SAS: Banks Lack Ammo to Fight Cyber Threats

According to a recent study sponsored by SAS, banks lack the proper measures to fight the onslaught of cyber-attacks.

ORLANDO, Fla.–According to a recent study sponsored by SAS, a leading provider of business analytics software, banks lack the proper ammunition to combat the ongoing threat of cyber-crime.

Indeed, evolving security threats, technology limitations and simple lack of awareness make cyber-risk a daunting hurdle for today’s banks, the study showed. Sponsored by SAS, the recent survey by Longitude Research, Cyberrisk in Banking, cites lost customer trust as the most significant impact from cyber-attacks–nearly double that of monetary losses.

Ellen Joyner, SAS global marketing principal for SAS Security Intelligence, said, “39 percent of respondents said loss of customer trust was the biggest impact to their organization or most significant impact of cyber-security attacks.”

SAS made the announcement at its Premier Business Leadership Series (PBLS) event here.

The SAS cyber-security study surveyed 250 respondents from retail and commercial banking primarily based in the Western Hemisphere, including North America (40 percent), Europe (21 percent) and Latin America (20 percent). Although cyber-security is a wide-ranging problem affecting multiple industries, financial institutions often lead the way by experiencing new threats and enhancing their cyber-security defenses. Nevertheless, just one in five of the executives polled for this study regards overall organizational preparedness for cyber-security risks as “high.” The weakest link reported within banks was a lack of dedicated internal resources–only 24 percent feel “highly prepared” for cyber-threats in this regard, the study showed.

New communication channels for customer service offer unprecedented convenience, SAS said. Unfortunately, they also introduce new threats–phishing, botnets and mobile malware being rated among the most likely and most damaging, according to the survey.

Moreover, lack of senior executive awareness was common–more than half (54 percent) of survey respondents said financial losses are not high enough from cyber-attacks to warrant board-level attention. “This is partly because most organizations handle security as an extension of IT rather than viewing it as an operational risk,” said Christopher Smith, director of cyber-strategies at SAS, in a statement.

Today, threats must be evaluated in the appropriate context and prioritized accordingly, SAS said. For example, the report indicates financial losses are typically low for distributed denial-of-service (DDoS) attacks, which are politically motivated and primarily designed to block access to Websites or online Web services to garner media attention. But it is shortsighted not to also consider the loss of customer trust and the risk of tarnished reputation that result from such attacks.

“Though cyber-security is clearly a cross-industry issue, financial institutions are leading a trend toward convergence of fraud and cyber-crime prevention technology and operations in support of a holistic approach to cyber-security,” said Stu Bradley, director of security intelligence solutions at SAS, in a statement. “This strategy will require new capabilities, not least to fill gaps in the technology marketplace as part of solving the biggest data challenges to date, and in proactively using better analytics to make real-time, risk-based decisions.”

The SAS-sponsored report recommends that banks take a holistic view of cyber-threats, treating them as an operational, enterprise-wide risk.

Absence of information was also a recurring theme, evidence that the value of big data depends upon proper analysis for making better decisions, SAS said. The report states, “this is particularly relevant for cyber-security, as not all threats are equally severe and must be prioritized accordingly.” Interviewees bemoaned a lack of key risk indicators that would better position them to accurately evaluate threats alongside any organizational weaknesses.

Nearly one in three respondents rated limited customer awareness as a key challenge. Still, fewer than one in four banks believe their internal resources are highly prepared–a gap that is far easier to resolve than external customer attitudes.

Meanwhile, one of the report’s conclusions is that organizations need context-aware analytics to become proactive. By pairing big data assets and high-performing analytics, organizations can spot trends and pre-empt possible attackers. Analytics enables banks to create risk-based responses to potential incidents. This supports the report’s realization that organizations must elevate cyber-security from a technical problem to a broader, risk-based strategy.

“Context-aware security applications have access to more data about what is happening at the moment, and can respond with a wider range of behaviors that are tailored to current conditions,” said Avivah Litan, co-author of the Gartner report, “Innovation Insight: Innovation Drives Seven Dimensions of Context-Aware Enterprise Security Systems” and distinguished analyst at Gartner. “This capability is particularly helpful to enterprise security management because there is no such thing as ‘absolute trust.’ A decision to let a transaction proceed based on its perceived risk is not made under black-and-white conditions, but rather is best arrived at by gauging the probability of risk incurred by letting the transaction execute.”

The Longitude Research Cyberrisk in Banking report underscores the need for banks to better manage, monitor and risk-rate the threats they face. To help organizations combat cyber-attacks, SAS is expanding its portfolio of fraud and security intelligence solutions to further address cyber-crime in 2014, the company said.