The financial sector and its operating environment are subject to strict regulation. New rules and recommendations on the sector’s cybersecurity are currently being prepared in European networks of authorities. Side by side with the legally binding requirements, the expectations of customers and stakeholders are also growing. In the constantly changing digital environment, information processing and service provision must be secure and in compliance with data protection provisions under all circumstances.
The financial sector’s entire business is based on trust. To foster this trust, the sector needs to be open-minded in its search for new ways to keep its customer data secure. We must not treat cybersecurity as a separate, self-contained objective, but instead integrate it into business strategies, corporate social responsibility and corporate culture. Promoting a culture of cybersecurity requires extensive cooperation both within and across company boundaries. Key players in this cooperation are risk management, ICT and communications specialists and legal experts.
So far, cybersecurity discourse is too focused on negative themes. We get daily news about threats: data breaches, stolen customer information, and different kinds of frauds and cons. However, dwelling on the negative weakens a company’s ability to face new risks and threats. The trick is to turn cybersecurity into a competitive advantage. Indeed, this is a challenge everyone in the financial sector should now take up.
Communicating about cybersecurity matters to management and personnel in a positive light is important. It will also build a culture of security that both elicits confidence and is respectful towards customers. While entirely possible to attain, this aim will demand new models of thought and action. A positive attitude and transparency will help build a corporate image that communicates the company’s investment in maintaining customer security.
Cybercrime is often very opportunistic – anyone can become a victim. Moving from defensive to offensive cybersecurity will improve the chances of identifying and reacting to new risks. Companies can, for example, test their own services using the same tools and means of attack that online criminals use. Joining up with actors who bring new data security ideas to the table will also elevate things to a new level. The offensive model is brimming with cyber geek slang such as white hat, self-inflicted denial-of-service attack, bug bounty program, red teaming exercise, and threat hunting. Communicating this approach to the executive level and carrying it into practical implementation will change the traditional risk map of security but will also, above all, inject a morsel of positive cybersecurity onto the executive agenda.
Our shared responsibility is to maintain trust and confidence – in the cyber world, but just as much in real life, in these globally dire conditions.
This column is part of a series where Finance Finland member companies talk about responsibility in the financial sector.