Prior to the pandemic, financial institutions spent an average $2,700 on cybersecurity per full-time employee, up from $2,300 the previous year. COVID-19 now drives the need for companies to doubledown on cybersecurity going forward, according to a study from Deloitte’s cyber risk and strategic risk services group in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC).
The allocation represents more than a tenth of organizations’ IT budgets, increasing slightly to 10.9 percent, up from 10.1 percent, according to data that was collected from 53 institutions late last year through January.
The third annual report from Deloitte and FS-ISAC also found that more than half of the spending went collectively to cyber monitoring and operations, endpoint and network security, and identity and access management.
COVID-19 has resulted in vast challenges for the financial sector’s cybersecurity challenges, the study noted.
“Looking ahead, given the tough macroeconomic conditions arising from the COVID-19 pandemic, many companies will likely be taking a hard look at whether they need to cut expenses across the board,” the report stated. “Financial institutions, however, should be particularly judicious before making a reduction in cybersecurity budgets. Given the increased push toward digitization and the challenges raised by new, often remote work environments, as well as an increase in insider threats, cyber risks confronting most organizations are intensifying.”
Increased pressure on boards and executive management teams of financial institutions has contributed to the cybersecurity focus.
Rapid IT changes and rising complexities ranked as the top challenge in managing cybersecurity for the past three years, while the second biggest challenge was the unavailability of skilled cyber professionals to help secure systems in such a rapidly evolving IT environment.
The third biggest challenge was business growth and expansion, which may recede for the time being, as companies have generally shifted focus from growth to pandemic response and recovery.
Researchers found:
- Cybersecurity organizations will need to quickly adapt to this new operating environment by implementing enhanced controls and endpoint protection technologies to exert greater control over end-user devices.
- With lines blurring among employees, customers, contractors, and partners/vendors in general, firms should consider implementing “zero trust” principles for access since the organization’s perimeter is essentially gone. Every transaction involving flow of data, whether it be through networks, applications, users, devices, or workloads, should be controlled for least privileged access.
- Companies should digitally enable their cyber function to improve agility and automation. Weaving security-by-design principles into IT service development and embedding cybersecurity requirements into the architecture and design stages of the software development lifecycle could help companies get ahead of evolving threats.