Banks: Common Cybersecurity Mistakes
“Data is the new currency” is one of the new slogans of the digital transformation. Modern consumers recognize the value of their data, and 67 percent are willing to share more data with banks in exchange for new benefits. Surprisingly, banks don’t always afford sensitive data the same protections they do for physical currency. While PwC’s 2017 Risk in Review report reveals that the financial services industry has strong cyber risk maturity overall, there are a few common mistakes that could be leaving your institution vulnerable. To give you an idea of the gravity of these errors, think of your cybersecurity practices in terms of cash management and physical security.
Weak or deprecated cryptographic algorithms
- Blowfish (block cipher, 64-bit block size)
- 3DES (block cipher, 64-bit block size)
- SHA1 (hash function)
- MD5 (hash function)
Transmitting Unencrypted Data Is Like Sending Unsecured Bulk Cash Shipments
Would you ever transfer a bulk cash shipment to a major customer without using their armored carrier service? Not a chance. You know that that decision would not only be a liability for your institution, but it would also put your customer’s assets at risk and breach their trust.
Unfortunately, banks don’t always give sensitive data the protection customers expect. Data must be encrypted in transit and at rest, yet 30 percent of financial institutions (FIs) say they struggle to protect personally identifiable customer information. Many banks still rely on weak or deprecated algorithms such as Blowfish, 3DES, SHA1, and MD5 (the last two are hash functions rather than ciphers, and are no longer suitable for integrity checks or signatures either). Instead, use a modern, well-vetted algorithm such as AES.
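A practical first step is to find where the algorithms named above are still configured. The following audit script is an added example, not code from the original article or any product it mentions: it tokenizes algorithm names and OpenSSL- or IANA-style cipher-suite names, flags the four weak primitives the article lists (plus single DES, which goes slightly beyond the list), and suggests a replacement. The configuration it scans is a constructed sample, and the setting names in it are hypothetical.

```python
"""Audit crypto settings for weak or deprecated primitives.

Added example (not from the article). Flags Blowfish, 3DES, SHA-1, MD5 and
single DES in algorithm names and cipher-suite names; sample config is
constructed for illustration.
"""
from __future__ import annotations

import re

# Canonical weak primitive -> (why it is flagged, what to use instead).
WEAK = {
    "blowfish": ("64-bit block cipher; unsafe for large volumes of data",
                 "AES-256 (e.g. AES-256-GCM)"),
    "3des": ("64-bit block cipher, deprecated by NIST", "AES-256 (e.g. AES-256-GCM)"),
    "des": ("56-bit key, trivially brute-forced", "AES-256 (e.g. AES-256-GCM)"),
    "md5": ("broken hash; collisions are practical",
            "SHA-256 for integrity; a dedicated password hash (Argon2id/bcrypt) for passwords"),
    "sha1": ("hash with demonstrated collisions", "SHA-256 or stronger"),
}

# Spellings seen in real configs and suite names, mapped to the canonical key.
# A bare "SHA" token at the end of an OpenSSL/IANA suite name means HMAC-SHA-1.
ALIASES = {
    "blowfish": "blowfish", "bf": "blowfish",
    "3des": "3des", "des3": "3des", "tripledes": "3des", "tdea": "3des",
    "ede3": "3des", "cbc3": "3des",
    "des": "des",
    "md5": "md5",
    "sha1": "sha1", "sha": "sha1",
}


def audit(identifier: str) -> list[dict]:
    """Return one finding per weak primitive present in an algorithm/suite name."""
    tokens = re.split(r"[-_/\s]+", identifier.strip().lower())
    keys = {ALIASES[t] for t in tokens if t in ALIASES}
    if "3des" in keys:
        keys.discard("des")  # "DES-CBC3" / "3DES-EDE" is triple DES, not single DES
    findings = []
    for key in WEAK:  # deterministic order
        if key in keys:
            reason, replacement = WEAK[key]
            findings.append({"identifier": identifier, "weak": key,
                             "reason": reason, "use_instead": replacement})
    return findings


# Constructed sample of an application's crypto settings (hypothetical keys).
SAMPLE_CONFIG = """\
# constructed sample, not a real bank configuration
tls_ciphers = ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:AES128-SHA
at_rest_cipher = bf-cbc
password_hash = md5
file_integrity = sha1
backup_cipher = aes-256-gcm
"""


def audit_config(text: str) -> list[dict]:
    """Scan 'setting = value' lines; values may be colon-separated suite lists."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        setting, value = (part.strip() for part in line.split("=", 1))
        for ident in value.split(":"):
            for finding in audit(ident):
                findings.append({"setting": setting, **finding})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['setting']}: {f['identifier']} uses {f['weak']} "
              f"({f['reason']}); use {f['use_instead']}")
```

Running the script against the sample reports six findings: the 3DES suite and the two SHA-1 HMAC suites in the TLS list, Blowfish for data at rest, MD5 for passwords and SHA-1 for file integrity, while the AES-GCM entries pass. Point it at your real exports of TLS, HSM and application settings to get a concrete remediation list.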
Giving Unvetted Vendors Access to Data Is Like Handing Cash Over to an Unverified Armored Carrier
Going back to the bulk cash shipment scenario, imagine handing over currency to an armored carrier guard without first verifying their identity. This is an egregious security violation, wouldn’t you agree? Yet when it comes to sensitive data, many banks fail to vet third-party vendors they allow to access the sensitive data in their care. In fact, 41 percent of financial services respondents ranked assessment of security protocols and standards of third-party vendors as the top challenge to information security efforts.
The FFIEC’s guidelines for outsourcing technology services recommend a “comprehensive outsourcing risk management process to govern technology service provider (TSP) relationships.” Make sure you work with vendors whose operations are regularly examined by a third party. This ensures the vendor’s risk management and information protection practices adequately address data confidentiality and regulatory compliance.
Disregarding Network Alerts Is Like Ignoring Your Vault Alarm
Would you be appalled if your vault alarm went off and your staff members ignored it? In a way, that’s what is happening with cybersecurity alerts. Institutions are only able to investigate 56 percent of security alerts they receive on a given day. Of those, only 46 percent of legitimate alerts are remediated. Granted, security operations managers see more than 5,000 security alerts per day — exponentially more than you’ll ever receive from your burglar alarm. However, the lack of resources for monitoring alerts is concerning.
Given the security talent shortage, outsourcing can help your institution meet its overall strategic plan and corporate objectives. The FFIEC has specific guidelines for using a managed security service provider (MSSP). You might also consider a fully managed cloud vaulting solution that keeps a copy of critical data off-site to protect yourself against ransomware.
Assuming Employees Know Cybersecurity Best Practices Is Like Expecting Them to Know Your Physical Security Policies Without Training
When hiring a new employee, what if you assumed they already knew the proper cash handling guidelines, how to handle a holdup, or how to respond to an active shooter event? That’s a disaster waiting to happen. Chances are, you invest countless hours in training employees in these areas. Even if someone has experience in the financial services industry, it’s imperative to make sure they understand your institution’s specific policies and procedures.
Unfortunately, training is one of the biggest cybersecurity challenges in banking. In fact, less than half of financial services organizations polled even have a formal information security policy. To reduce the risk of cybersecurity threats, it’s critical to create a security culture. The FFIEC recommends annual security training to reinforce guidelines for endpoint security, login requirements, and password administration. The training should include the following three increasingly common scenarios:
- Phishing and social engineering
- Data theft through email or removable media
- Unintentional posting of confidential or proprietary information on social media
Improving your cybersecurity practices is not only the right thing to do; regulators and regulations such as the FFIEC and the Gramm-Leach-Bliley Act require it. If you’re unsure where to start, the FFIEC Cybersecurity Assessment Tool is a helpful resource for assessing your bank’s cybersecurity maturity.