Banks play dangerous game preferring threat mitigation to prevention

A recent survey by Kaspersky Lab, in partnership with B2B International, has revealed a worrying approach to cybersecurity from a significant proportion of financial companies.

The report found that 48 per cent of financial organisations, including banks and payment providers, take security measures that aim at mitigating the damage caused by online fraud rather than preventing it entirely. In addition, 29 per cent of firms surveyed believe that it is cheaper and more effective to deal with fraud once it has occurred.


Even more concerning were the revelations that many financial companies are not learning from previous mistakes. Only 41 per cent said that they put in place the necessary security protocols to prevent an incident recurring. Just 36 per cent attempt to find the vulnerability that was exploited, while 66 per cent said that they prefer to investigate who was responsible for the cyberattack, making that the most common response.

According to Kirill Slavin, managing director for the UK and Ireland at Kaspersky Lab, the policy of mitigation rather than prevention is a dangerous one.

“It is vital for organisations to consider the importance of prevention, rather than waiting to mitigate the consequences,” he said. “Many leading banks have already implemented this method with ‘root cause fraud prevention’; however, there are still some who rely on a ‘reactive fraud detection approach’. With cyber-criminals continuing to invent increasingly sophisticated methods of attack, banks need to have preventative measures in place, otherwise financial cybercrime and consequential losses will only grow.”


Financial institutions are instead advised to implement comprehensive security measures at several levels in order to protect clients from fraud before it takes place. Threat control tools should be installed not only on the server side of the bank’s infrastructure but also on client devices, so that an attack is caught at whichever layer it first touches.