The news is filled with stories about hapless crooks whose carelessness helps bring about their capture. There was a FL man who fled from a car crash but left his wallet at the scene. There was also a PA man who used his own credit card to jimmy open a garage door, then left it behind when the homeowner suddenly appeared. Finally, consider the three would-be thieves in MN who mistakenly pocket-dialed 911 while attempting a heist.
These examples aside, criminals are often very crafty. This means that banks have to be very shrewd to protect themselves from attack. It's true in a physical sense but especially in the virtual world where cybercrime is a growing problem.
Banks should expect to see more attention being placed on cybersecurity in the months ahead as the problem grows and as regulators place ever more emphasis on the enterprise risk it creates for banks. Banks need to find actionable ways to prevent cyber breaches before they happen and respond quickly when this cannot be avoided.
The statistics are sobering. In 2014, there were 7,945 new technology security vulnerabilities identified. That is 22 new vulnerabilities a day or nearly 1 per hour according to a recent white paper from NopSec. Meanwhile, 78% of all compromised records were the result of hacking in 2014, according to the same study. While these figures are not specific to the banking industry, they drive home the message of just what's at stake for banks in the war against cybercrime.
A good way to begin is to start thinking like a hacker. Before a bank can devise solutions, it needs to understand how criminals are likely to take aim. This means, for instance, identifying possible exploits and paying special attention to back door entry points. It also means setting priorities. A system may be considered vulnerable but then ignored because it holds no business-sensitive data. Remediation may not be at the top of the list for that particular system, but if it offers an entry into other systems, the danger can be significant.
When it comes to thinking like a hacker, we also suggest enlisting the help of experts. Think of it as another form of business insurance, because hackers typically are opportunity seekers and are likely to move on if a system is difficult to crack.
Banks should pay special attention to the vulnerabilities of third-party vendors, as this has become an area of regulatory focus. The New York State Department of Financial Services recently released a report that found that nearly 33% of banks polled do not require their third-party vendors to notify them in the event of an information security breach or other cybersecurity breach. Further, fewer than 50% of the banks surveyed conduct an on-site assessment of their third-party vendors, and 20% do not require vendors to disclose their minimum information security requirements. Moreover, only 33% of banks require information security requirements to be extended to subcontractors of third-party vendors. Banks are only as strong as their weakest link; if that link is third-party relationships, then this is an area demanding more attention.
Statistics also show that it takes a hacker around a week to exploit security vulnerabilities. Banks that don't take this seriously risk getting caught in a web of their own undoing. No bank wants to make the list of bumbling criminals like the ones above, so take steps to be sure your bank is prepared.