During a recent presentation at the US Federal Reserve, the FBI noted that cybercrime is growing rapidly as web-enabled technology permeates every facet of our lives. For banks in particular there is a great deal at stake: a security breach can result in direct monetary loss, a fall in consumer confidence and lasting damage to the brand. A good example is Zeus, a banking trojan that steals online banking credentials from infected computers, chiefly by logging keystrokes and capturing data entered into web forms. When a criminal network deployed Zeus to harvest banking credentials and take over customer accounts, it managed to steal $70 million.
One challenge for banks in this area is that information security has traditionally been the remit of the IT department alone, with little or no 'airtime' at the executive or board levels. Without sufficient business support and stakeholder engagement, the result is that security projects can fall through the cracks, focus on the wrong area or address only parts of the problem.
Banks must challenge their traditional approach to information security by ensuring that cybercrime is on the corporate risk management agenda at the level of credit and market risks. Only by giving it this level of priority will information security be effective across the whole organisation.
Ensuring buy-in from key stakeholders
Buy-in from key stakeholders is essential for successfully implementing information security projects. Business stakeholders must be actively involved in the definition and oversight of projects to keep the programme on track and to deliver the desired results. For the programme to be adopted throughout the organisation, leaders must also ensure that all aspects of the programme – from initial asset identification to review of outcomes – are described in terms that make sense to the business, not just the technical teams.
Identifying the highest risk assets across the business
There is no ‘one-size-fits-all’ strategy for cyber security, especially when an attack is targeted at one organisation: a hacker looking to steal bank account details will take a different approach from one trying to compromise trading systems. It is therefore important for banks to develop a cyber security strategy tailored to their own information assets and risk profile. The first step is to inventory the information assets and rate their importance to the business, considering the potential impact on operations, reputation and profit if each asset were compromised. The next step is to build a realistic view of the threats against each asset and the likelihood of its exposure, so that effort is prioritised towards the assets carrying the highest business risk. Complete protection is impossible, so a pragmatic approach is to concentrate preventive controls on the highest priority risks and rely on detection, response and recovery contingencies for the lower risk assets.
Ensuring employees play their essential part in information security
When it comes to traditional risks such as money laundering, banks and financial institutions not only deploy technology controls but also educate their employees extensively. In the same way, banks must recognise the people component of information security: one-dimensional, technology-focused IT security solutions can restrict some harmful behaviour and activity, but they cannot address it on their own. The 2012 Verizon Data Breach Investigations Report found that 97% of the breaches it analysed were avoidable through simple or intermediate controls, a category that includes training and policies as well as technical measures. Banks and financial institutions must therefore set up practical, easy-to-follow policies and educate people on best practices and the importance of compliance.
Assessing and managing the risks from third-party handlers
As with monitoring counterparty risk for their key vendors, banks should manage the cyber security risks arising from third-party information handlers such as cloud service providers, legal counsel and email marketers that have access to the bank’s data. Last year, a cyber attack on Epsilon, an email marketing firm that handles more than 2,500 clients, exposed customer email information belonging to many top banks, including Citibank, Barclays and J.P. Morgan. Banks must continually review what information is shared with third parties and ensure that vendors have appropriate measures in place both to prevent cyber attacks and to recover from them.
To find out how we can help your organisation tackle the challenges of cyber security and manage information security effectively, please contact us now.