April 17, 2023 By Jonathan Reed

Financial service companies are undergoing a near-continuous digital transformation. As the competition heats up, banks must implement cutting-edge technologies to improve operations and enhance the customer experience. But this shift toward modernization comes with conditions, such as an increased focus on security.

Since the beginning of the Russia-Ukraine conflict, the banking sector has faced an 81% surge in cyberattacks. Nevertheless, financial companies in the UK have demonstrated a high level of confidence in their ability to handle these risks, per a report from Bridewell. According to the study, a surprising 94% of all financial firms surveyed expressed confidence in their ability to fend off attacks.

Given the aggressive threat landscape, what’s behind such a high level of confidence?

Optimism based on performance

The financial sector appears to be the most optimistic when it comes to its security measures, according to Bridewell. The vast majority of the industry’s decision-makers express a sense of confidence. This self-assurance is not without reason, as the industry outperforms all other UK CNI (Critical National Infrastructure) sectors in detecting and addressing threats.

According to the report, financial service companies take an average of 13 days to identify a potential threat. The second best performing sector, communications, takes twice as long at 28 days. Compared with other CNI sectors during the past year, financial firms also experienced the lowest increase in successful attack volume. The report also points out that UK cybersecurity incidents in the financial sector climbed 52% year-on-year to 116 in 2021.

Cyber warfare risk vs. worry

Compared to other CNI sectors, UK financial firms don’t worry as much about the cyber risk associated with real-world military conflict. For example, 93% of transport and aviation companies are concerned about the threat of cyber warfare. Meanwhile, 80% of government entities also worry about attacks related to war. But only 76% of financial services are worried about the cyber war threat.

This is understandable: the stakes are higher for transportation, and attackers frequently target government offices. But financial companies witnessed the second-largest rise in cyberattacks since the war in Ukraine broke out, at 81%. Still, the banks remain confident.

Which risks are most concerning

Despite overall confidence levels, the UK financial sector is acutely aware of the risks. The top security concerns for financial firms named in the Bridewell report include the following:

  • Malware (40%)
  • Phishing and ransomware (tied at 33%)
  • Data theft or misuse (30%)
  • Business email compromise or BEC (27%).

Cloud security issues and banking

With financial services companies increasingly adopting the cloud, worry over cloud security has also risen. As per Bridewell, research published by the Bank of England shows banking institutions are increasingly dependent on Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) products. Also, the Cloud Security Alliance found that nine out of 10 financial services organizations were using cloud services in 2020 or planned to use them in the next six to nine months.

Despite concerns about cloud security, financial companies use cloud infrastructure for highly sensitive and restricted workloads. Nearly a fifth of such workloads operate in the cloud. While this allows for improved operational agility, it also introduces new risks compared to traditional IT infrastructure.

Unsurprisingly, 46% of respondents in the financial services sector identify cloud services as the top attack route. Meanwhile, remote employees (39%) and insecure VPNs (37%) are also at the top of the sector’s security concerns.

Are the banks spending more?

You might guess that the financial sector spends more on security than other sectors. Could this explain the high level of confidence in their security? Amazingly, the report shows that companies in this industry actually spend the least on cybersecurity, at 32% of their IT budget.

Comparatively, financial services companies are not expected to increase that expenditure more than other sectors. This year, financial companies expect to boost their cybersecurity budget by an average of 22%. This is only half a percentage point away from the cross-sector average.

The authors of the Bridewell report speculate that financial companies take an intelligent, priority-driven approach to security. Also, banks understand how to invest in cybersecurity to achieve superior results.

Another explanation could be that the sector invested heavily in digital security years ago ahead of other industries. Lesley Ritter, VP and senior analyst at Moody’s, said, “They have been dealing with cyber threats for well over a decade while at the same time being quick adopters of digital technology, which has the potential of making them more vulnerable. This heightened awareness translates into the banking sector standing out relative to other industries in terms of investment in cybersecurity, ability to attract scarce cyber talent and broad adoption of risk mitigation practices.”

Confident teams

The results of Bridewell’s survey reinforce the idea that the financial sector recruits (and protects) quality talent for key cybersecurity positions. The report states that staff in the banking industry are far less worried about losing their jobs due to a cyberattack. Only 68% worry about their job security in the event of an attack. Meanwhile, 96% of employees in communications companies fear losing their jobs if an attack occurs.

The right attitude

According to Bridewell, the financial sector has demonstrated an advanced level of readiness and resilience to face the complex world of cyber threats. The report says, “It is notable that the primary pressure to improve cybersecurity in the financial sector comes not from customers, but from the business itself. This suggests that managers are attuned to these threats and engaged in mitigating them.”

This means banks take a fully proactive stance when it comes to security. Instead of waiting for incidents to happen, the financial sector appears to study the terrain and seek adequate solutions beforehand. Undoubtedly, the stakes in sectors such as transportation are higher. The risk to human safety is a crucial consideration. But banking businesses are built on trust. If customers lose that trust, they will take their money elsewhere. It appears that the financial services sector realized early on that strong security is essential to a successful business strategy.
