March 3, 2022
On Friday, February 25, CrowdStrike CEO George Kurtz went on CNBC to discuss the state of America’s cybersecurity readiness. Here’s the nutshell version: It’s pretty poor. That’s especially concerning now, he said, in light of the fact that Russia has promised retaliation for American sanctions in the form of “finely tuned and painful” cyber attacks.
Banks in particular, Kurtz said, know they’re in the crosshairs. “I’ve talked to a lot of banks recently, a lot of senior executives. They’re very concerned about what might happen here, and they should be.”
And when banks are impacted, the economy in which they operate can be severely disrupted as well.
Cybersecurity in Big Banks vs Small Banks
But big banks at least have the resources to bolster and update their cyber defenses. Smaller ones don’t. That’s a huge problem, and not just in light of current events overseas. Every day of every year brings the possibility of new threats, particularly as mobile banking and cashless transactions are on the rise in year three of a global pandemic.
According to a recent report from Trend Micro, cyber attacks were up yet again in the first half of 2021, but “the banking industry was disproportionately affected, experiencing a 1,318 percent year-on-year increase in ransomware attacks.”
You read that right: 1,318 percent.
Biggest Cybersecurity Threats to Banks
The biggest threats were, and still are, ransomware, risks from the shift to remote work, cloud-based cyber attacks, social engineering and supply chain attacks.
According to Resistant AI CEO Martin Rehak, the increased use of artificial intelligence and machine learning in cybersecurity software may actually be hurting rather than helping.
“If nothing else, COVID-19 helped shine a spotlight on the vulnerabilities of today’s digital and mobile customer platforms that are capable of executing rapid and instant payment transactions, leaving little time to undertake customer authentication or transaction verification,” he told Infosecurity Magazine. “Similarly, the difficulties of know-your-customer (KYC) and customer onboarding in the digital era are exposing financial services organizations – and the customers they serve – to a significantly increased risk of cybercrime and financial fraud.”
“The rapid expansion and automation of financial services to minimize customer friction has created new challenges regarding verification and risk management policies and practices,” Rehak went on. “Evaluating if a digital interaction is authentic now depends on referencing a huge amount of data from multiple sources – everything from geolocation and session behaviors to data from merchants, bureaus and customer profiles.”
In a recent Wall Street Journal article, M&T Bank security chief David Stender was similarly doubtful that more and more expensive tech equals greater protection. “It needs to be cost-effective security,” he said, “not security at any cost.”
And it should never be fear-based, frantically implemented only after an attack has occurred.
“I think companies are spending money in the wrong way,” Stender added. “A lot of companies try to chase that next silver bullet—artificial intelligence being a great example—and they put way too much money into it way too early.”
Plenty of banks, though, don’t have the luxury of “too much money” to invest in AI and highly trained experts and other fancy tools. Those are the banks for which cost-effectiveness is even more crucial. Improving “basic cybersecurity hygiene,” Stender said, falls into that category and encompasses things like regularly patching devices and applications, constantly backing up data and educating employees on things like password management and phishing attacks that are often easy ways in for cyber criminals.
How to Spend Money on Cybersecurity
“Spending money on cybersecurity awareness makes sense,” Steven D’Alfonso, a research director at IDC Financial Insights, told Biz Tech Magazine. “Most of the banks I work with do cybersecurity awareness training, but it’s possible that many of the smaller banks don’t do it, and they really should spend time on phishing tests and teaching people how to spot bad links.”
And while D’Alfonso doesn’t dismiss AI outright as a potentially effective tool, he agrees with Stender that small and mid-sized banks won’t fully benefit from it unless they first agree on a security budget and a detailed risk management plan. Once those are in place, as this insightful article notes, banks can implement a series of solutions that include working with MSPs to fill talent gaps and identify/address security gaps, enhancing the security awareness of both employees and customers and installing various high-tech tools to help thwart attacks.
The same article also highlights communication as “critical in banks and other financial institutions when it comes to raising awareness of cybersecurity and preventing financial cybersecurity incidents. Devise appropriate internal communications strategies to keep employees informed about their obligations to keep data safe, report breaches and be aware of new threats, and ensure that you have the appropriate tools and resources to deliver the information in a compelling and engaging way.”
As Mindsight Cybersecurity Leader and Solutions Architect Mishaal Khan constantly stresses, too many businesses wait until something catastrophic happens before getting serious about cybersecurity. Smaller banks, he’d surely agree, are no exception.
“We keep getting bombarded with news about data breaches and end up thinking, ‘Well, we can’t do anything to protect ourselves,’” Khan has said. “But that’s wrong. We can. And we should.”
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.