research Archives - Security IT Summit | Forum Events Ltd

Posts Tagged: research

53% of manufacturers say operational tech is vulnerable to cyber attack

Stuart O'Brien

Manufacturing industry security teams are seeing the information technology (IT) and operational technology (OT) environments converging at a rapid pace, but are struggling to safeguard OT assets because they are using the same tools they use to safeguard their IT infrastructure.

As a result, IT teams can’t keep up with growing volumes of security data or the increasing number of security alerts. They lack the right level of visibility and threat intelligence analysis and don’t have the right staff and skills to handle the cybersecurity workload.

Consequently, business operations are being disrupted and cyber-risk is increasing: more than half of the manufacturing organizations surveyed have experienced some type of cybersecurity incident on their OT systems in the last 12 months, taking weeks or months to remediate.

Those are the conclusions of a report conducted by TrapX Security in partnership with the Enterprise Strategy Group (ESG), which asked 150 cyber and IT professionals directly involved in security strategy, control and operations within manufacturing organisations about their current and future concerns. 

Manufacturing organizations have large and growing investments in IT and OT technology, helping them achieve more agile business processes. As the research reveals, IT and OT integration is fast becoming a best practice. Nearly half (49%) of organisations say that IT and OT infrastructure are tightly integrated while another 45% claim that there is some integration. This integration will only increase as 77% of respondents expect further IT and OT infrastructure convergence in the future. 

However, only 41% of organizations employ an IT security team with dedicated OT specialists, while 32% rely on their IT security team alone to protect OT assets. 58% use network technology tactics like IP ranges, VLANs, or microsegmentation to segment IT and OT network traffic. Almost one-quarter (24%) of organizations simply use one common network for IT and OT communications, reducing the visibility and response required for OT-focused attacks.

Common tools and staff may make operational sense, but deploying a plethora of IT security technologies to prepare for the specific threats of OT leaves IT teams unprepared and vulnerable to attack. As illustrated in the research, IT teams are repeatedly overwhelmed by the growing volumes of security data, visibility gaps, and a lack of staff and skills.

Security teams are challenged by the growing volumes of security data and the increasing number of security alerts. 53% believe that their security operations workload exceeds staff capacity, and 37% admitted they must improve their ability to adjust security controls. More than half of surveyed organizations (58%) agreed that threat detection and response has grown more difficult. When asked to provide additional detail on the specific nature of that growing complexity, nearly half (45%) say they are collecting and processing more security telemetry and 43% say that the volume of security alerts has increased.

Manufacturers are still working in the dark though with just under half (44%) citing evolving and changing threats as making threat detection and response more difficult, particularly true as threat actors take advantage of the “fog” of COVID-19.

“The research illustrates a potentially dangerous imbalance between existing security controls and staff capabilities, and a need for more specialized and effective safeguards,” said Jon Oltsik, ESG Senior Principal Analyst and Fellow. “Manufacturing organizations are consolidating their IT and OT environments to achieve economies of scale and enable new types of business processes. Unfortunately, this advancement carries the growing risk of disruptive cyber-attacks. While organizations have deployed numerous technologies for threat detection and response, the data indicates that they are overwhelmed by growing volumes of security data, visibility gaps, and a lack of staff and skills.  Since they can’t address these challenges with more tools or staff, CISOs really need to seek out more creative approaches for threat detection and response.”

As the IT/OT attack surface grows, security teams are spread thinner as they try to keep pace with operations tasks such as threat detection, investigation, incident response, and risk mitigation. 53% agreed that their organization’s OT infrastructure is vulnerable to some type of cyber-attack, while the same number stated that they had already suffered some type of cyber-attack or other security incident in the last 12-24 months that impacted their OT infrastructure. When asked how long it typically takes for their firm to recover from a cyber-attack, 47% of respondents said between one week and one month, resulting in significant and potentially costly downtime for critical systems.

Manufacturing organizations lack the visibility needed for effective threat detection and response – especially regarding OT assets. Consequently, additional security complexity is unacceptable – any new investments they make must help them simplify security processes and get more out of existing tools and staff. 37% said they must improve their ability to see malicious OT activity, 36% say they must improve their ability to understand OT-focused threat intelligence and 35% believe they must improve their ability to effectively patch vulnerable OT assets.

44% of respondents highlighted Deception technology’s invaluable role in helping with threat research, and 56% said that Deception technology can be used for threat detection purposes. More than half of the manufacturing organizations (55%) surveyed use Deception technology today, yet 44% have not made the connection between Deception technology and increased attack visibility.

“This research shows that manufacturing organizations are experiencing real challenges when it comes to threat detection and response, particularly for specialized OT assets that are critical for business operations,” said Ori Bach, CEO of TrapX Security. “This data, and our own experience working with innovators in all sectors of manufacturing, demonstrate there is a clear need for solutions like Deception, which can improve cyber defenses and reduce downtime without the need to install agents or disrupt existing security systems and operations.”

For further insights into the findings, download the full white paper, authored by Jon Oltsik, ESG Senior Principal Analyst and Fellow.

The state of the security team: Are executives the problem?

Guest Post

By LogRhythm

A global survey of security professionals and executives by LogRhythm

Amid a slew of statistics on how job stress is impacting security professionals, we sought to learn the causes of the tension and anxiety — as well as understand potential ways teams might alleviate and remediate the potential of job burnout.

We ran a global survey with security professionals and executives and investigated the tools those security professionals use to understand solution capabilities, deployment strategies, technology gaps, and the value of tool consolidation.

Key findings

“Now, more than ever, security teams are being expected to do more with less leading to increasing stress levels. With more organisations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern,” says James Carder, CSO and VP of LogRhythm Labs. “This is a call to action for executives to prioritise alleviating the stress and better support their teams with proper tools, processes, and strategic guidance.”

When asked what causes the most work-related stress, not having enough time is cited by 41 percent and working with executives by 18 percent. In fact, 57 percent of respondents think their security program lacks proper executive support — defined as providing strategic vision, buy-in and budget.

In addition, security professionals cite inadequate executive accountability for strategic security decisions as the top reason (42 percent) they want to leave their job. This is a worrying statistic, given that nearly half of companies (47 percent) are trying to fill three or more security positions.

If you are leading a security team or part of a SOC, hearing that stress is increasing in your space is likely no surprise. To keep up with the threats facing your organisation, it is clear there needs to be a cultural shift — and it must start at the top. It is no longer just the responsibility of a CISO or CSO. To ensure a company is secure, the board and executive team must supply their security team with the strategic guidance, a healthy budget, and the proper tools required to effectively do their jobs.

Further information is available in the full report, available from the LogRhythm website.

STUDY: Covid-19 technologies must be regulated to stop ‘big brother’ society

Stuart O'Brien

Technologies, such as track and trace apps, used to halt the spread of covid-19 have to be thoroughly examined and regulated before they are rolled out for wider adoption, to ensure they do not normalise a big-brother-like society post-covid-19.

That’s according to research conducted by Jeremy Aroles, Assistant Professor in Organisation Studies at Durham University Business School, alongside Aurélie Leclercq-Vandelannoitte, Professor of Management of Information Systems at IÉSEG School of Management, which draws from the concept of ‘societies of control’, developed by the French philosopher Gilles Deleuze, in order to analyse the technologies currently being used to tackle the covid-19 pandemic.

Whilst the study acknowledges the public health benefits of these technologies, the researchers state we must be wary of what technology is rolled out by governments and critically cross-examine these.

Dr. Aroles said: “Presented as ways to curb the immediate progression of the pandemic and improve safety, the acceptance and use of these technologies has become the new “normal” for many of us, therefore it is important that these systems of control are heavily vetted and cross-examined before being rolled out to the wider public.”

The researchers suggest three solutions regarding the development and use of covid-19-related technologies.

First, the public should question the locus of collective responsibility. Increasingly complex systems of control and surveillance have been fuelled by our reliance on technology which, the researchers say, has blurred our understanding of the boundary between “good and bad” or “right and wrong”.

Second, more must be done to raise people’s awareness of how digital technologies work, and the risks of adopting them across society. People are often, rightly, concerned over their privacy and the sharing of their data. It is therefore crucial that these technologies are transparent and actively help individuals fully understand the ramifications of the control systems they’re opting in to.

Third, given that covid-19 tracking technologies are developed by companies for the benefit of governments, it is vital that greater regulation of the partnerships between state authorities and companies is adopted. Alongside this, it is also important that counter-powers such as journalists and the public hold these partnerships to account, to ensure they do not violate the privacy of citizens for financial gain.

The researchers state that it is important the covid-19 pandemic is not utilised as an opportunity to enforce a society of control and to normalise greater surveillance. They suggest that researchers or bodies specialising in the management of information systems should be brought in to supervise the developments of digitally enabled control systems, such as covid-19 apps, and not to abandon them to companies that could violate the privacy of citizens.

‘Massive’ rise in DDoS and password attacks during pandemic

Stuart O'Brien

New analysis from F5 Labs has discovered a massive rise in DDoS and password login attacks during the pandemic.

In January, the number of all reported SIRT incidents was half the average reported in previous years. However, as lockdowns were put in place from March onwards, there was a sharp rise in incidents.

The attacks can be categorised into two buckets from January to August this year: Distributed Denial of Service (DDoS) attacks (45%) and password login attacks (43%), which comprised brute force and credential stuffing attempts.

Other findings include:

  • DDoS attacks surge 3x in March: DDoS made up only a tenth of reported incidents in January, but grew to three times that of all incidents in March.
  • No ‘spring slump’ for DDoS: Typically, DDoS attacks see a ‘spring slump’, but these rose in April 2020. In fact, DDoS attacks targeting web apps increased six-fold from 4% in 2019 to 26% in 2020.
  • Attacks are diversifying: The number of DDoS attacks reported to the SIRT and identified as DNS amplification attacks nearly doubled (31%) this year along with DNS Query Flood which is also on the rise.
  • DDoS most popular in APAC with 83% of attacks: Meanwhile, EMEA saw the next highest with 54%.
  • 67% of all SIRT-reported attacks on retailers in 2020 were password attacks: A rise of 27% on last year. This was to be expected as the pandemic has caused a huge shift from in-store sales to online.

Full details can be found here: https://www.f5.com/labs/articles/threat-intelligence/how-cyber-attacks-changed-during-the-pandemic.

Average cost of data breach in healthcare industry hits $7.13 million

Stuart O'Brien

The healthcare industry tops the list of the most expensive data breaches, with a $7.13 million average data breach cost, 84% more than the global average. 

That’s according to data presented by AksjeBloggen.com, which says that with millions of people working from home and using videoconferencing and cloud applications, the COVID-19 pandemic has only increased the number of malicious attacks.

The data says the global average cost of a data breach has fluctuated between $3.5 million and $4 million in recent years. In 2020, it hit $3.86 million, a 1.5% drop year-on-year, revealed the Ponemon Institute’s Cost of a Data Breach Report 2020 commissioned by IBM. The report also showed it usually took 280 days for an organization to spot and contain a breach, a day more than a year ago. However, statistics indicate these figures vary significantly based on industry.

Besides leading in the average cost of a data breach, the healthcare industry also had the highest average time to identify a violation of 329 days. The energy industry ranked second of the 17 sectors surveyed, with $6.39 million in average cost and 254 days to spot a breach. 

Financial services, pharma industry, and technology sector follow, with $5.85 million, $5.06 million, and $5.04 million in average data breach cost, respectively. 

Analyzed by geography, the United States convincingly leads among all surveyed countries with an average data breach cost of $8.64 million, a 5.5% increase in a year. Statistics also show this figure surged by 60% in the last seven years, growing from $5.4 million in 2013. Financial services represent the costliest industry in the United States in 2020, while companies and organizations need 237 days to identify a breach, compared to 245 days in 2019.

Germany leads among European countries with an average data breach cost of $4.45 million in 2020, a 7% drop year-on-year, while companies usually need 160 days to identify a data breach. 

Malicious attacks caused 52% of all breaches. Human error and system glitches follow with 23% and 25% share, respectively. Statistics also show that around 20% of companies that had been victims of a malicious breach were hacked by using stolen or compromised credentials.

The survey also revealed that the number of records exposed significantly raised the total cost of a data breach. Breaches of 1 million to 10 million records cost an average of $50 million, or 25 times the average cost of a data breach in 2020. In breaches that exposed more than 50 million records, the average cost grew to a staggering $392 million.

The five largest data breaches in 2020 exposed a total of 406.6 million records, according to DataBreaches.net statistics. In January, 250 million Microsoft customer records were exposed online without password protection, the biggest data breach since the beginning of the year. The exposed data included customer service and support logs detailing conversations between Microsoft agents and customers from 2005 to December 2019.

In May, 115 million Pakistani mobile user records were leaked online, the second-largest data breach this year. The same month, a massive data breach from an unknown source exposed the records of 22 million people, including their phone numbers, addresses, and social media links.

The fourth-biggest data breach in 2020 exposed the personal data of more than 10.5 million users who stayed at MGM Resorts. Leaked files included contact details of CEOs and employees at some of the world’s largest tech companies. 

In May, British low-cost airline group EasyJet admitted it had been a target of a highly sophisticated cyber-attack, which exposed the personal data, including credit and debit card details, of more than nine million of its customers.

Ecommerce explosion ‘opens cyber attack floodgates’

Stuart O'Brien

According to the Global Information Security Survey by Ernst and Young, customer information is the most valuable type of data for most attackers.

The threat to cybersecurity and privacy is increasing: about 6 in 10 organizations (59%) have faced a significant incident in the past 12 months, and 48% of executive boards believe that cyber attacks and data breaches will more than moderately impact their business in the next 12 months. 

Data breaches involving payment fraud and other issues related to online security have skyrocketed over the past few years, coinciding with the growth of the e-commerce industry, especially during the COVID-19 mandated quarantine regime. Measures to protect businesses and customers against cyber threats have never been more important.

One challenge that has grown for e-commerce businesses is that of open-source software vulnerabilities, according to NordVPN. Open-source software uses code that anyone can view, modify, or enhance. And while it has been hugely valuable to e-commerce businesses, it also carries a number of cybersecurity challenges.

“Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites. Add in the changes COVID-19 has brought, and this problem has intensified a lot. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks,” said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.

Another issue businesses are facing is the rise in attacks on outdated or fake plugins. When used on companies’ websites, these compromised plugins can lead to the spread of malware. One such issue is e-skimming — an attack where malware infects online checkout pages to steal payment and personal information of shoppers. E-skimming is getting more common — companies both large and small have been hit by e-skimming attacks in the past two years, and that includes big names like Macy’s, Puma, and Ticketmaster. 

Other security threats to e-commerce sites include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).

E-commerce websites hold a lot of valuable data about their customers, and that makes business owners a target. Customers put a lot of trust in the merchants they shop with, providing personal data and sensitive payment information with every purchase. Earning consumer trust is critical to a continued relationship. Once lost, earning it back is really hard.

Businesses are also required to meet various compliance standards, and fines can be levied if those are not met. In case of a breach, there is a whole host of other problems to address: forensic investigation, data recovery services, credit monitoring for impacted parties, and liability insurance to help mitigate this financial risk, to name just a few.

E-commerce security is never a done deal. Threats and hacking methodologies evolve at an alarming rate, so maintaining awareness and a security-focused mindset is the key to staying secure. Layering multiple solutions for business security is one of the best ways to keep an online business safe against cyber attacks.

“Companies can start with their firewalls (including web application firewalls), making sure the connection is secure, ensuring that passwords are strong, implementing multi-factor authentication, using intrusion detection systems, and constantly monitoring and updating web platforms,” the NordVPN Teams expert added.

Government and Financial Services best equipped to defeat cyber attacks

Stuart O'Brien

Government and Financial Service sectors globally are the most hardened against cyberattacks in 2020.

That’s according to the third edition of the Synack Trust Report, a data-driven analysis of cybersecurity preparedness across all sectors and industries, which found that Government and Financial Services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020.

Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent.

Throughout the year, both sectors faced unprecedented challenges due to the global COVID-19 pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risk from cyberattacks.

“It’s a tremendously tough time for all organizations amidst today’s uncertainties. Data breaches are the last thing they need right now. That’s why it’s more crucial than ever to quickly find and fix potentially devastating vulnerabilities before they cause irreparable harm,” said Jay Kaplan, CEO and Co-Founder of Synack. “If security isn’t a priority, trust can evaporate in an instant.”

The 2020 Trust Report is grounded in data from the patented Attacker Resistance Score (ARS) Metric, which drew information directly from tests conducted on the Synack Crowdsourced Security Platform from 2019 through July 2020 — right through the COVID-19 response period. Synack calculates a unique ARS metric between 0 and 100 for every asset, assessment and organization it tests. The calculation takes into account attacker cost, severity of findings and remediation efficiency. The higher the ARS, the more hardened assets are against attack.

“The 2020 Synack Trust Report is a must-read for anyone who has ever been asked by their C-Suite, CEO, or Board: ‘Can I trust our digital systems? And how do we compare to other companies?'” wrote Michael Coden, Global Leader Cybersecurity Practice, BCG Platinion, Boston Consulting Group, in his foreword to the 2020 Trust Report. “The report makes it clear that companies surviving the continuous barrage of cyberattacks are the ones that frequently test as many of their digital assets as possible with the appropriate depth and breadth to the criticality of that asset.”

Key 2020 Trust Report findings include:

The Government sector earned 61 — the highest rating

The chaos of 2020 added new hardship to many Government bodies, but security hasn’t necessarily suffered as many agencies have become more innovative and agile. Their ability to quickly remediate vulnerabilities drove this year’s top ranking. 

Financial Services scored 59 amidst massive COVID-19 disruptions

Financial Services adapted quickly through the pandemic to help employees adjust to their new remote work realities and ensure customers could continue doing business. Continuous security testing played a significant role in the sector’s ARS.

Healthcare and Life Sciences scored 56 despite pandemic challenges

The rush to deploy apps to help with the COVID-19 recovery led to serious cybersecurity challenges for Healthcare and Life Sciences. Despite those issues, the sector had the third highest average score as research and manufacturing organizations stayed vigilant and continuously tested digital assets.

Severity of vulnerabilities found on the Synack platform increases

Twenty-eight percent of the vulnerabilities discovered by the Synack Red Team, the community of ethical hackers working on the Synack platform, were considered high, very high or critical. Synack leads the industry in finding the most critical and dangerous vulnerabilities in customers’ digital assets and apps, giving them the insight necessary to prevent attacks.

ARS scores increase 23 percent from continuous testing

For organizations that regularly release updated code or deploy new apps, point-in-time security analysis will not pick up potentially catastrophic vulnerabilities. A continuous approach to testing helps ensure vulnerabilities are found and fixed quickly, resulting in a higher ARS metric.

Visit www.synack.com to download the report for free.

50% of UK universities have reported data breaches in last 12 months

Stuart O'Brien

More than half of UK universities reported a data breach to the ICO in the last year, while 46% of all university staff received no security training and almost a quarter of institutions (24%) did not commission a penetration test from a third party. 

That’s according to research conducted by Redscan on the state of cyber security in the higher education sector, based on an analysis of Freedom of Information requests.

The National Cyber Security Centre (NCSC) itself says universities are targeted by criminals seeking financial gain, as well as by nation state attackers looking to steal intellectual property. The Redscan report underscores the degree to which universities are an attractive target. It also raises concerns that many may not be doing enough to defend against the latest threats, particularly at a time when institutions are embracing remote teaching en masse and conducting world-changing research in relation to COVID-19. 

Defending against an incessant stream of phishing attacks remains a challenge for all universities, says Redscan. Several institutions reported receiving millions of spam/phishing emails each year, with one reporting a high of 130 million. Phishing attempts were described as being “endless” and one university disclosed that attacks had increased by 50% since 2019.

Other key findings from the report include:

  • 54% of universities reported a data breach to the ICO in the last 12 months
  • A quarter of universities haven’t commissioned a pen test from an external provider in the last year
  • 46% of all university staff in the UK received no security training in the last year. One top Russell Group university has trained only 12% of its staff
  • Universities spend an average of £7,529 per year on security training, with expenditure ranging from £0 to £49,000
  • Universities employ, on average, three qualified cyber security professionals
  • 51% of universities are proactive in providing security training and information to students
  • 12% of universities do not offer any kind of security guidance, support or training at all to students
  • 66 out of 134 universities have Cyber Essentials or Cyber Essential Plus certification

Redscan CTO, Mark Nicholls, said: “UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats. 

“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches. 

“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.

“The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.” 

CEOs ‘need technology in their DNA’ to ensure success

Stuart O'Brien

CEOs and executive leadership positions should be filled by people with technology career backgrounds, such as app or software development, if businesses are to be more successful, say the majority (69%) of business leaders in the UK.

Research conducted by VMware has found international recognition that elevating technology team members into leadership roles drives significant value for the entire organisation.

When identifying specific benefits, over one in four (42%) business leaders highlight improved efficiency across the whole organisation, a third (33%) recognise increased business performance and greater innovation potential, and more than a third (39%) better customer experiences.

Vanson Bourne, commissioned by VMware, interviewed 2,250 respondents in EMEA (including 450 from the UK) during March and April 2020. This consisted of 750 business decision makers, 750 IT decision makers and 750 app developers. All respondents were from organisations with at least 500 employees, across all private and public sectors, including, but not limited to IT, financial services, retail and wholesale, healthcare, education and government.

VMware says the findings sit against a backdrop of seismic disruption, where digital transformation – the way technology transforms or enhances business models – has been validated in helping leaders and their organisations adapt to fast-changing market dynamics, changing business models and employee mobilization.

During the pandemic, UK businesses highlight the benefits of modernised applications, for example, to enhance their performance and resilience. More than half (58%) of respondents highlighted the role of modernised apps to enable employees to work remotely, and just under a third referenced their ability to continuously push updates in response to the changing landscape (31%), and ensure reliable uptime (35%).

In fact, more than three quarters (81%) of app developers and technology leaders in the UK believe that without successfully modernising applications, organisations will not be able to deliver a best-in-class customer experience. This is echoed by the global executive community; more than 80% of whom believe that enhancing application portfolios will improve the customer experience, which is directly tied to revenue growth.

“Business leaders have never been at the helm of so much change, so those with an inherent knowledge of technology and an understanding of how applications can help them adapt to any market conditions and shape their future performance and resiliency have a real advantage. Indeed, three quarters of the world’s business leaders agree that a ‘technology inside’ leadership skillset will bring success,” said Ed Hoppitt, Director of Apps and Cloud Native Platforms VMware, EMEA. “From the tens of millions of people and students now working and educating from home, to banks being able to scale to provide significant revenue streams, to businesses and retailers looking at digital platform options almost overnight, this pandemic has driven a decade of digital transformation in a few months. 

“It is the ability to get these defining, business apps – that deliver information and services into the hands of users, where needed – that creates success and genuinely drives customer engagement. Leadership with technology in its DNA combined with a software-enabled digital foundation to serve up these digital services is a winning combination.”

Ursula Dolton, CTO at British Heart Foundation, said: “Businesses risk missing a trick by not appointing C-suite execs with backgrounds in technology. It is no longer enough to simply invest in technologies, since their benefits to organisations go well beyond implementation. In order to get the most from these investments, it’s vital to deliver cultural change and strategic direction, a role best suited for leaders with an understanding of these platforms and the power to both respond to demand and enforce real change.” 

A competitive advantage, born out of the continuous development and delivery of new applications and services, is also reinforced by the findings – which reveal that high-performing companies in EMEA have a more efficient and effective development rate of applications. Two thirds (66%) of new applications make it through to production in high-performing companies***, compared to 41% within underperforming organisations, while 70% of application efforts make it to production in the planned timeframe in high-performing organisations, compared with just 41% in underperforming.

Financial services head to the cloud to escape security concerns

Stuart O'Brien

The financial services industry is accelerating its shift to the cloud, as it presses forward with digital transformation in the face of security concerns. 

That’s according to the Financial Services edition of F5’s 2020 State of Application Services (SOAS) report, which says 60% of surveyed organisations in the industry believe public cloud platforms will be strategically important for them in the next two to five years, up sharply from 49% in 2019.

It comes as 84% of financial services organisations execute on digital transformation plans, with three quarters saying the key driver is to increase the speed of new product and service deployment.

Cloud adoption is increasing even as security concerns remain widespread. While two-thirds of organisations are confident in their ability to withstand an application attack on premises, only 40% said the same when it comes to the public cloud. 

“The idea that financial services applications would be the slowest to move into the cloud has been clearly disproven,” said Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5.

“Instead we are seeing the industry go ‘all in’ on multi-cloud adoption as organisations seek to increase the pace of their digital transformation and more quickly deploy the applications that will deliver a high-quality customer experience. Ultimately, financial services organisations that face growing competition from digital challengers are turning to the cloud to meet the needs of customers who now expect a seamless fintech service.” 

As cloud adoption increases, the F5 research says financial services organisations are seeking to balance the innovation imperative with security needs.

Many are looking to open banking, which 47% of surveyed organisations (among the two-thirds of respondents who provide banking services) have either implemented or plan to implement. Within this subset, 68% are deploying API gateways to deliver innovation, allowing them to securely share data with partners and open APIs to public developer networks.

82% of organisations with open banking initiatives have published APIs to third parties, compared to 62% of those not engaged in open banking.

The report says that in this context security remains a pressing concern, especially with 87% of organisations embracing multi-cloud environments, and 41% determining the type of cloud to support an application on a case-by-case basis.

Asked about the biggest challenges of managing applications in a multi-cloud environment, 59% of respondents highlighted the need to apply consistent security policies across all company applications, well ahead of migrating apps among clouds/data centers (32%), gaining visibility into application health, or optimising the performance of the application (both 26%).

Security clearly resonates as a priority for the entire industry. Over half of respondents named it as the most important characteristic of an application service, while financial services leaders ranked real-time threat analytics as their number two strategic trend, compared to number six across all industries. Three quarters of respondents said it is important to enforce the same security policies on premises and in the cloud.

Nevertheless, the industry fears that it lacks the capacity to effectively respond to threats, with 72% of respondents reporting that they face a security skills gap.

The importance of security is further underlined by the applications financial services organisations choose to prioritise. Among the industry’s top five app services deployed today, four are security-focused: common security services and SSL VPN (both deployed by 86%), WAF (81%, up from 77% in 2019) and DDoS protection (80%).

That is balanced by a focus on application services that underpin the effort to drive high-quality customer experiences: 80% of financial services respondents said they are deploying services such as load balancing, global server load balancing and DNS, compared to 75% globally. 

Looking forward, the industry is planning to deploy application services that will support greater adoption of public cloud and modern (cloud- or container-native) architectures. 42% expect to deploy SDN gateways or SDN WAN in 2020 (up from 34% in 2019) while 39% will deploy API gateways (up from 27%) and 35% Ingress control (up from 21%).

46% of financial services respondents identified software-defined networking (SDN) as a strategically important trend for them in the next 2-5 years, up from 42% last year.