Bank cybersecurity may need a new mindset
Silos don’t just make a bank dysfunctional. They can also make it more vulnerable to cyberattacks.
So say security experts who find the lack of standardized, centralized procedures for cybersecurity at many banks alarming. According to a study released last month by Cisco Systems, only 48% of financial services organizations polled even have a standardized information security policy.
“One thing that would help is taking a different perspective and view on IT infrastructure as a whole,” said Demetris Booth, a cybersecurity evangelist at Cisco. “You still have a lot of organizations out there that look at protecting specific assets [in different ways] and viewing cybersecurity as one specific department,” instead of something embedded into the whole organization. This should also involve giving the chief information security officer a larger role within the organization, he said.
The good news is some financial institutions are starting to operate in this manner. For Webster Bank in Waterbury, Conn., cybersecurity “is a team sport,” said Larry Selnick, director of treasury and payment solutions sales at the $26 billion-asset bank.
“Our chief information security officer is ultimately responsible for the security of the bank's information and our customers' information, [but] he works in partnership with our IT staff, lines of business, vendors, and customers to make sure that we mitigate risks efficiently and effectively,” Selnick said. “It is essential to design security in from the start of every project, even before implementation starts — security needs to be a partner from the moment the business starts to define its needs for any new system or process.”
It’s crucial that cybersecurity not be relegated to a corner to be dealt with by one department or one person, he said.
“It's important to involve partners such as CPAs, legal, and yes, even bankers to sort through options and best practices,” Selnick said.
Many banks, especially smaller ones, still don’t embrace this mentality, said Joram Borenstein, vice president of marketing and partnerships at NICE Actimize, a consulting and technology firm.
“A couple years ago this wasn’t even a board level topic,” he said. “Now, you are starting to see some banks put someone with cybersecurity expertise on their board. It’s slowly starting to change.”
Too many banks still regard cybersecurity as something to be handled by the CISO and compartmentalized, Borenstein said. “They have to take a more proactive and predictive approach,” he said.
Another issue is that banks — especially smaller ones that lack the resources of large global banks — often miss potential cyber threats due to a complicated mix of security vendors and products that obfuscates threats instead of providing insight, said Franc Artes, a security business group architect at Cisco.
“One of the problems we see is the use of multiple vendors and solutions as banks take a best-of-breed approach, and they end up with technologies that don’t always work together,” he said. “You end up with someone manually aligning things together.”
This can lead to a lot of things slipping through the cracks; according to the Cisco cybersecurity report, only 55% of cyber alerts are investigated by financial services organizations. Of firms surveyed, 28% of the investigated threats are considered legitimate — yet only 43% of those legitimate threats are remediated. (Cisco surveyed 509 financial services organizations this year for the report.)
Another issue is budget and staffing. Despite the priority banks give to cybersecurity, many — especially small to midsize banks — don’t have enough resources to throw at cybersecurity, Artes said.
The promise of APIs
Application programming interfaces and open architecture can help with some of these issues. With more vendors writing open protocols, the problem of complicated vendor and product relationships can be resolved more easily, Artes said.
“With lots of different vendors, you have to make sure the tech talks to one another,” he said. “Luckily, many vendors are now embracing an open ecosystem.”
Interoperable technologies can also help banks detect cyberattacks that use sophisticated, seemingly random patterns, said Mark Gazit, CEO at the cybersecurity company ThetaRay.
“Today’s attacks are massive, built on microtransactions and are difficult-to-almost-impossible to discover,” he said. “People don’t come in to a branch with a gun anymore; they steal one dollar [digitally] a million times. And each one of those transactions on its own looks legitimate.”
Banks need technology that “looks at all the parameters … and connect all the dots,” Gazit said, which in turn will free up overwhelmed security analysts to do more analytical work.
“Humans can then deal with the interpretation of events instead of trying to find the events,” he said.
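The “one dollar a million times” pattern Gazit describes is invisible when each transaction is judged on its own; the following added example (not code from the article or from any vendor it names) shows the aggregate view a detector needs: constructed sample transactions, sub-threshold payments grouped by beneficiary, and an alert when one beneficiary collects many tiny payments from many distinct accounts. The field names, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    src: str       # debited customer account (assumed field)
    dst: str       # beneficiary account (assumed field)
    amount: float  # in dollars


# Constructed sample: 40 one-dollar debits from 40 different customers to a
# single beneficiary, mixed with ordinary payments. No single row looks odd.
SAMPLE = (
    [Txn(f"cust{i:03d}", "benef-X", 1.00) for i in range(40)]
    + [Txn("cust001", "grocer", 54.20), Txn("cust002", "utility", 120.00),
       Txn("cust003", "benef-Y", 0.99), Txn("cust004", "benef-Y", 0.99)]
)


def aggregate(txns, max_single=5.0):
    """Group transactions at or below max_single by beneficiary."""
    buckets = defaultdict(lambda: {"count": 0, "total": 0.0, "sources": set()})
    for t in txns:
        if t.amount <= max_single:
            b = buckets[t.dst]
            b["count"] += 1
            b["total"] += t.amount
            b["sources"].add(t.src)
    return buckets


def flag_beneficiaries(txns, max_single=5.0, min_count=25, min_sources=20):
    """Return beneficiaries receiving many tiny payments from many accounts.

    Thresholds are illustrative; a real deployment would tune them per
    product and compare against each beneficiary's own history.
    """
    hits = {}
    for dst, b in aggregate(txns, max_single).items():
        if b["count"] >= min_count and len(b["sources"]) >= min_sources:
            hits[dst] = {"count": b["count"], "total": round(b["total"], 2),
                         "distinct_sources": len(b["sources"])}
    return hits


if __name__ == "__main__":
    for dst, info in flag_beneficiaries(SAMPLE).items():
        print(f"ALERT {dst}: {info}")
```

Only benef-X is flagged; benef-Y receives two sub-threshold payments and stays below both thresholds, which is the kind of per-row versus aggregate distinction an analyst cannot make by hand at scale.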
Using technology to detect seemingly random events will only become more important, as the barrier to entry for becoming a cybercriminal is getting lower every day, said Cisco’s Artes.
Mirroring the trends in consumer technology in recent years, the necessary tools to commit cybercrime are easy to use, cheap and not very difficult to find, he said.
The technology “is cloud-based and automated; you don’t even have to figure out how to install the software, it’s sold as-a-service,” Artes said.
Banks, he said, currently “have overwhelmed defenders, and not enough people. They need to change the mindset of how they approach cybersecurity.”