You know what your bank needs? Extra-terrestrial technology.
When I think of an impenetrable system, I think of the movie Independence Day. In case you somehow missed this classic of American cinema, it’s your typical alien invasion film where they have more tech, but we have more heart. Our focus today is on the alien tech. None of the human specialists can figure out how to hack the invaders’ security system. In the end, humans have to resort to physical destruction because binary warfare will never work in time to save the planet.
The reality of modern bank cybersecurity isn’t all that different. In this scenario, you are the alien. Your enemies (cybercriminals) know who you are, and they are throwing all sorts of weapons at your system. They aim to destroy you, either financially or by reputation. Is your system equipped to keep those malware missiles from annihilating your business?
The bad news is that E.T. isn’t coming back to help you with special intergalactic antivirus software. The good news is that there are good guys in this fight. There are lots of hardworking specialists that have come up with formidable defenses to keep many of these crooks out of your system. Your responsibility as management is to mobilize resources and set up internal structures to give your bank the best defense possible.
According to the Conference of State Bank Supervisors, keeping your network safe involves:
This shall be our guideline as we explore ways we can keep your bank safe from these new-age bandits.
Identifying Your Internal and External Cyber Risks
You can’t fight what you don’t know. When your body ails you, the doctor calls for a battery of tests in order to diagnose what is causing all your symptoms. Only then does he prescribe treatment. In the bank, your system is your patient. Your I.T. security team has to know what the threats look like to prevent them from aiding and abetting the enemy.
Most hackers gain access to your system by turning one of your own against you. It’s not always a disgruntled employee. Sometimes, it’s just “Steve in Payroll” who comes across a link in a mysterious email promising a 40% discount on car detailing.
This is known as phishing. In fact, in the Independence Day film, they did something similar. Using one of the alien space pods, they gained entry into the mother-ship and wreaked a lot of havoc. Phishing works because the virus is disguised as something harmless.
An internal memo with a list of new codes of conduct won’t do. You don’t want your employees using creative means to get around the new regulations. You need to make them understand why the threat impacts not just the organization, but them as individuals.
Protect Your Systems, Assets, and DataMost banks focus on compliance. They do everything all the regulators say in order to keep their doors open.
Here’s the problem with that approach:
Regulators tend to be reactive. Regulations usually come into effect as a reaction to a disaster. “Let’s make sure this will never happen again” is the mantra. So as you focus on patching up the known weaknesses, some guy in a hoodie is sitting in a basement working out your other weaknesses. That guy is very motivated and quite good at his job. So to match him, you need to be proactive.
Take a risk-based approach to your protection. Compliance is important, and it has helped to improve data security, but it’s not enough to keep you safe . Risk assessments must be undertaken, and security solutions have to be tailormade to the needs of your bank.
Many small banks don’t have the resources or internal know-how to set up the security infrastructure they need. You will need a partner who can merge your unique security needs with the regulatory requirements to ensure you’re covered in both areas.
Detecting System Intrusions, Data Breaches, and Unauthorized Access
Sometimes hackers prefer to do the dirty work themselves. They’ll overwhelm your system with instructions causing it to shut down. They’ll set up an algorithm that will go through millions of combinations to try to crack your passwords.
Other times Steve doesn’t look too closely at the email address that sent that much-needed coupon. There are other ways the threat could be from within. Perhaps an employee is trying to send classified data out of the network.
You need a system that will flag that as suspicious. You also need a system that is able to monitor third party access to important information. Service providers and vendors may need temporary access from time to time, yet this can pose a huge risk. Are you equipped to handle this?
Responding to a Cyber Event
Alright, the worst has happened. You’ve been breached. What do you do?
You need policies in place for just this occasion. Hope for the best, prepare for the worst as they say. Technology is changing every day, so your policies have to be structured in a way that includes this evolution.
Data breaches can be traumatic. It would be almost impossible to figure out how to move forward without a guideline that spells out who needs to do what and when.
In fact, this should be the first step. As you identify your threats, you need to put policies in place to ensure you are able to resume operations within the shortest time possible.
Recovering and Resuming Normal Operations
This can be summarized in one word: backup. This has to be a continuous process. Furthermore, you need to protect your backed-up information lest the gremlins get at them too.
On top of your backup solution, make sure you’ve got a business continuity and disaster recovery plan in place. If the worst happens and you have to restore your systems from your backup, this plan should guide you through every step you need to take to continue normal operations and continue serving your customers.
This will determine not only how quickly you get back on your feet, but also how soon the public restores their faith in you. Part of your response to a threat may require you to publicize the nature of the security threat, and your reputation will take a hit. Bouncing back within the shortest time possible is a sure sign that you are resilient and capable of handling challenges such as these.
I don’t mean to make you paranoid, but they are out to get you! Even you, who doesn’t think you’re big enough to be a target. Especially you. Cybersecurity is like chess. You need to think several steps ahead, and you do this by formulating a risk-based security strategy.
At JMARK, we are ready to be your frontline defense. From policy management and compliance, backup management, and business continuity and disaster recovery to overall security management, we have a solution for you. Contact us via our website, email: [email protected] or call us on 844-44-JMARK and let us weather the security storm with you.