Welcome to 2017! It’s a new year, but we are dealing with the same old cyber-security problems. The focus this year for all CIOs should be on mitigating all cybersecurity risk for the banks we serve. Cybersecurity threats continue to grow and our ability to protect ourselves and the banks we support continues to be as important as ever. Technology leaders have an obligation to our banks and its customers to ensure that data and money are safe from theft. A successful cyber-attack, breach or hack not only affects the customers of a bank but a smallto-midsized bank may not be able to weather the negative impact to their brand if an attack occurs.
“Technology leaders have an obligation to our banks and its customers to ensure that data and money are safe from theft”
I can say with 100 percent confidence that there is a tremendous amount of cyber-risk, based upon some very newsworthy cyberattacks from 2016, which included the DDoS attack on DNS service Dyn in October 2016 that disrupted web services nationwide, the Yahoo breach affecting one billion users and the Democratic Nation Committee email hack that may have cost Hillary Clinton the election.
What has this Taught us?
What we all need to learn from these ongoing attacks is that nobody will protect you or your bank but you. The US government currently does not seem to have the ability to prevent a cyber-attack and cannot protect the information of the government or its people. In 2014, approximately 18 million records were stolen from the Office of Personnel Management. Internet Service Providers and telecommunication companies should be able to protect customers and their own infrastructure from attack but they cannot. Many technology manufacturers of “connected” devices allow their devices to be implemented in an insecure manner, which when hacked become part of the army of zombie devices involved in DDoS attacks. If any of these organizations are taking actions to protect businesses, our financial institutions and the American people, I am just not seeing it.
In a perfect world, what should be happening? There should be a cyber-army defending our virtual boarders and launching counterattacks on any group who tries to hack, breach or otherwise disrupt technology services. Telecommunication companies should be blocking and stopping the majority of attacks at the edge of their environment.
What does this mean to you, the CIO of your bank? Nobody is coming to help. Nobody will save the day but. I know that it sounds bleak but it is the reality. So, with all this bad news, what can be done? Let’s start by acknowledging the risks and take the appropriate steps to secure our externally facing technology, our internal technology, and make sure our vendors are equally secure.
The first tangible step that needs to be taken is the extreme risks need to be explained to the Board of Directors and funding obtained to properly secure the operating environment. Nobody is immune from threats and nobody thinks they will be a victim of a hack or breach until they are. After the business buys in, the following steps and methods will increase your bank’s resiliency and help mitigate most cyber-related risks.
A cybersecurity program that is aligned with an industry standard like NIST or ISO 27001 is the foundation of any program as it provides the guidance and best practice of system security. The cyber-security program is an input into the creation of associated policies, procedures, and processes.
Formal security training for employees that occurs yearly is a cornerstone of any cyber-security initiative. Ongoing reminders of industry trends are crucial. Our employees are our first line of defense and at the same can be the weakest link.
The Backup Plan
Redundancy is key. Redundancy means having a secondary technology that operates in the same manner as your primary technology that can be used in the event of an attack. Circuits are one type of technology that should have redundancy. If one circuit is attacked and unusable due to a cyber-attack, a secondary circuit from a DIFFERENT telecommunications provider will help. A secondary DNS provider allow DNS requests to be served (and would have mitigated much of the damage caused by the attack on Dyn in October.) Most costly but most important is redundant datacenters with real-time failover and data replication will allow your business to continue to operate if a catastrophe occurs. When the 9/11 terrorist attack on the World Trade Center occurred, Lehman Brothers’ datacenter in the area was destroyed. Lehman had the ability to continue operations due to the redundant datacenter. I also include daily data backups under redundancy.
A robust email filtering system will block many if not most attacks. So much malicious content comes in through email and a good email filtering system will prevent those emails from getting to employees. The attack on the Democratic National Convention was due to a breach via email. Enable advanced filtering and do NOT ever use Gmail for work purposes.
Third-party risk assessments, security assessments, and penetration test that analyze the type of business and the security of the environment help identify areas of risk. This in turn allows banks to focus resources on resolving areas of high risk. You can’t manage what you don’t measure.
The IT security team needs to be staffed appropriately and have the right tools to protect the business including firewalls, intrusion detection, and prevention, logging platforms, antivirus, anti-malware, encryption tools, etc.
Physical security should not be overlooked. Cameras, locked doors, clean desk policy, and paper-shredding need to be implemented.
Finally, a Cybersecurity Insurance Policy will protect your company from legal damages if hacked and will cover the cost of stolen money.
In conclusion, there is no entity that will protect your bank from attack. The government, ISPs and technology manufacturers are not able to protect your bank, which is why there is so much regulation. As technology leaders we must do everything in our power to ensure a stable, reliable and secure technology environment. We own it and we must make cybersecurity the top technology priority of 2017.