Security lags tech advances in financial services
By Marilyn de Villiers
While one would expect financial services companies to implement stringent security measures to protect their customers’ sensitive information, a new survey reveals that more than half have lost customer data in cyber attacks.
More than half of organisations in the financial services industry have experienced cyber attacks that not only resulted in system failure and downtime, but also in the theft of customer data, according to a recently released Synopsys survey.
It also found that few respondents have an established process for inventorying and managing open source code, exposing their organisations to significant risk from vulnerabilities in the open source components in their applications.
Commissioned by the Synopsys Cybersecurity Research Center, the survey involved more than 400 IT security practitioners in various financial services sectors, including banking, insurance, mortgage lending, and brokering. While most respondents (70%) were from organisations headquartered in the United States, a small number came from the Middle East and Africa.
The authors of the survey report, The State of Software Security in the Financial Services Industry, noted that technology is deeply embedded in every financial services business and new technologies are constantly being introduced, most notably increased automation for internal processes and development of new software to create a seamless customer experience in traditional, online and mobile banking.
Despite this, the survey found that most financial services organisations are struggling to secure the technologies they already use.
The financial services software supply chain was found to present a major risk. Although most financial organisations continue to develop their own software and systems, many were becoming increasingly reliant on third-party independent vendors.
Almost three quarters of the respondents admitted to being ‘gravely concerned’ about the possibility of security vulnerabilities introduced by third-party suppliers; less than half (43%) required third parties to adhere to specific cyber security requirements or to verify their security practices.
In addition, while the survey revealed that the most common cause of software vulnerabilities was vulnerability testing occurring too late in the development cycle, most financial services organisations only conducted vulnerability assessments after the software had been released. In fact, only 25% of respondents were confident that their organisations could detect security vulnerabilities in their financial software systems before release.
The use of unsecured software and technology was reported to have had a host of negative impacts on the respondents’ organisations. The most common was system failure and downtime, for example as a result of DDoS attacks (reported by 56% of respondents), followed by theft of customers’ sensitive information (51%), and ransomware and other forms of extortion (38%). Also of concern were loss of customers (35%), loss of revenue (34%), theft of intellectual property (33%), and loss of customers’ trust (25%).
The survey also revealed that despite the growing use of open source software and code, organisations often overlooked the associated security and licence risks, with many not reviewing incoming third-party code, or even code developed internally, for potential security and legal issues.
“Clearly, cyber security is not keeping pace with technology advances in the financial services industry, and the issue will only worsen unless proactive steps are taken now. Our report illustrates the need for (financial services industry) organisations to focus more on cyber security, secure coding training, automated tools to find defects and security vulnerabilities in source code, and software composition analysis (SCA) tools to identify open source components introduced by internal development teams or external suppliers,” the authors concluded.