Cybersecurity has been cited as a top focus for federal and state bank regulators, even as cyber staffing challenges escalate. Consider these sobering facts:
There’s no question banks have many challenges to work through. And as complex and fast moving as the cybersecurity landscape is, miscues commonly occur on the path to getting things right.
These five mistakes that banks make burn dollars and, unfortunately, reputations:
1. Believing cyber breaches can’t or won’t happen to you
It’s tempting to consider your bank as safe. But all the data suggests it isn’t and that risks are escalating. Banks would do well to heed the advice of the first man on the moon. About the process of making space missions as safe as possible, Neil Armstrong liked to say, “We tried very hard not to be overconfident because when you get overconfident, that’s when something snaps up and bites you.”
Too often community and regional banks believe they aren’t as vulnerable to cyberattacks simply because they aren’t large enough. Others reason that they’re safe because they haven’t experienced a breach—or at least one they know about. Research firm Gartner has noted generous time lags between a breach and its detected impact. As John Chambers observed when he was CEO of Cisco, “There are only two types of organizations: Those that have been hacked and those who don’t know they’ve been hacked.”
Regardless of an institution’s size, bank CEOs and boards are held accountable for cybersecurity and cyber compliance practices—and increased regulatory pressure applies to all. Meanwhile, progressive banks of all sizes realize that their cybersecurity investments shouldn’t hinge on their beliefs about being hacked.
Rather, their responsibility is to provide clear evidence to regulators, examiners and the board that they’ve taken the right cybersecurity steps, and that effective processes and controls are in place. To that end, they invest in systems that enable real-time access to data proving they’re doing the right work, displayed in dashboards and charts that non-experts can easily grasp.
2. Believing only “critical systems” must be covered
Traditionally, cybersecurity solutions and outsourced services are priced by the number of systems covered, the volume of data ingested and stored, or both. As systems join the infrastructure, cybersecurity coverage costs rise.
To keep costs in line under this pricing model, vendors encourage customers to cover only “critical” systems. But in banking, unlike other industries, all systems are “critical” as they represent potential pathways for bad actors. Leaving some uncovered creates vulnerabilities and can make it harder to investigate incidents.
Predictable, affordable cybersecurity cost models that cover all systems would better serve banks. Cloud-based solutions generally offer more capacity and flexibility at a better price point than onsite tools, especially when factoring in the cost of in-house resources to configure and manage those tools.
3. Failing to link cybersecurity and cyber compliance
With cybersecurity named a top priority by federal and state banking regulators, it’s paramount to prove your financial institution complies with cybersecurity regulations and guidelines.
Most tools and outsourced services are designed to serve multiple industries. As such, they don’t map banking cybersecurity controls, activities and audit trails in alignment with the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (the FFIEC-CAT). If your cyber compliance processes don’t link to supporting cybersecurity data, it can be difficult and expensive to prove your controls work, respond to audit requests and support exams.
A cybersecurity solution built specifically for banking, with cyber compliance as part of the design, creates the connection between control processes and data-backed effectiveness. Using the same system to create visual dashboards and reports cuts the time and resources needed to meet exam and audit requests.
4. Believing tools are enough to achieve cybersecurity and cyber compliance
Gartner notes that, “Securing information has become less about having firewalls and policies, and more about complex interactions among people, machines and processes.” Achieving and sustaining cyber safety and soundness requires not only technology but also people, processes, policy and, where possible, peers who can provide insights.
Many banks mistakenly believe a Security Information and Event Management (SIEM) tool is sufficient, only to find their teams drowning in alerts that go uninvestigated because of resource constraints. As the internal environment and cybersecurity landscape evolve, shortages of time and on-staff talent to keep tools tuned up often lead to suboptimal use—and eventual shelfware.
Other banks outsource cybersecurity to a Managed Security Service Provider (MSSP) only to find they have lost visibility and control over their security posture. Also, a multi-industry MSSP is structured to treat a regional or community bank much like a small-to-medium-sized business, while regulatory expectations demand cybersecurity on par with a Fortune 1000 company. Such disconnects between tools and human understanding can be frustrating.
A co-managed model puts your team and a supplemental outside team on the same technology system to analyze, prioritize and investigate issues. The added bandwidth and expertise come without sacrificing visibility and control. When the provider focuses on banking, this model also draws on the experiences of other banks for a deeper understanding of relevant threats.
5. Failing to engage C-level executives and boards of directors in cybersecurity
Bank executives and boards feel increasing pressure to meaningfully engage in and account for cybersecurity and cyber compliance effectiveness—regardless of an institution’s size. But too many banks still think cybersecurity is “the IT department’s job.” Executives and board members in this scenario cannot weigh the delicate balance between investment and exposure that cybersecurity demands.
Regular reporting to the executive team and Board of Directors should cover three core knowledge areas:
- Security control effectiveness. Knowing how well a bank is equipped to defend against threats requires understanding how the bank measures cybersecurity effectiveness.
- Cybersecurity investment implications. Information security officers should ensure executives and board members understand changes in the cyber threat landscape not covered by existing investments, and the cost/benefit/risk equation of covering them.
- Cybersecurity impact on risk management. When identified cybersecurity risks aren’t fully mitigated, implications for the bank’s overall risk should be explored and understood.
Putting it all together: Cybersecurity done right
Staying ahead of “bad actors” can seem daunting given the increasing complexity and frequency of cyberattacks and the shortfall of cybersecurity professionals.
Avoiding an overconfident “we’re fine” viewpoint and other common cybersecurity mistakes is easier when bank IT and executive teams collaborate to understand and mitigate cybersecurity risks.
Working with a banking-focused provider of cybersecurity and cyber compliance solutions also can broaden insights. Effective, affordable options make modern cyber protection, as well as improved compliance, available to even the smallest banks. For even the smallest banks can face the biggest of threats, and for big banks, no threat is too small.
DefenseStorm CEO Sean Feeney is a 30-year technology veteran who has shaped strategic direction and high-growth performance for a variety of companies.