Shifting Sands in the Payments Space
Digital payments are expected to hit $726 billion by 20201. This surge in transactions puts payment systems squarely in the crosshairs of cyber attackers. Companies like Google, Apple, and Amazon, as well as new technologies like blockchain payments, Zelle, and Venmo are putting the pressure on traditional providers to deliver new mobile, real-time payment services. This opens the door for new kinds of vulnerabilities and fraud to bring down these systems.
A recent survey by the Association for Financial Professionals (AFP), underwritten by J.P. Morgan, reveals that payments fraud surpassed the 2017 levels. “It is alarming that the rate of payments fraud has reached a record high despite repeated warnings,” said AFP President and CEO Jim Kaitz. “In addition to being extremely vigilant, treasury and finance professionals will need to anticipate scams and be prepared to deter these attacks.”2
The financial and reputational damage from a system breach can be extremely costly. Share prices of impacted companies drop an average of 5% the day a cyber event was disclosed and over 30% of customers affected by the breach discontinue their relationship with that organization3.
Regulators and Industry Groups Respond
To counter these potentially catastrophic events, a growing number of regulators and industry groups have upped the ante on their efforts to bolster cybersecurity standards and respond to these emerging risks. Industry initiatives such as the Financial Systemic Analysis & Resilience Center (FSARC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) Cyber-Attack Against Payment Systems are all centered around improving the security posture of firms within the payments space.
But the Cyber Attackers in the Payment Space Get Savvier
Still, the last two years saw 45% of financial services institutions experience data breaches. The severity and volume of cyberattacks continues to increase, according to a global cybersecurity study of 467 financial institutions conducted by the Ponemon Institute in partnership with ServiceNow. Denial of Service (DoS) attacks, social engineering and phishing, malicious banking apps, and other malware are compromising payment techniques and resulting in fraudulent payments.
Payment firms are struggling to respond. In fact, 47% of financial institutions surveyed said they were breached by a vulnerability even though a patch for it was already available.
What Separates Those That Avoid Breaches from Their Peers
However, the Ponemon Institute’s survey found hope in the darkness: Although hackers continue to use better and more effective techniques, financial institutions can dramatically reduce breach risk with just a few steps.
In the survey, financial institutions that successfully avoided breaches had two key strengths. They rated their ability to patch vulnerabilities in a timely manner 31% higher than breached organizations, and their ability to detect vulnerabilities was 22% higher. Patching is the most significant characteristic of firms that were not breached in the last two years.
However, organizations struggle with patching because they use manual processes and can’t prioritize what needs to be patched first. These findings highlight a major issue in effective and timely vulnerability response. In financial services, as in so many other industries, the ability to rapidly detect and respond to vulnerabilities matters.
The Patching Paradox
A “patching paradox” exists within financial institutions: hiring more people alone does not equal better security. Adding more people to broken processes will not scale or make a financial institution more secure. This problem is compounded by the current cybersecurity talent shortage. While security teams plan to hire more employees and contractors for vulnerability response, they can’t improve their security posture if they don’t fix broken patching processes first.
Payment firms can significantly reduce the risk of a breach by automating routine processes and taking care of basic hygiene items. This doesn’t necessarily mean automating everything related to vulnerabilities and patching end-to-end. Instead, think about creating structured vulnerability response processes for security teams that automate repetitive tasks. As any cybersecurity professional will tell you, repetitive tasks take up much of their workday; automation means faster patching and quicker elimination of vulnerabilities.
Prioritizing Patching – Who’s on First
One major discovery in the Ponemon study is the fact that many security teams underestimate how much time patching takes up. Security teams lost an average of 12 days per vulnerability by manually coordinating patching activities across teams, and 74% of respondents found it difficult to prioritize what needs to be patched first.
One Fortune 100 company employs full-time staff whose sole responsibility is managing the spreadsheets used by different teams for vulnerability management and response. This company is not alone as 61% of professionals surveyed said that manual processes put them at a disadvantage when patching vulnerabilities.
When already busy security teams lose nearly two weeks with each patch when manually coordinating patching activities, something is wrong.
Why Automation Matters
On average, respondents said they plan to hire about four people dedicated to vulnerability response, an increase of 50% over today’s staffing levels. But the global shortage of cybersecurity professionals will reach 2 million by 2019, according to ISACA, a global non-profit IT advocacy group. Demand for security professionals far outstrips supply resulting in organizations finding it extremely difficult to secure the resources they need in the future.
Even with an increase in staff, it won’t be enough to handle the flood of security threats payment firms will face, which include emerging AI-fueled threats that are likely to increase the volume, speed, and effectiveness of cyberattacks even further.
Not patching vulnerabilities in time is the overwhelming cause for these breaches. Vulnerability response across multiple teams exacerbates this struggle. It leads to long delays and causes vulnerabilities that slip through the cracks.
However, structuring and automating workflows gives a way out of this predicament. By paying attention to basic hygiene items, breaking down silos between tools, creating structured workflows for vulnerability response processes, and automating these workflows, it’s much easier for payment firms to prevent breaches and free up valuable resources for their security teams. Having a pragmatic roadmap with smart, strategic steps is within the grasp of these firms as they step up their fight against future security breaches.
- World Payments Report 2017 – https://www.worldpaymentsreport.com
- 2017 Cost of Data Breach Study: Global Overview