Businesses across the board are at greater cyber-risk today than ever before. For financial institutions, this is especially true, as they expand digital banking channels and ways to connect with consumers. But more fundamentally, all businesses are at greater risk of attack today because their attack surfaces keep expanding. Increased reliance on personal devices to access corporate systems and networks, coupled with the necessity to outsource security management, as well as some other critical functions, has put businesses in peril. Identifying risks and measuring the attack surface are the first steps toward blunting these attacks, for institutions of all sizes. Educating employees about cyber-risks needs to be a close second, and much more of a priority, as employees are the first and front lines of perimeter defense as well as the primary points of vulnerability. Third-party relationships need to be evaluated and rated for cybersecurity fitness with greater consistency and regularity. In this report, Javelin offers recommendations for how institutions can limit risks associated with a growing attack surface by, in part, by making their employee cybersecurity education more effective and more efficiently managing their third-party risks.

Key questions discussed in this report:

• How can organizations effectively use cybersecurity employee education to limit the cyber-risks posed by a remote workforce?
• What emerging risks do relaxed and loose bring-your-own-device (BYOD) policies pose?
• How does reliance on managed security service providers (MSSPs) increase cyber-risk?

This report was adapted from Javelin Strategy & Research’s May 2021 survey of cybersecurity professionals in the United States. Javelin Strategy & Research maintains complete independence in its data collection, findings, and analysis. The data includes responses from 507 cyber professionals across five industry verticals: financial services, IT, health care, retail, and telecommunications. Approximately 300 respondents came from financial institutions that fall within one of these four asset-size ranges: $500 billion and more; $100 billion to $500 billion; $20 billion to $100 million; and $1 billion to $20 billion.