereas US$3,000 stood as the maximum spend last year. 

The sums aren’t particularly mind-blowing at first glance, but as Bloomberg notes, they would translate to US$850 million annually for JPMorgan Chase, and nearly US$900 million for Wells Fargo.

The world’s largest banks shifted large chunks of their operations to remote working models this year, and many are still yet to return to offices given the sheer size of the challenge in safeguarding the health of employees.

Some 70% of workers in the finance and financial services industry have been doing their jobs remotely as a result of the outbreak, according to SurveyMonkey data. Many workers are reporting wanting to work from home permanently, while the head of UK bank Barclays stated that the “notion of putting 7,000 people into a building” each day may well be a thing of the past, with 70,000 of the bank’s employees successfully working remotely. 

Under attack at all times

Shifting entire organizations – regardless of the sector they operate in – into fully remote-working operations will expose new vulnerabilities. But the banking sector, perhaps unsurprisingly, is invariably the most-targeted industry by cybercriminals; banks offer multiple avenues for profit through extortion, theft, and fraud. Comprising information such as date of birth and address, customer data is simply more valuable here. 

In a year that has already borne witness to the ongoing severity and sophistication of ransomware attacks, cybersecurity is rocketing further to the fore as a key industry priority. The consequences of not prioritizing it have been on plain display, with the recently prescribed US$80 million fine of CapitalOne stemming from a risk assessment oversight ahead of an AWS cloud migration.

The breach affected 100 million individuals in the United States and approximately 6 million in Canada, and allowed the hacker to make away with about 140,000 Social Security numbers and about 80,000 linked bank account numbers of CapitalOne’s credit card customers.

The penalties haven’t only been financial; the brand has suffered severe reputational damage as a result of the breach too.

Particularly as more services and customers go online, there is mounting urgency for banks to bolster their cybersecurity. Last year, the Financial Conduct Authority (FCA) in the UK identified an increase of 1000% in cyberattacks between 2017 and 2018. The financial services industry attracted more than a quarter of global malware attacks. 

Given that in the UK alone, £671 million (US$878 million) was lost to card fraud last year, the extra costs of cybersecurity offer a prudent investment. 

Ready and resilient

Because of the weight of responsibility on their shoulders and the level of risk facing them, cybersecurity among members of the banking sector is some of the most advanced and innovative. Many, therefore, have been remarkably quick to adapt to the changing demands of remote working.  

Leaders have had to address training gaps and call on workers to maintain digital hygiene, entrusting them to patch their own computers and update mobile software. McKinsey reports a large bank adjusting its security policies, including running more frequent and tailored awareness campaigns, resulting in a 95% improvement in employee click rates during monthly anti-phishing tests. 

Other measures have comprised restricting the use of USB devices, while shifting contact centers into the cloud has meant adopting specialized, secure remote hardware. 

Another unnamed large bank conducted threat modeling on both its new collaboration tools and unauthorized tools introduced by employees during the remote working shift. Other measures have been customer-focused, such as expanding biometrics and device-based authentication for sensitive transactions on new, digital channels. 

Banks are also investing in advanced, AI-powered security tools for things like fraud prevention; models which have been instrumental from early on among fintech challengers like Revolut, which developed its own AI fraud detection tool, Sherlock.

While distributing an entire bank to the various living rooms, kitchens and home offices of employees may certainly not sound like the safest move for the world’s most targeted industry, these challenges are only further magnifying the sector’s focus on cybersecurity, making them more resilient in the longer term. In that respect, a few hundred dollars per employee is a worthy investment.