Downtime costs companies in the financial services industry $152M each year, according to Splunk’s new report, The Hidden Costs of Downtime.
As part of this research, Perspectives had the opportunity to interview a CISO at a global financial services company. Read on for insights on downtime’s most costly consequences in the finance industry, its common causes, and much more.
Perspectives: Hello, and thank you for chatting with us today about the costs of downtime in the financial services industry.
Finance CISO: My pleasure.
Perspectives: Let’s kick things off with security. Could you describe some of the biggest security threats that cause downtime in the finance industry?
Finance CISO: The most significant threats we see are DDoS attacks. There are always external threat actors trying to generate malware or ransomware. Then, there are some incidents that are outside our control, like DNS poisoning and DNS errors.
We host most of our services ourselves. Still, we have noticed some system outages that are entirely unrelated to us but connected to third parties or a mobile network outage over which we have no control but which does impact our customers.
Perspectives: What solutions do you have in place to ensure security?
Finance CISO: We have multi-layered security products to defend us against DDoS attacks, which happen almost daily. I won't tell you what they are for discretionary purposes, but we have 100. We have multiple-layered DDoS products that sit out in the cloud, middleware, and edge.
Perspectives: Would you say threat actors have become more sophisticated or are now more proliferated?
Finance CISO: There's an argument that they're no more sophisticated than they were 10 years ago; they've just got a bigger kit, and more people are sitting with their fingers on the return key. They have faster machines. They have more sophisticated tools. One of our biggest risks isn't actually the front door. It's a third or a fourth-party service provider.
Perspectives: How do you guard against that? Do you have agreements with third parties about their level of security? Do you vet them?
Finance CISO: We have a whole team doing two things. One is called TPRM, Third-Party Risk Management, and then we also have the same team of people doing TPTRM, which is Third-Party Technology Risk Management. They continuously assess our supply chain partners, data sharing partners, and retail trading partners to make sure that they have an acceptable level of cyber posture on the bank.
Perspectives: What about ransomware attacks? If you experienced one, would you pay?
Finance CISO: As a company policy, we never pay ransomware. We could never even engage.
In the European Union and the U.K., paying a ransom to a third-party threat actor is a criminal offense. I think a similar piece of legislation is pending in the U.S. that actually makes the payment of ransomware a criminal activity.
Perspectives: When we consider downtime and all these threats, I'm interested in the importance of collaboration between security, IT, and engineering.
Finance CISO: If we have a significant incident, we have a task force — our technology and infrastructure team headed by our CTO. Of course, if a banking application fails, the phones light up, which means our customer service colleagues, who are used to taking 50 calls an hour, are now taking 350 calls an hour. We have to talk to our marketing team so that we can start getting messages out on social media, perhaps being open and honest about an issue.
Our regulatory team may have to report it to our regulator. We have our external comms team, internal comms team, and marketing department. Then, of course, the risk and fraud team monitors to make sure we don't suddenly get hit by fraudulent transactions.
Perspectives: Is that how you measure the cost of an incident? Based on the type of downtime and the resources needed to mitigate it?
Finance CISO: Yes. And downtime can also cause a loss of business. If we suddenly have a service incident, which means a major retail partner can't complete their finance agreements, and customers start clicking elsewhere, there's an absolute bottom-line cost of that loss of business because those customers don't come back.
It's the classic five-second rule: If you aren't satisfied in five seconds, you click away.
Perspectives: Does that mean that those costs — the downtime consequences that you calculate — are directly tied to revenue loss and profitability year over year?
Finance CISO: It's difficult to prove whether or not that sale was ever won back. We find that there isn't a sudden peak the day after because people defer their purchases.
Perspectives: It can be very costly, then.
Finance CISO: Observability is a great way to show when something is starting to wobble. A good sign that something's about to fall apart is when an API call that usually takes half a millisecond starts taking five seconds. You know something is wrong at that point. The customer may have tolerated that slight circle of doom for 30 seconds and blamed it on poor cell phone coverage, but, for us, it's a classic observation of when something's going wrong. What I'm looking for are tools that tell me that the train is in the distance, not when I can see the headlight coming down the tunnel. I need to know ten minutes before the impact, not ten seconds.
Downtime tips for any industry
How can your organization avoid the costly impacts of downtime? Here are a few handy tips!
- When rolling out new feature launches, execute them off-hours to affect the fewest customers possible.
- Recognize that addressing downtime is an evolving challenge. As environments and threats change, what works now may not in the future. Stay in the loop with emerging technologies and invest in ones that show the most promise.
- Staying ahead of issues is the foundation of resilience. A proactive approach to downtime will set your organization up for success.
To learn more about downtime’s unequal impact on industries and regions, download Splunk’s The Hidden Costs of Downtime report.