Whether or not you have heard of Swiss psychologist Hermann Rorschach, it is pretty likely you are familiar with the inkblot test. This psychological test interprets an individual's perception of a series of seemingly random inkblots. After studying 300 mental patients and 100 control subjects (and experimenting with hundreds of inkblots), in 1921 Rorschach authored a book called Psychodiagnostik. In that book he documented how a series of 10 inkblots could be used to diagnose an individual's personality and emotional stability. Unfortunately for Rorschach, the initial publishing of his book was not well received and he died the year before his test gained any professional recognition. It was not until 1939, however, after a group of psychologists improved upon the statistical scoring methodology for Rorschach's interpretations, that his test began to be used as a way of testing an individual's personality.
The fact that different people can look at the same set of inkblots and see very different things made us think about the findings of KPMG's 2016 Banking Outlook Survey. It found that, despite the importance of cybersecurity amidst an environment of increasingly sophisticated and aggressive hackers, a surprisingly large percentage of bank executives are fairly clueless about their organizations' cybersecurity efforts and whether or not they are actually successful.
According to the survey, 12% of CEOs do not know if their organizations have been hacked within the past 2 years, while roughly 47% of bank EVPs and managing directors and a whopping 72% of SVPs and directors are also unaware of the efficacy of their banks' cybersecurity measures.
Given such a wide disparity in executive-level awareness of bank efforts to fend off cyberattacks, opportunities are being created for hackers, who continually search for a way into banks. If bank employees across the board are not educated about the importance of cybersecurity, or the efforts their own institutions are taking, it seems extremely easy for employees to unknowingly jeopardize such security efforts. Interestingly, this possibility did not rank among executives' top concerns regarding security.
According to the study, when executives were asked to identify the areas they believe are most vulnerable in their banks' data security, sharing data with third parties was the biggest concern of both CEOs and other executives (EVPs through managing directors). Meanwhile, external attackers were the biggest concern of the next level of executives (SVPs through directors).
When it comes to executives' top concerns in the event of a security breach, financial loss was the top concern of CEOs, followed by reputation, litigation, job security and finally regulatory enforcement. Reputation was the top concern of the rest of the executives, followed by financial loss and regulatory enforcement.
While it is not necessarily surprising that CEOs often look at cybersecurity differently than other executives, the unfortunate reality is that banks can't afford to let such information gaps remain. Hackers are constantly looking for such gaps, so communication is critical.
Given this reality, community banks should take the time to ensure that all employees are kept up to date about their banks' big-picture cybersecurity efforts and the steps they can take to ensure these efforts are successful.
One place where community banks can begin is with the website specifically created for this purpose by the FFIEC at http://www.ffiec.gov/cybersecurity.htm.
This website was created specifically to help bank executives determine where their biggest cybersecurity risks are, so that they can take steps to reduce such threats. In addition, we might suggest that every hacker captured by the authorities be subjected to the inkblot test to see how their minds work so bankers can best protect against their nefarious deeds.