Banks are known for their strong security efforts and better-than-average protection from hacking. As we discussed previously when introducing a metric to compare the Hackability of different organizations, banks are among the top three best-protected industries according to the SRLabs Hackability Score.
Banks’ security advantage has two potential root causes:
The difference between these two drivers is measurable in the sub-scores of the SRLabs Hackability Score:
We find this unevenness in our measurement, confirming that compliance to banking regulation is a driver behind banks’ security advantage:
Banks perform better than other industries in hardening their Internet-exposed assets. Asset hardening can be achieved through checklists and top-down compliance.
Excellence in security operations, including patching, is more difficult to achieve through checklists and compliance, which makes issues arising from poor security operations less responsive to regulation. As expected, banking, which is highly regulated compared to other industries, has a disproportionately high share of missing patches.
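The split described above, between hardening issues that a checklist can catch and operations issues such as missing patches, is easy to make visible in an asset-scan data set. The following Python script is an added illustration, not SRLabs' scoring methodology and not their data: it assumes a flat list of findings per organisation, tagged with a hypothetical two-way issue class, and aggregates them per sector into issues per organisation and the share of issues that stem from security operations. The "attention skew" check then flags sectors that have fewer issues than average overall but an above-average share of operations issues, which is the pattern the text reports for banks.

```python
from collections import defaultdict

# Constructed sample findings (not SRLabs data), one tuple per issue found on an
# Internet-exposed asset: (organisation, sector, issue class). The two classes are
# an assumed simplification of the page's split: "hardening" issues are the kind a
# compliance checklist catches (exposed management port, weak TLS configuration,
# default credentials); "operations" issues need continuous work, chiefly patching.
FINDINGS = [
    ("bank-a", "banking", "hardening"),
    ("bank-a", "banking", "operations"),
    ("bank-a", "banking", "operations"),
    ("bank-b", "banking", "operations"),
    ("bank-b", "banking", "hardening"),
    ("retail-a", "retail", "hardening"),
    ("retail-a", "retail", "hardening"),
    ("retail-a", "retail", "hardening"),
    ("retail-a", "retail", "operations"),
    ("retail-b", "retail", "hardening"),
    ("retail-b", "retail", "hardening"),
    ("retail-b", "retail", "operations"),
    ("retail-b", "retail", "hardening"),
]


def sector_profile(findings):
    """Aggregate findings per sector.

    Returns, for each sector, the number of organisations seen, the mean number
    of issues per organisation (absolute exposure) and the fraction of issues
    that belong to the "operations" class (the patching-related share).
    """
    orgs = defaultdict(set)
    totals = defaultdict(int)
    operations = defaultdict(int)
    for org, sector, issue_class in findings:
        orgs[sector].add(org)
        totals[sector] += 1
        if issue_class == "operations":
            operations[sector] += 1
    return {
        sector: {
            "orgs": len(orgs[sector]),
            "issues_per_org": totals[sector] / len(orgs[sector]),
            "operations_share": operations[sector] / totals[sector],
        }
        for sector in totals
    }


def attention_skew(profile):
    """Sectors that are better protected than the average sector (fewer issues
    per organisation) yet carry an above-average share of operations issues,
    i.e. hardening is done but maintenance work such as patching lags behind."""
    mean_issues = sum(p["issues_per_org"] for p in profile.values()) / len(profile)
    mean_ops = sum(p["operations_share"] for p in profile.values()) / len(profile)
    return sorted(
        sector
        for sector, p in profile.items()
        if p["issues_per_org"] < mean_issues and p["operations_share"] > mean_ops
    )


if __name__ == "__main__":
    profile = sector_profile(FINDINGS)
    for sector, p in sorted(profile.items()):
        print(f"{sector:8s} orgs={p['orgs']} issues/org={p['issues_per_org']:.2f} "
              f"operations share={p['operations_share']:.0%}")
    print("attention skew in:", attention_skew(profile))
```

With the constructed sample, banking shows 2.5 issues per organisation (below retail's 4.0) but a 60% operations share against retail's 25%, so only banking is flagged. Real use would replace the tuples with an export from a scanning or vulnerability-management tool and a classification rule that maps each finding type to one of the two classes.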
In absolute terms, banks have fewer issues than other industries. However, banks also invest significantly more in information security than other industries. The resulting gap between banks' and non-banks' security is smaller than the difference in security budgets would suggest.
There could be many additional factors contributing to the higher-than-expected Hackability of banks, but the trend is clear: while banks are better protected on average, something keeps their attention away from security maintenance tasks such as patching. We think that regulation is partly responsible for this attention skew.
Banking regulation does have a measurable effect, but not necessarily a positive one: banks appear to spend their large security budgets on comprehensive hardening. Beyond this core topic of security compliance, banks have surprisingly average security levels. For example, banks' performance in credential and authentication management, and in limiting the exposure of management interfaces to the Internet, is underwhelming. The overall security level is determined by these weaker links in the protection chain.
Our research data suggests that if banks spent their large security budgets more like other industries, which typically follow security evolution over security compliance, their efforts to lower Hackability would be more effective.