Responding proactively to cyber threats
Opportunity for one doesn’t always mean opportunity for all, but unfortunately, it does in banking. While mobile banking opens up a wonderful world of convenience for consumers, it opens the same world to would-be cyber criminals.
Consider the idea that our smartphones may soon act as contactless credit cards or allow us to carry out transactions through Facebook. These are, no doubt, exciting possibilities, but for a less savvy consumer, giving away personal financial information could be as simple as having a phone pickpocketed or lost. And if the device has no passcode, the thief has bypassed a layer of security before even starting.
Banks are working hard to keep pace with changing mobile technologies, offering their customers increasingly efficient ways to access their accounts and pay for goods. But the reality is that the same technology may be moving too fast for consumers. It’s easy to download the latest banking app and start managing money from anywhere; it’s not so easy to understand and mitigate the risk that comes with doing so.
The Triple Threat
Security has always been a concern for banks, but with mobile taking over the way people conduct their lives, it’s more pressing than ever. Bank databases are especially lucrative marks for thieves because the credentials and account details they hold unlock so many other services. Consumers’ bank accounts are often directly or indirectly linked to eBay, PayPal, Amazon and Google Wallet.
We’ve already seen large-scale account compromises at Apple’s iCloud service and a breach of Sony’s PlayStation Network. If attackers can get at consumer data on that scale, banks holding millions of customers’ financial records are an obvious next target. Banks should be worried about cyber theft for three main reasons: the financial incentive to go after a bank is strong; the growing number of online access points (web, mobile apps, payment interfaces) gives thieves more ways in; and cyber theft can have a massive impact on consumers and banking institutions alike.
These elements make security more urgent in banking than in other industries. Think about it this way: criminals are far less likely to organize into a well-resourced syndicate with the sole aim of hacking into millions of Tinder accounts than into a bank’s database. What would be the point?
The triple threat from thieves also carries triple the consequences. Banks that fall prey to cyber attacks face reduced long-term profits and sustainability, reputation loss, and regulatory penalties or even prosecution when large-scale fraud can be traced to negligence around data security. On top of that, customers who are exposed to theft may lose confidence in online banking security and reject those opportunities altogether.
Here are four ways banks can protect themselves and their customers:
Employ more proactive systems. Conventional security practice is reactive: a system goes live, gaps are found (often by an attacker), and patches follow. Threat modeling turns that around: identify the likely attackers, what they want and how they would get it, and build the countermeasures into the design before the system is deployed. Paul Asadoorian of Security Weekly goes a step further and suggests using adversarial techniques defensively, with a three-pronged active defense that annoys the attacker (slows and frustrates automated attacks), identifies the attacker (gathers attribution data such as honeytokens and beaconed decoy files) and attacks the attacker. The third prong deserves a caveat: it must stay within your own infrastructure and within the law, since “hacking back” into an attacker’s systems is illegal in most jurisdictions. Prevention rather than cure should be the ideology.
Create a dynamic chain of command. Rather than having the chief information security officer (CISO) report to the chief information officer (CIO) of the bank, have the CISO work across all departments to ensure that security functions are strong and effective throughout the bank. Too often, the CISO is limited to working with the IT department. Make better use of the CISO’s expertise and authority to fill security gaps enterprise-wide. In particular, ensure collaboration between the fraud and IT departments: fraud analysts see how accounts are actually being abused, and IT sees how the systems are being attacked, and each holds information the other needs for risk prevention.
Focus on customer awareness. Deploy the marketing and communications teams on consumer awareness campaigns, educating customers about their own information security and how they can protect themselves. Banks, for example, should offer security messages written in plain English that suggest concrete actions: using long, random passwords that are not reused on other sites; changing a password promptly whenever compromise is suspected (current guidance such as NIST SP 800-63B favours this over forced changes on a fixed schedule); avoiding logging into online banking on public computers; and always locking mobile phones with a passcode.
Some of these messages are obvious and trite, but their delivery is what needs to be improved. Banks might consider building a cohesive security awareness campaign into their annual marketing strategies, so that consumers see the message repeatedly and it really sinks in. Yes, it’s an added cost, but the savings in prevented security breaches would likely be worth the investment.
Collaborate with third-party security firms. The old adage “jack of all trades, master of none” seems fitting here. With the best of intentions, in-house efforts may not cut it, simply because security is not necessarily a specialized area of expertise for generalist technology professionals. Bringing in third-party security experts gives your bank access to the knowledge these experts use day in and day out. Their knowledge and experience should be leveraged to develop or provide specialized online security software and an extra layer of protection for customers. Remember, though, that every vendor you bring in becomes part of your supply chain and attack surface, so apply the same due diligence to the security firm’s own practices and access that you would to any other third party handling customer data.