The nature of banking has changed dramatically over the years. Long gone are the days of in-branch banking and transactions. Thanks in no small part to the Covid-19 pandemic and the continued push towards a digital economy, banks have embraced digital transformation with a greater sense of alacrity. This is allowing them to streamline their operations, enhance their security, and provide customers with the services they need when and where they need them.
In the midst of this is the ongoing concern of cybersecurity and the ability of banks to effectively safeguard their data. The effectiveness of the cybersecurity program influences the safety of the customer's personally identifiable information (PII), whether from an unintentional data breach or a well-planned cyberattack.
The stakes remain high in the banking and financial services industry due to the financial sums that are at risk and the potential economic upheaval which follows should a compromise affect a bank or financial institution. The ripple effects are felt not only in the locale of the affected institution, but within the ecosystem of its regulator and further afield, based on the third-party relationships the affected institution maintains.
To this end, banks and financial institutions should “bank on security” by ensuring the basics are followed. The list offered below is not exhaustive but stands out for the author as critical for consideration:
Cybersecurity is no longer the “problem” of the IT or IT Security Department. It has become the most important topic for the Board after strategic planning and must be “owned” by the bank’s CEO or Managing Director and the executive leadership.
A defined and governed cybersecurity program starts with the tone set at the top of the institution, which filters down through the respective levels. Employees will model what they see happening above and around them. If cybersecurity is seen as important to the Board, CEO, and executive leadership team, it will be taken seriously by employees as well. Further, if cybersecurity is seen as vital to the survival of the institution and is considered in the development lifecycle for products, services, and other activities being positioned within the strategy of the bank, there is likely to be a higher level of success when tackling the ongoing issue of cybersecurity.
The best line of defense in cybersecurity is a well-trained staff. By ensuring staff are properly trained, a people-centric security culture can be developed for the bank. While technology is still a valuable weapon in the defense strategy to detect and prevent cyber-attacks and data breaches, it still requires input from people. Security awareness training helps people make the most of the technology defenses to keep the attackers out.
Vulnerability management is the process designed to proactively identify, classify, remediate, and mitigate vulnerabilities in an IT infrastructure with the goal of reducing the overall risk to the institution. It is an important feature of a robust cyber security strategy and helps to drive the first line of defense.
An effective vulnerability management program reduces the threat landscape in order to reduce the attack surface and mitigate risk. Unfortunately, too many IT teams fail to proactively take this step, as they are too busy addressing the operational issues with the bank’s core applications, network, or day-to-day IT management.
The purpose of the backup is to create a copy of data that can be recovered in the event of a primary data failure. Primary data failures can be the result of hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental deletion of data.
Within the realm of cybersecurity, data backups are essential because they can help protect against cyber-attacks. By having a data backup, the organization can restore its information and get back up and running quickly if an attack occurs. This is especially important for businesses whose operations depend on access to digital data.
A well-planned strategy should include measures that prevent or mitigate the risk of malicious actors. For example, using strong passwords, two-factor authentication systems, limiting user access with roles and permissions, implementing firewalls and anti-virus software, and others all work together to keep networks secure.
Cybersecurity and privacy risks are present when a third-party vendor has access to your sensitive organizational or customer information. Failure to manage those risks can result in data breaches, cyber-attacks, and the misuse of customer data. The third-party stakeholders of a bank or financial institution could range from the regulator with whom key data is shared on a continuous basis, to the managed services provider being used to help manage critical infrastructure, to the contractor that handles the janitorial services.
Third-party risk management is important because third-party cybersecurity risks are both common and extremely damaging. According to CrowdStrike’s Global Security Attitude Survey done in 2021, 45% of organisations said they experienced at least one software supply chain attack in 2021.
Supply chain attacks are increasing by a whopping 430% as per the same report. A supply chain software attack is one where malicious code is injected into an application that is used by others, thereby infecting all the users. The impact of such attacks is huge.
One of the biggest and most damaging cyber-attacks in recent times, the SolarWinds cyber-attack, is a prime example of a supply chain attack. Malicious code was injected in the software’s build cycle thereby infecting all its customers including some of the largest business houses and most prestigious government agencies.
This supply chain attack truly opened everyone’s eyes about the importance of managing third-party risk. Interestingly, however, many organisations that did suffer a supply chain attack in 2021 did not have any attack response strategy in place.
An effective incident response plan is critically vital to the success any bank or financial institution seeks to have when faced with a moment of crisis, regardless of whether this is a cyber-attack, data breach, or some other form of manifested risk. As the old saying goes, “if you’ve failed to plan, you have planned to fail.” This couldn’t be truer in today’s climate, where it appears we are faced with cybersecurity threats and attacks daily.
Incident response planning outlines how to minimize the duration and damage of security incidents, identifies stakeholders, streamlines digital forensics, improves recovery time, and reduces negative publicity and customer churn.
A reactive, disorganized response to an attack gives bad actors the upper hand and puts the business at greater risk. At worst, the financial, operational, and reputational damage from a major security incident could force an organization to go out of business.
On the other hand, a cohesive, well-vetted incident response strategy that follows incident response best practices limits fallout and positions the business to recover as quickly as possible.
This is a very important basic that banks and financial institutions must get right.
The six basics offered for consideration above are not the end-all/be-all for banks and financial institutions. They serve as a starting point for institutions to evaluate themselves and ask the hard questions: “Have we considered everything that could go wrong?” “Have we taken the time to manage and master the basics which were under our control?” “Are we prepared?”
It is these basics that most often make the difference for the cybersecurity posture of any financial institution.
When in doubt, and for more guidance, reach out to an expert firm to help your institution properly align itself. This could be the major step needed to help you stay ahead of the threats.
About the Author
David Antonio Green is the Vice President, America and Europe, and Strategic Partnerships at Hitachi Systems Security Inc. They help organizations of all sizes and across all industries confidently address the threats brought about by today’s cyber threat actors by focusing on keeping the message and approach simple for organizations to master the basic fundamentals to ensure they have a solid foundation to improve their cybersecurity posture and maturity.
Join the next monthly discussion on August 25th with industry experts about cybersecurity best practices.
For more information about the author or the article, email the author.