Booz Allen’s Top 10 Financial Services Online Trends

Getting close to the end of the year, let the prognostication begin!  I hate trying to predict things.  Especially in the future.  So I will defer to a firm comprised of experts that have been in the business for years.

Booz Allen Hamilton cites increased online threats to senior executives, the impact of organized crime, and mobile device security as high among the Top 10 Financial Services Cyber Security Trends.  These threats tend to trickle down to every part of a financial services organization, and reputational and financial impacts can pose a huge risk to any organization.

Online security today is about living with and managing the risks within your networks.  It is more than just preventing security breaches and handling policy violations; it's essential that all businesses know what online security threats loom on the horizon, and how information technology industry players are attempting to meet those concerns.

Today’s business environment requires financial institutions in particular to be more creative in meeting the demands of their customers, shareholders, and regulators, but all businesses have a role to play in securing their data.  Attackers will aim their attacks at whatever link in the transaction chain has the fewest or weakest detective, protective or preventative controls in place.

The following list was developed from research by Booz Allen, with years of experience in financial services consulting:

Top 10 Financial Services Online Security Trends for 2012:

  1. Exponential growth of mobile devices drives an exponential growth in security risks.  Every new smart phone, tablet or other mobile device creates another vulnerable network access point.
  2. Increased C-suite targeting.  Senior executives are no longer invisible online.  Assume that hackers already have a complete profile of the executive suite and staff members who have access to them.
  3. Social media contributes to personal online threats.  A profile or obscure comment on a social media platform by an executive, a relative, or a friend can aid hackers in building an information portfolio for use in future attacks.
  4. Your company is already infected.  You’ll have to learn to live with it – under control.  Security must remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection.  The focus of online security tactics must be to detect, contain, and remove threats within your systems.
  5. Everything physical can be digital.  Handwritten notes, printouts, report binders, even PC screens can be copied in digital format and scanned for details that will allow a hacktivist-type of security violation, and increasingly this will be a problem.
  6. More firms will use cloud computing.  The cost savings and efficiencies promised by cloud computing are pushing companies to migrate.  Effectively managing the risks of cloud computing will require up front planning and organized security efforts.
  7. Global systemic risk will include “cyber” risk.  As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected.  A security breach at one firm can create negative ripple effects that greatly impact financial markets.
  8. Zero-day malware and organized attacks continue to increase.  The tools of online criminals adapt and change constantly, challenging the latest defenses to keep pace.  Firms need to be prepared to adapt quickly to malware, tactics of organized crime, and to local and foreign adversaries.
  9. Insider threats are real.  The accidental insider breach will continue to be the primary source of compromise.  Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access.
  10. Regulatory scrutiny will increase.  The Securities and Exchange Commission introduced guidelines that require companies to report incidents that will or could result in information theft or a risk of compromised data considered material.  Expect this to take a more defined and restrictive flavor.

More information on these trends is available here.