Addressing the ‘Vulnerability Lag’: how financial services companies can safeguard their data assets

The rush to digitally transform over the past two years, during the height of the COVID-19 pandemic, has left many organisations dangerously exposed to data threats, such as ransomware. When businesses introduce new solutions to their technology stack, protection capabilities need to be extended to cover them. However, faced with a global pandemic that no one could’ve seen coming, businesses needed to innovate fast, and their security measures struggled to keep pace. Financial services organisations were especially stretched by these challenges, as employees shifted to remote working, more services moved online, and new products were introduced at speed.

This change created a ‘vulnerability lag’, where systems and data have been left unprotected and open to attack. And while businesses were right to prioritise continuity for customers and empowering the shift to remote working, the time has come to redress the balance between rapid innovation and security, to protect from increasingly sophisticated cybercriminals.

The harsh reality

Cybercrime is set to cost the global economy $10.5 trillion annually by 2025. Industry research reveals that, in the UK, the average cost of a ransomware attack is around £1.5 million. All things considered – the potential regulatory penalties, the impact of downtime, the cost of losing data that may be irretrievable – the financial repercussions for failing to protect your data could be crippling.

But the cost of an attack often goes far beyond the monetary value a company will pay out in potential ransom payments and penalties for regulatory non-compliance. Trust is the biggest loss a company could ever face – when customers lose their trust in an organisation to secure and protect their data, it’s very difficult to win it back, especially for an industry such as financial services.

Building an industry on collecting and using highly sensitive customer data is a double-edged sword – while financial services companies can take advantage of a vast pool of valuable customer data to offer personalised services and explore new revenue streams, if this data falls into the wrong hands, it could damage livelihoods beyond repair. This makes the industry a very attractive target for cybercriminals.

Many financial services organisations globally are not managing their data as well as they could be. According to recent Veritas research, companies in the financial services space are more likely to be struggling to keep pace with their security than those from most other sectors, with nearly half (48%) stating that their data security is lagging behind their digital transformation deployments. The average across all industries is 39%.

Further, financial services organisations that want to eliminate their vulnerability lag within a year would need to spend on average an additional £1.99 million and hire 29 new members of IT staff each.[1] £1.99 million is 5% more than the average required across all sectors, which may be disappointing news for IT leaders in the sector, given that they already typically spent 19% more than their peers on IT initiatives last year.

Surviving any kind of ransomware attack always starts with understanding your data – what it is, where it is and what it’s worth. Yet, most businesses lack clarity about the data they might need to protect, with the average UK organisation admitting that 39% of the data their organisation was storing is “dark” – that is to say, they don’t know what it is – and that a further 51% is Redundant, Obsolete or Trivial (ROT).

Where there’s a will, there’s a way

While the pressures that rapid digital transformation put on IT departments weren’t unique to the financial services sector, its position as a highly attractive target to hackers may have meant that the industry has felt them more acutely. With hackers beating at the door and limited resources to push them back, as well as tightening industry regulations, it can feel like the IT teams are between a rock and a hard place.

But astute IT leaders are partnering with data protection providers that can minimise the admin burden of data protection through simplified tools leveraging artificial intelligence (AI) and machine learning (ML). Taking this approach can help financial services organisations accelerate their security rollouts and stop their protection infrastructure from lagging behind their digital transformation.

That’s not to say that AI will replace talent, far from it. Businesses now have an opportunity to direct their newly hired talent to focus on innovation projects, rather than on ‘catching up’. Modernising data protection can play a key role in freeing up skilled IT team members to work on transformation projects by allowing AI and ML to shoulder more of the burden of time-consuming manual processes. Ultimately, these processes can still be human-governed, with AI doing the leg work.

Despite any company’s best efforts, ransomware attacks are a matter of ‘when’ rather than ‘if’, so knowing ‘when’ becomes absolutely critical. What distinguishes one victim from another is their ability to resist and bounce back.

As the Greek philosopher, Heraclitus, is famously quoted saying, “change is the only constant in life”. And financial services organisations are going to need to be ready to adapt again and again to keep up with the pace with the ever-evolving market. The questions you need to ask yourself are: what is your critical data and where does it sit? Do you have the ability to detect vulnerabilities early? Do you have full confidence in your recovery plans, and how fast can you recover your data at scale? If you can answer these questions, your security posture will be enhanced substantially.

[1] Figure converted from $2.61 million using the latest exchange rate at the time the report was published.