Are banks too confident in their cybersecurity protections?
Confidence is rising as the number of attacks continues to grow
INSIGHT ARTICLE
Financial institutions have invested a significant amount of time and resources into developing their cybersecurity resiliency, driven by increased executive, regulatory and customer demands. However, with the growing number and severity of potential cyberthreats, are institutions too confident in their existing protections and controls? The perception of threats and breaches is changing for many banks as their risk strategy shifts.
The 2019 RSM US Middle Market Business Index Cybersecurity Special Report showed a potential disconnect between the confidence middle market executives have in their current cybersecurity measures and the rising number of incidents. In the survey, 93% of respondents claimed to be confident in their organization’s measures to safeguard sensitive customer data or their own environments. Yet while the number of reported data breaches has tripled in the last five years, the level of confidence continues to rise.
This data seems to point to a false sense of security and thinking “it can’t happen to us,” but that may not always be the case. In fact, many institutions are more accepting that an incident is inevitable with the persistence and reach of hackers and cybercriminals.
We have seen a shift in both strategy and psychology within institutions. Over the last few years, the focus of many institutions has changed from working to make sure a breach doesn’t happen to reducing the impact of an incident if it does happen. Banks certainly want to have strong protective measures to discourage threats, but now, response and mitigation measures are just as, if not more, important.
All banks should be concerned about a significant incident, but an event similar to the recent massive Capital One breach is a rarity in today’s environment. Instead, breaches are typically smaller incidents that expose some customer or sensitive information but are quickly contained. While we are seeing more breaches, the silver lining in the statistics is that institutions are able to catch them more quickly and keep them better isolated before they can spread and cause more damage.
Institutions are spending more than ever on cybersecurity; even a very small bank could spend over $100,000 a year, and larger banks are spending much more. However, banks cannot feel good because of how much they are spending. Instead, they need to know they are spending the right amount, implementing the right controls and doing the right things to protect the institution.
Some banks can reach a point where they feel secure and stop spending—in the current environment, that cannot happen. Cybersecurity should be a continual and evolving effort within an institution, and maintenance spending needs to happen to stay up to date and keep the institution as secure as possible.
In addition, reducing cybersecurity focus can have an adverse effect on internal personnel. If a bank has an effective chief information security officer (CISO), or other strong security resources, they may get frustrated and leave if the bank is not moving forward. With the current low unemployment environment and war for talent, it’s tough to hire good people, so banks need to focus on retaining their experienced personnel.
To guard against a false sense of security, banks can perform tabletop exercises to evaluate the effectiveness of their cybersecurity program. These exercises test controls and incident response plans, providing an opportunity to incorporate lessons learned before an actual event occurs. Unfortunately, an event will eventually happen, so banks need to practice and prepare.
No matter how prepared a bank is, it needs to have a cybersecurity insurance policy and understand its coverage levels. Cybersecurity insurance fills in the gaps of risks a bank can’t mitigate, but carriers have gotten very good at managing their risks. Institutions must look closely at any exceptions to make sure the policy is set up to avoid any gaps in coverage.
Finally, institutions must confirm that they have the right resources in place to support the people, processes and technology for a successful cybersecurity initiative. Institutions should evaluate the third parties they use; an effective information technology infrastructure provider is not necessarily a good option for security. The same goes for internal personnel; banks may not have experienced people to patch the environment and manage security.
Ultimately, banks have made significant investments in preventative controls, but they do not always know how to use them. In many cases, a qualified outsourcing provider can implement and optimize those controls and share best practices learned from other institutions.
With increased security spending, banks should feel safer—but there is still a good chance that a breach attempt will happen. While attention has shifted from prevention to containment and mitigation, your bank still needs effective controls across the full spectrum of cybersecurity risks. But simply spending money and having controls is not enough; you must understand how to utilize those protections and leverage the right resources to help you develop an active and evolving security framework.