Storage & backup security in the financial services and banking sector – Highlights from the 2021 survey report

The financial industry is rightfully alarmed by the increase in both the amount and sophistication of data-centered attacks – primarily ransomware. 

We’ve all read the news. This is no longer a question of if, but how. 

When an organization’s data is compromised, the last line of defense is its storage and backup environments. The fact that so many financial services organizations eventually choose to pay the ransom simply because they see no other solution, leads to serious concerns regarding the industry’s storage and backup security maturity. 

But how do security teams prepare for these rising risks?

Sometimes the best way for CISOs to plan ahead is by first knowing enough about rising trends and following the influencers. 

CISO MAG & Continuity Security Intelligence Report – the first of its kind – has just been released, revealing key trends in storage and backup security management. Sampling 200 security experts from financial services firms and banks from 45 countries, the survey is the result of a collaboration between Continuity and CISO MAG.

Topics surveyed: 

• The scope and focus of organizational vulnerability management
• The impact of storage attacks
• Confidence level in the ability to recover from ransomware attacks, and in the security of storage and backup systems
• Identity of protected entities
• Assessment and measurement of security configuration and vulnerabilities
• Top challenges to securing storage and backup
• Maturity of organizational security configuration baselines

Insights 

In search of structured analysis of the market maturity, challenges, and gaps, we were shocked to discover that too little work was done. 

The perceived impact of storage attacks: We all know it’s bad…

Nearly 70% of respondents believe an attack on their storage environment will have ‘significant’ or ‘catastrophic’ impact. 

In the financial and banking industries, digital data worth may be so high that a well orchestrated attack on both storage and backup could wipe out a significant amount of the organization’s value, potentially affecting entire economies.

Confidence level in storage security and recoverability: We bear no good news 

Confidence among security teams is usually derived from technical capability, availability of resources and infrastructure, and proven compliance with industry standards.

When asked about the level of confidence in the organization’s ability to recover data in the event of a ransomware attack, almost 60% of respondents mentioned that they are not confident in their ability to recover from such an event.

Security auditing: Paying closer attention to storage and backup

Financial services is one of the most heavily regulated industries. Audits are performed both internally and externally and tend to evolve year-over-year based on advances in technology, industry regulation changes, and shifts in the threat landscape.

It was interesting to learn how pervasive storage and backup security controls have become, as part of IT auditing. In fact, more than two-thirds of respondents identified securing storage and backup being specifically addressed in recent external audits.

And yet, storage and backup systems are the two lowest focus areas of organizations’ vulnerability management programs

We all know that establishing a focus area for vulnerability assessment and management processes is an effective step towards strengthening an organization’s information security. Therefore, the fact that storage and backup are low on the list of priorities (the two least focused upon points) definitely shows there is a gap we, as an industry, need to close.

Maybe this finding is not that surprising given the fact that data storage, backup, and recovery management have always been demanding tasks. 

However, given that storage and backup compromise are at the heart of all current ransomware kits, surely the time has come for us to boost our knowledge – as well as our strategies – in protecting and hardening our  storage and backup systems.

To summarize: Storage and backup security maturity is surely the gravity of the hour

Storage and backup security is an evolving practice. Given how lucrative organizational data and its growing business value have become, it is important to realize that we are all in an arms-race with cyber criminals. 

The honest feedback provided by the participants of this survey shows that there is still much to be desired. Most financial services firms and banks have not yet reached a satisfactory level of storage and backup maturity.

The 5 key opportunities for improvement include: 

1. Assigning higher priority to improving the security of storage and backup
2. Building knowledge and skill sets
3. Improving collaboration between Infosec and IT infrastructure teams
4. Defining comprehensive security baselines for all components of storage and backup
5. Using automation to reduce exposure to risk and allow much more agility in adapting to changing priorities

…and much more.

Read the full report to learn more

Security Intelligence Report

Analysis of Storage & Backup Security in the Financial Services & Banking Sector