April 17, 2023 By Jonathan Reed 4 min read

Financial service companies are undergoing a near-continuous digital transformation. As the competition heats up, banks must implement cutting-edge technologies to improve operations and enhance the customer experience. But this shift toward modernization comes with conditions, such as an increased focus on security.

Since the beginning of the Russia-Ukraine conflict, the banking sector has faced an 81% surge in cyberattacks. Nevertheless, financial companies in the UK have demonstrated a high level of confidence in their ability to handle these risks, per a report from Bridewell. According to the study, a surprising 94% of all financial firms surveyed expressed confidence in their ability to fend off attacks.

Given the aggressive threat landscape, what’s behind such a high level of confidence?

Optimism based on performance

The financial sector appears to be the most optimistic when it comes to its security measures, according to Bridewell. The vast majority of the industry’s decision-makers express a sense of confidence. This self-assurance is not without reason, as the industry outperforms all other UK CNI (Critical National Infrastructure) sectors in detecting and addressing threats.

According to the report, financial service companies take an average of 13 days to identify a potential threat. The second-best-performing sector, communications, takes twice as long at 28 days. Compared with other CNI sectors during the past year, financial firms also experienced the lowest increase in successful attack volume. The report also points out that UK cybersecurity incidents in the financial sector climbed 52% year-on-year to 116 in 2021.

Cyber warfare risk vs. worry

Compared to other CNI sectors, UK financial firms don’t worry as much about the cyber risk associated with real-world military conflict. For example, 93% of transport and aviation companies are concerned about the threat of cyber warfare. Meanwhile, 80% of government entities also worry about attacks related to war. But only 76% of financial services are worried about the cyber war threat.

This is understandable: the stakes are higher for transportation, and attackers frequently target government offices. But financial companies witnessed the second-largest rise in cyberattacks since the war in Ukraine broke out, at 81%. Still, the banks remain confident.

Which risks are most concerning

Despite overall confidence levels, the UK financial sector is acutely aware of the risks. The top security concerns for financial firms named in the Bridewell report include the following:

  • Malware (40%)
  • Phishing and ransomware (tied at 33%)
  • Data theft or misuse (30%)
  • Business email compromise or BEC (27%)

Cloud security issues and banking

With financial services companies increasingly adopting the cloud, worry over cloud security has also risen. As per Bridewell, research published by the Bank of England shows banking institutions are increasingly dependent on Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) products. Also, the Cloud Security Alliance found that nine out of 10 financial services organizations were using cloud services in 2020 or planned to use them in the next six to nine months.

Despite concerns about cloud security, financial companies use cloud infrastructure for highly sensitive and restricted workloads. Nearly a fifth of such workloads operate in the cloud. While this allows for improved operational agility, it also introduces new risks compared to traditional IT infrastructure.

Unsurprisingly, 46% of respondents in the financial services sector identify cloud services as the top attack route. Meanwhile, remote employees (39%) and insecure VPNs (37%) are also at the top of the sector’s security concerns.

Are the banks spending more?

You might guess that the financial sector spends more on security than other sectors. Could this explain the high level of confidence in their security? Amazingly, the report shows that companies in this industry actually spend the least on cybersecurity, at 32% of their IT budget.

Comparatively, financial services companies are not expected to increase that expenditure more than other sectors. This year, financial companies expect to boost their cybersecurity budget by an average of 22%. This is only half a percentage point away from the cross-sector average.

The authors of the Bridewell report speculate that financial companies take an intelligent, priority-driven approach to security. Also, banks understand how to invest in cybersecurity to achieve superior results.

Another explanation could be that the sector invested heavily in digital security years ago ahead of other industries. Lesley Ritter, VP and senior analyst at Moody’s, said, “They have been dealing with cyber threats for well over a decade while at the same time being quick adopters of digital technology, which has the potential of making them more vulnerable. This heightened awareness translates into the banking sector standing out relative to other industries in terms of investment in cybersecurity, ability to attract scarce cyber talent and broad adoption of risk mitigation practices.”

Confident teams

The results of Bridewell’s survey reinforce the idea that the financial sector recruits (and protects) quality talent for key cybersecurity positions. The report states that staff in the banking industry are far less worried about losing their jobs due to a cyberattack. Only 68% worry about their job security in the event of an attack. Meanwhile, 96% of employees in communications companies fear losing their jobs if an attack occurs.

The right attitude

According to Bridewell, the financial sector has demonstrated an advanced level of readiness and resilience to face the complex world of cyber threats. The report says, “It is notable that the primary pressure to improve cybersecurity in the financial sector comes not from customers, but from the business itself. This suggests that managers are attuned to these threats and engaged in mitigating them.”

This means banks take a fully proactive stance when it comes to security. Instead of waiting for incidents to happen, the financial sector appears to study the terrain and seek adequate solutions beforehand. Undoubtedly, the stakes in sectors such as transportation are higher. The risk to human safety is a crucial consideration. But banking businesses are built on trust. If customers lose that trust, they will take their money elsewhere. It appears that the financial services sector realized early on that strong security is essential to a successful business strategy.
