It is no secret that cybersecurity risks add complexities that often get in the way of carrying out banking transactions seamlessly. However, this ongoing challenge raises an even bigger problem.
On one hand, banks need solutions that ensure confidentiality, availability and integrity of sensitive data. On the other hand, banks often fall into the trap of thinking that a set of solutions today will deliver them safely from the cybersecurity threats of tomorrow.
First things first. There is no one-size-fits-all solution. Each bank is different. Moreover, each bank has a different risk appetite from its peers; thus, the right controls for one bank will prove excessive for the next and insufficient for a third. So the first thing that must be established by the board or by the chief executive is: what is the risk appetite of the organization?
Then, banks need to get a grip on business assets. What, exactly, are the things of value to protect and what are the threats against them? Is it a matter of protecting intellectual property? Customer data? Classified information? Reputation? Is it a question of physical security? Insider threats? In short, what does your bank's world look like and where are the threats coming from?
It is no accident that the National Institute of Standards and Technology framework for improving critical infrastructure cybersecurity leads with "identify" and not with "prevent." That is because it is very difficult to "prevent" a cyber attack. The sooner we get comfortable with that notion, the sooner we'll get to the real work of identifying, protecting, detecting, responding and recovering (the five NIST framework functions) when a cybersecurity incident hits.
Once you have identified what it is that warrants protection, the real work begins in applying the right controls. Remember: controls do things. In other words, they are not some abstract notion.
To be sure, a bank still should assess its ability to prevent an attack. There are four kinds of controls in all: preventive, detective, corrective and compensatory. A preventive control acts like a barrier to an attack. It does not stop the attack from being attempted, but it aims to block some aspect of the attack, just like the bollard on the street that is meant to stop a runaway truck from hitting the building, or a locked door. Another example of a preventive control is segregation of duties. Your systems administrator shouldn't know the database password, and the database administrator shouldn't know the systems password. Security awareness training is another excellent example of a preventive control.
Detective controls are easier to understand. They detect. They know the door has been opened (e.g., a motion detector) and they either close it or alert someone that the door has been opened. Other examples of detective controls include system monitoring applications, intrusion detection systems, and even anti-virus and anti-malware solutions.
Corrective controls fix or restore the environment. For example, applying the right security patches and upgrades is a corrective control. Restoring your data from backup is another corrective control.
Finally, compensatory controls are those designed to compensate for some of the damage. A disaster recovery site is a compensatory control. Cyber insurance can also be a compensatory control. Even a backup generator, a second set of servers or computers, or the ability to switch over operations to another country, are compensatory controls.
There are some solutions that span control classes. For example, an anti-virus/anti-malware solution can be a preventive control, a detective control and a corrective one all at the same time. Think about it like this: exactly as in real life, you get your flu shot each year in the hope of preventing the onset of this year's flu strain. You hope that, armed with the inoculation, your body will detect the attack of the flu virus and take corrective action, keeping you healthy. Sometimes, however, the new strain is so different from the previous year's that you still end up in bed sneezing and wheezing away, and turn to chicken soup to try to make life a little less miserable.
The right blend of controls for your organization depends on risk appetite, type of asset, type of threat, regulatory environment, budget and skill sets. You need to take all of this into consideration while developing your defense-in-depth cybersecurity strategy.
Chris Moschovitis is chief executive of TMG-emedia and co-author of "History of the Internet: 1843 to the Present." He is currently working on a book titled "How I Stopped Worrying and Learned to Love the Hackers." He can be reached at Chris.Moschovitis@tmg-emedia.com.