As cyber-attacks occur around the globe at an alarming rate, many criminals continue to set their sights on banks and credit unions as the grand prize. In fact, one report from Boston Consulting Group (BCG) estimates that banks and credit unions are 300 times as likely as other companies to be targeted by a cyber-attack.
Despite these figures, many financial services institutions are under-equipped to respond effectively to an attack and prevent fraud. A BAI survey of financial services leaders found that nearly one in four believe the greatest fraud risk is hacking and potential access to account information, credit card databases and other sensitive information.
Additionally, in a Deloitte survey, financial services leaders ranked “rapid IT changes and rising complexities” as their number one cybersecurity challenge — a challenge that did not let up during the pandemic. With the sudden acceleration in digital channels throughout the pandemic, financial services security teams must be more agile and pragmatic in how they work to prevent data breaches.
Leaders must also prepare for the industry’s “next normal,” which will likely entail many employees continuing to work from home throughout the COVID-19 pandemic and, to some degree, afterwards. With these goals in mind, here are three cybersecurity actions banks must prioritize.
- Minimize work-from-home data leaks — In response to the pandemic, many employees in the financial services industry shifted to working from home. However, this sudden change resulted in employees sometimes sharing sensitive customer data on insecure networks, which heightens the risk of fraud. Businesses can prevent data leaks by requiring employees at home to use a virtual private network (VPN), which creates a secure pipe between an employee’s endpoint, such as a laptop or a tablet, and the organization’s IT systems.
Other common cybersecurity shortcomings businesses must address include employees failing to change the default password on their home router, neglecting to block guest access, not encrypting their home networks and using home printers for bank business, which creates security risks for those printed files. Banks must invest in training employees on proper work-from-home cybersecurity behaviors, as well as on how to recognize fraud. Creating an organizational culture of data-security consciousness will help reduce the security risks of today’s complicated operating environment.
- Address the risks of open banking — The concept of open banking is built around application programming interfaces, commonly referred to as APIs, which allow financial services organizations to connect their systems with other businesses and consumers, transfer information and expand their breadth of services. For example, a bank can integrate its online banking platform with a third-party budgeting app that can help consumers better control their finances.
The challenge with these integrations, however, is that they create a vast, connected ecosystem that complicates traditional cybersecurity strategies. For instance, a weak point within the system, be it a partner of another partner that may have gotten hacked, potentially exposes a bank to risks. This means financial services leaders must carefully vet the security of their partners and vendors. All partners within an ecosystem must have complete trust in the ability to securely share information.
- Shore up endpoint vulnerabilities — From smartphones and tablets to PCs and servers to ATMs, a financial services organization has thousands or even hundreds of thousands of points of vulnerability. Unfortunately, just about every breach scenario involves a vulnerability at one of these points, meaning banks must prioritize endpoint scanning and malware detection. For example, if a criminal is able to hack an ATM that is connected to the bank’s network, they can potentially gain access to the rest of the financial network and cause an even greater amount of damage.
While banks of all sizes remain targets, criminals are increasingly eyeing small to medium-sized banks and credit unions, which may have fewer resources to detect or block an attack. That’s why there must be an industry-wide focus on strengthening the defenses of all endpoints. One Deloitte survey estimates cyber monitoring and operations, endpoint and network security, and identity and access management collectively received about 53% of the security spending pie. However, this budget allocation remains largely consistent despite the recent dramatic shift to remote work.
A breach or the risk of having data locked up or ransomed presents not just a potential loss of financial assets, but also a risk of losing customer confidence. Financial services institutions must build a multilayered security approach that prioritizes security training, creating a culture of cyber resilience, investing in security talent and resilient IT infrastructure, and deploying predictive analytics to better anticipate future attacks.
Additionally, banks and credit unions must work with strategic partners, government agencies and members of the security community to thwart cyber criminals together. By prioritizing and reinvesting in cybersecurity, banks will be better equipped to ward off attacks and adapt to the constantly changing threat landscape.
Monica Hovsepian, OpenText’s senior global industry strategist for financial services