Balancing cybersecurity investment: Addressing threats for highly regulated industries

In today’s digital landscape, cybersecurity investment is a top priority for organizations in highly regulated industries like financial services, healthcare, and government. As cyber threats become more sophisticated, mutual ADIs, banks, credit unions and other regulated entities must strategically invest in cybersecurity measures to safeguard sensitive customer data and maintain trust.

However, for many organizations, finding the right balance between cyber protection and cost management remains a challenge. How can regulated companies fortify their cybersecurity postures without breaking the bank?

Here at Experteq, we witness firsthand the unique challenges faced by highly regulated industries including, Mutual ADIs, financial services and government organisations in maintaining a strong cybersecurity posture. In today’s rapidly evolving threat landscape with many high-profile cyber breaches, finding the right balance between investing in cybersecurity measures and managing the potential costs of a breach is a critical concern for organisations looking to maintain their trusted position with members.

Unpacked below are some of the biggest security and compliance challenges faced by the sector today.

• Financial fraud

For mutual banks specifically, financial fraud poses a significant risk, taking various forms such as account takeovers, credit card fraud, and wire transfer fraud. However, other industries such as healthcare, pharmaceuticals, and technology, particularly those dealing with financial transactions, are not immune to the risks of financial fraud.

• Phishing and social engineering

Cybercriminals often use phishing and social engineering tactics to target organisations in all industries, exploiting the trusting nature of their potential target. Over 90 per cent of cyberattacks begin with a phishing email. But it’s not just on the receiving end of a phishing attack that organisations should expect to find people; regular people are also the ones perpetrating cybercrime. The demand for getting initial access to an organisation is so high that it has its own dedicated market of cyber threat actors called initial access brokers (IABs).

• Third-party and supply chain risks

Organisations across industries rely on third-party vendors and partners for various services. More often than not, this interconnectedness introduces additional vulnerabilities. In fact, a Forrester report found increased reliance on third parties to be one of the top drivers of increased enterprise risk. The SolarWinds compromise, where threat actors capitalised on a third-party vulnerability to gain access to Microsoft, Intel, Cisco, and a long list of US federal agencies, is a major example and has alerted organisations to the need for better third-party risk management (TPRM).

• Compliance with Australian regulations

For financial services organisations, compliance with specific requirements of Australian Prudential Regulation Authority (APRA) standards is essential. Co-ops and mutuals are also required to comply with the Australian Privacy Principles (APPs) under the Privacy Act. These organisations are expected to have a clear and up-to-date privacy policy that outlines the information they collect, how it is used and how it is protected. Lastly, organisations need to stay aware of legislation changes both at the federal and state levels such as the upcoming amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act) in NSW.

Strategies for fortifying cybersecurity investment and balancing cost

While the risks are many, cybersecurity solutions are constantly evolving to help secure organisations’ digital frontiers. Equally, organisations are taking it upon themselves to keep cybersecurity risks front of mind for their people–including staff and customers–through open and honest dialogue as well as regular awareness, and training programs. Organisations are no longer seeing cybersecurity investments as a cost and focusing instead on the invaluable returns: strengthened security posture and ongoing customer trust. Summarised below are the key considerations for a well-rounded security strategy.

• Implement a robust risk management framework

Comprehensive risk management begins with frameworks that cover all aspects of cyber risk. An effective risk management framework should include regular risk assessments, prioritisation of critical assets, and ongoing monitoring of the organisation’s security posture. An Information Security Management Systems (ISMS) framework or a National Institute of Standards and Technology Cyber Security Framework (NIST-CSF) are commonly used to manage risks.

• Enhance authentication measures

Adopt multi-factor authentication (MFA) for both employees and customers to reduce the risk of unauthorised access to sensitive data and systems. Implementing strong password policies and leveraging biometric authentication (where available) can further enhance security across various industries.

• Develop a comprehensive incident response plan

Prepare for eventualities by developing a comprehensive incident response plan that outlines the steps to detect, contain, and recover from a breach. This will vary between organisations and will need to be tested regularly and updated to ensure effectiveness.

• Strengthen employee and customer awareness

Provide ongoing security awareness training and information for employees and customers to help them recognise and respond to potential threats, such as phishing attacks and social engineering tactics. This training should be tailored to the unique risks and updated regularly to address emerging threats.

• Monitor and manage third-party risks

Conduct regular assessments of third-party vendors and partners to ensure they meet your organisation’s security standards. Implementing contractual clauses that outline security expectations and requirements can help reduce third-party risk and maintain a secure supply chain across various industries.

• Leverage cost-effective cybersecurity solutions

Strengthening your security posture doesn’t have to break the bank. Organisations can balance the cost-benefit equation of cybersecurity investments by leveraging cost-effective solutions such as open-source tools, cloud-continuous evaluation and adjustment-based services. Outsourcing certain security functions to managed service providers to achieve a high level of protection at a fraction of the cost of in-house solutions is another effective workaround.

• Invest in cyber insurance

While not a substitute for robust cybersecurity measures, cyber insurance is increasingly becoming the go-to for organisations looking to manage the financial risks associated with a cyberattack. It’s reported that in 2010, cyber insurance premiums totalled just $600,000 compared to $10 billion by 2021. The global cyber insurance market is expected to grow 20% annually and reach US $23 billion in underwriting premiums by 2025. By providing coverage for expenses related to incident response, legal fees, and regulatory fines, cyber insurance can help businesses recover from security incidents faster.

• Evaluate continuously and adjust where necessary

The threat landscape is constantly evolving, making it essential for organisations to regularly evaluate and adjust their cybersecurity investments. By staying informed of emerging threats and industry trends, businesses can make informed decisions about where to allocate resources and how to adapt their security strategies. Browsing resources on the Australian Cyber Security Centre (ACSC) and Cybersecurity and Infrastructure Security Agency (CISA) websites and signing up for alerts can be a great first step.

In an increasingly connected world, the importance of effective cybersecurity cannot be overstated. By taking a proactive approach to cybersecurity organisations can not only protect valuable assets but also maintain the trust of their members, customers and stakeholders.