The days when compliance was the key to security are over

Financial markets have traditionally operated under strict controls. Whether it is a bank or an investment management firm, an organization in this sector does very little arbitrarily; everyone's actions are expected to follow the legislation that governs the industry. Those rules were written mainly to protect customers, which is why so much cybersecurity is woven through them.

Unfortunately, the people who write that legislation have often not understood the nuances of cybersecurity, then or now. In other words, the rules were drawn up without a precise understanding of what would actually reduce risk in the financial sector. That is how ‘checklist’ and ‘box-ticking’ compliance procedures came to be added, largely to satisfy the rule-makers. The result is that an organization can be breached even though it has kept every requirement it was told to keep.

Take vulnerability remediation as an example. Financial sector regulations concentrate on ‘reducing risk by closing open security gaps quickly’. That seems to point in the right direction at first glance, but it ignores an obvious problem: no organization can eliminate every vulnerability in existence. A rule that no reality can satisfy is a rule that nobody can properly comply with.

Fortunately, the banking industry has a long history and culture of risk management. Organizations in the sector have begun to adopt risk-driven approaches to finding and fixing vulnerabilities, based on analytical evidence rather than on regulator-prescribed procedures. Has ‘real security’ changed as a result?

As an example, Kenna Security recently published research addressing exactly these questions. The first finding needed no deep analysis: the financial services sector faces a harder problem than most. The number of vulnerabilities found in financial firms was, on average, four times that found in organizations in other industries. That is because the digital estates of financial organizations are not only massive in scale but also serve many different purposes.

That does not mean the financial sector is four times riskier than other sectors, because not every vulnerability translates into a real security threat. In fact, attackers currently exploit only about 5 percent of known vulnerabilities. For a typical business, then, correctly patching the right one in ten vulnerabilities is enough to be reasonably safe.

The financial services sector is reasonably good at vulnerability patching. Almost 85 percent of the vulnerabilities it finds are remediated rather than left open. Since that figure is an average, some organizations remediate well above 85 percent, which is remarkable. It is all the more commendable because the sector sustains this rate while handling four times as many vulnerabilities as an ordinary organization. As a result, relative to the attacks it faces, the financial sector suffers proportionally fewer incidents. A breach, however memorable it is, is a single event.

‘Risk assessment’ is part of the DNA of most financial services companies, so risk, including vulnerability risk, is handled well. Most cyber criminals prefer well-known threat vectors and attack techniques, because that is how they reduce the risk on their own investment. The latest zero-day technique makes headlines, but in practice the same attacks and the same vulnerabilities have been recycled in the field for years. Moreover, trying to ‘close every weakness’ is both unrealistic and inefficient.

Any business can identify the vulnerabilities that are most effective to patch by using advanced tooling and data science. Applying such tools and data science is not fundamentally different from the conventional view of risk management, and the banking market shows the benefit of doing it well. It is not flawless, but the financial sector is hit by fewer successful attacks than average, with damage well below the norm.
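The argument above (only a small fraction of vulnerabilities are ever exploited, so a risk-driven choice of what to patch beats a blanket severity rule) can be made concrete. The script below is an added illustration, not code from the article or from Kenna Security's research: it builds a synthetic inventory (no real CVE identifiers; IDs like VULN-0001 are made up) in which roughly 5% of findings are actually exploited, then compares two ways of spending a fixed patch budget of one finding in ten. The ‘severity’ ranking patches by CVSS score; the ‘risk’ ranking patches findings with exploit evidence first. The ranking functions, the ‘exploit_known’ intel flag, and the correlation assumptions in the data generator are all assumptions of this example. Two metrics are computed: coverage, the share of actually exploited vulnerabilities that got patched, and efficiency, the share of patches that went to vulnerabilities that were actually exploited.

```python
"""Risk-based vs. severity-based vulnerability prioritization under a fixed patch budget.

Constructed example (not the article's or Kenna Security's code). The inventory is
synthetic: there are no real CVEs here, and the 'exploit_known' flag stands in for
whatever threat intelligence an organization has (exploitation observed in the
wild, public exploit code). 'exploited' is the ground truth used only to score
the two strategies afterwards.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float
    exploit_known: bool   # assumption: intel says an exploit exists or is in use
    asset_value: int      # assumption: 1 (low) .. 5 (critical business asset)
    exploited: bool       # ground truth: was this vulnerability actually attacked?


def make_inventory(n: int = 1000, exploited_rate: float = 0.05, seed: int = 7) -> list:
    """Synthetic inventory in which ~5% of findings are ever exploited, mirroring the
    figure quoted in the article. Assumptions: exploit intel catches most exploited
    vulnerabilities but also flags some that never are; CVSS is only weakly
    correlated with actual exploitation."""
    rng = random.Random(seed)
    findings = []
    for i in range(n):
        exploited = rng.random() < exploited_rate
        exploit_known = rng.random() < (0.8 if exploited else 0.05)
        cvss = round(rng.uniform(4.0, 10.0) if exploited else rng.uniform(2.0, 10.0), 1)
        findings.append(Finding(f"VULN-{i:04d}", cvss, exploit_known,
                                rng.randint(1, 5), exploited))
    return findings


def severity_rank(f: Finding) -> tuple:
    """Compliance-style rule: highest CVSS first, asset value as tie-breaker."""
    return (f.cvss, f.asset_value)


def risk_rank(f: Finding) -> tuple:
    """Risk-based rule: exploit evidence first, then asset value, then CVSS."""
    return (f.exploit_known, f.asset_value, f.cvss)


def choose(inventory: list, rank, budget_fraction: float) -> list:
    """Pick the top findings under the given ranking, limited to the patch budget."""
    budget = int(len(inventory) * budget_fraction)
    return sorted(inventory, key=rank, reverse=True)[:budget]


def coverage_efficiency(inventory: list, patched: list) -> tuple:
    """coverage   = exploited vulns patched / all exploited vulns
       efficiency = exploited vulns patched / all vulns patched"""
    exploited_total = sum(1 for f in inventory if f.exploited)
    patched_exploited = sum(1 for f in patched if f.exploited)
    coverage = patched_exploited / exploited_total if exploited_total else 0.0
    efficiency = patched_exploited / len(patched) if patched else 0.0
    return coverage, efficiency


def compare(inventory: list, budget_fraction: float = 0.10) -> dict:
    """Score both strategies with the same budget (default: one finding in ten)."""
    return {
        "severity": coverage_efficiency(inventory, choose(inventory, severity_rank, budget_fraction)),
        "risk": coverage_efficiency(inventory, choose(inventory, risk_rank, budget_fraction)),
    }


if __name__ == "__main__":
    inv = make_inventory()
    print(f"findings={len(inv)} exploited={sum(f.exploited for f in inv)}")
    for name, (cov, eff) in compare(inv).items():
        print(f"{name:9s} coverage={cov:.2f} efficiency={eff:.2f}")
```

With the same 10% budget, the risk-based ranking patches most of the vulnerabilities that are actually attacked, while the CVSS ranking spends most of its budget on high-scoring findings nobody exploits. Swap the synthetic generator for a real inventory joined to an exploit-intelligence feed and the same two metrics become a way to measure a patching program by risk reduced rather than by boxes ticked.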

I am not claiming that the financial sector's security is now fine, or that anyone can simply copy it. The point is that the pattern is shifting from ‘security = compliance’ to ‘security = risk management’. The stringent regulation of the financial industry also deserves credit, since it has let the sector adopt and lead this trend on its own. Security looks conservative at first glance, but I hope every business recognizes that behind it a continuous revolution is required.
