Are banks too confident in their cybersecurity practices?

Lack of Comprehensive Testing Could Be Creating Vulnerabilities

According to a survey conducted by Accenture, senior bank executives feel their cybersecurity is adequate. Of the 275 executives surveyed, 78 percent expressed confidence in their capabilities, with 51 percent claiming a high level of confidence for uncovering the cause of breaches. Fifty-one percent of respondents also claimed high confidence for measuring the impact of a breach, and 50 percent were confident in their bank’s ability to measure financial risks caused by a breach.

However, the survey also uncovered potential problems. Respondents reported an average of 85 serious attempts at cyber breaches, with 36 percent of these breaches successfully obtaining some information. In 59 percent of these breaches, it took banks several months to even realize that a breach occurred.

Compared to the global average, banks exhibit higher confidence in their cybersecurity capabilities because of:

“Bank executives are clearly confident when it comes to their cybersecurity capabilities, but there is still much work to be done,” said Chris Thompson, senior managing director and head of financial services cybersecurity and resilience, Accenture Security.

“Most cybersecurity assessment programs, while well-intentioned, are highly theoretical and based on known cyberattack practices. The reality, however, is very different. Fast-moving, dynamic threats are creating new challenges every day. Banks should focus on deploying practical testing scenarios that focus inside the perimeter to ultimately make the crooks’ job as difficult as possible.”

Internal breaches were cited by 48 percent of respondents as the most dangerous type of cyber attack, and 52 percent expressed low confidence in their bank’s internal tools for detecting breaches. Further concern comes from a perceived shortage of skilled workers. Fifty-three percent of respondents anticipate a skill shortage for managing vulnerabilities, and 53 percent also see a skill shortage for responding to incidents. Overall, 61 percent of the executives worry about skills related to network and end-point management.

In their analysis, Accenture pointed to a mismatch between executives’ confidence and their banks’ testing protocols. Although banks have consistently invested in more robust mainline defenses against cyberattacks, these strategies can fall short in the face of today’s rapidly evolving online threats. Internal testing generally relies on theoretical analysis instead of regular and thorough practical testing.

Download the full report