Advances in digital technology have changed the way the world conducts business, and cybercriminals have changed with it. Unfortunately for the banking industry, financial institutions are among their favorite targets. In this post, we look at banking compliance efforts and why checking the compliance box is not enough, then offer ideas for attaining real security.
PWC’s Global Economic Crime Survey
According to the PWC 2016 survey, cybercrime is now the second most reported economic crime. To move from reactive to proactive security, financial institutions must continuously evaluate threats and judge how imminent each one is. PWC also stresses that cybercrime is not just an IT problem: responsibility for keeping data secure starts in the C-Suite and extends to all staff.
The survey's findings are striking. Respondents reported:
- About 50 organizations had cybercrime losses above $5 million
- One-third of those reported cybercrime losses in excess of $100 million
- Survey respondents considered the loss of the business’s reputation the most damaging impact of a cybersecurity breach
Checking the Compliance Box Is Not Enough
There are many standards and guidelines, some national and some global, aimed at helping financial institutions assess their cyber risk and improve how they manage it. For example:
- The Federal Financial Institutions Examination Council (FFIEC) publishes its information security booklets
- The European Central Bank (ECB) publishes guidelines and best practices for the banking sector
These guidelines are good initial steps, but stopping sophisticated cybercriminals requires a more hands-on process. For instance, the ECB requires banks to report cyberthreat information to a real-time alert database. Since 2016 the ECB has collected such information with the goal of building an early warning system for banks, and it expects to make the database available to the 129 banks it supervises sometime in 2017. The ECB will also share the collected information with the U.S. Federal Reserve and the Bank of England (BoE).
The BoE also runs a cyber stress-testing program in which it conducts simulated attack exercises with U.S. regulators to mimic a large-scale attack on the global financial system and gauge its impact on financial networks.
Conduct Insider Threat Assessments
One way to protect against insider threats is to establish what normal, authorized activity looks like on the network and then analyze actual behavior against it:
- Identify the roles employees play within the organization and the network authorizations assigned to each role
- Record the data access rights of each employee and list every piece of equipment they are authorized to use
- Analyze actual usage against that inventory to detect use of unassigned equipment and attempts to access data outside an employee's authorization
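The three steps above amount to a simple policy check: an inventory of roles and their data authorizations, an inventory of employees with their role and assigned equipment, and a review of access events against both. The following Python script is an added example, not code from the original post; the role policy, employee inventory, and access-log lines are all constructed for illustration, and the log format (timestamp, user, device, dataset, action) is an assumption rather than any particular product's format.

```python
from dataclasses import dataclass

# Step 1: roles and the data each role is authorized to read (constructed policy).
ROLE_DATA_ACCESS = {
    "teller": {"customer_profile", "account_balance"},
    "loan_officer": {"customer_profile", "credit_report", "loan_file"},
    "it_admin": {"system_logs"},
}

# Step 2: each employee's role and the equipment assigned to them (constructed inventory).
EMPLOYEES = {
    "alice": ("teller", {"WS-101"}),
    "bob": ("loan_officer", {"WS-202", "LAPTOP-07"}),
    "carol": ("it_admin", {"ADM-01"}),
}

# Constructed sample access log, one event per line (assumed format):
# <timestamp> <user> <device> <dataset> <action>
SAMPLE_LOG = """\
2017-03-01T09:02:11 alice WS-101 account_balance read
2017-03-01T09:05:43 alice WS-101 credit_report read
2017-03-01T09:07:02 bob LAPTOP-07 loan_file read
2017-03-01T09:09:30 bob WS-101 loan_file read
2017-03-01T09:12:15 carol ADM-01 system_logs read
2017-03-01T09:14:58 carol ADM-01 account_balance read
2017-03-01T09:16:40 dave WS-303 customer_profile read
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    device: str
    dataset: str
    reason: str


def review_access_log(log_text, employees=EMPLOYEES, role_access=ROLE_DATA_ACCESS):
    """Step 3: compare each logged access against the role and equipment inventory.

    Returns one Finding per policy deviation, in log order. A single event can
    produce two findings (unassigned device AND dataset outside the role).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, device, dataset, _action = line.split()
        if user not in employees:
            # An account with no owner in the role inventory is itself a red flag.
            findings.append(Finding(timestamp, user, device, dataset, "unknown account"))
            continue
        role, assigned_devices = employees[user]
        if device not in assigned_devices:
            findings.append(Finding(timestamp, user, device, dataset, "device not assigned to user"))
        if dataset not in role_access.get(role, set()):
            findings.append(Finding(timestamp, user, device, dataset, "dataset outside role authorization"))
    return findings


def findings_by_user(findings):
    """Count deviations per account so that repeat offenders surface first."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.user:<6} {f.device:<10} {f.dataset:<18} {f.reason}")
    print(findings_by_user(results))
```

Run against the sample log, the script flags four events: a teller reading a credit report, a loan officer working from a workstation not assigned to him, an IT administrator reading account balances, and an account that does not exist in the employee inventory at all. In a real deployment the policy and inventory would be exported from the identity and HR systems rather than hard-coded, and the log would be fed from the file servers and database audit trails, but the comparison logic stays the same.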
Conduct Penetration Testing
Cybercriminals exploit vulnerabilities in your network, so effective cybersecurity starts with knowing what those vulnerabilities are and where they lie. In a penetration test, your IT staff (or a third-party provider, if you outsource the task) first gathers information about your systems to identify the points an attacker might use to gain entry. Once potential entry points have been identified, the testers attempt to break in through them, which shows whether each weakness is actually exploitable and how severe it is.
- Testing can be done manually, with automated tools, or, most often, with a combination of both
- Penetration testing, especially when it includes social-engineering scenarios, also shows how well employees follow your security policies and how well they understand their role in the organization's security
- Penetration tests are sometimes called "white hat" tests because the people attacking the system are authorized and on your side
For more penetration testing tips, read the betanews.com article entitled Three Penetration Testing Tips to Out-hack Hackers.