Throwing more resources at IT security may not be the best way to tackle cyber crime, according to a report by Ernst & Young.
In a survey of 250 financial institutes, EY found that 28% of respondents were most likely to see the biggest threat emanating from external hackers.
The survey found that a significant proportion of finance professionals also saw threats coming from technical systems vulnerability (23%) and employees (21%).
In the Cybersecurity: Balancing risks and controls for finance professionals report, Richard Brown, a partner in EY’s IT Risk and Assurance practice, said: “The first step is to understand the business risks associated with the cyber threat. IT exists to enable the organisation – not as an end in itself.
“Once organisations have identified the business risks that are causing concern, then they can target their security investment appropriately. There is also a cost-benefit discussion to be held – achieving maximum security may require a disproportionate spend.”
The report warned that some of the digital security offered by IT departments may become misaligned with organisational priorities.
“Security has become synonymous with compliance, and response frameworks have been too focused on technology and bolt-on upgrades. Lines of accountability may be unclear, particularly in terms of who is responsible for a response to a breach. Boardrooms increasingly recognise this isn’t just a matter for technologists, but for them too,” said Brown.
“Risk can be good for business – it’s how companies make a profit,” he stated.
“Finance can question IT and security departments about what they are trying to protect and why. Finance can explain that IT and security should be an enabler, not a constraint on business, and that some degree of risk is acceptable, even necessary.
“Finance can also encourage organisations to review their security policies to ensure they form a simple set of guidelines that employees are made aware of and understand.”
