It is common knowledge that threat actors target banks. Not only do these attackers want to steal money directly, but by doing so they also harm customers and erode trust in the bank. If a financial institution suffers a loss, even insurance can do no more than reduce the real cost to the organization. The remaining cost is shared and passed on to every stakeholder, and at some point the business model becomes untenable. As the need for security and privacy becomes increasingly evident, it is up to you to consider how you can improve your cybersecurity posture in financial services.
Of course, there are cybersecurity requirements for financial services companies and bank-related cybersecurity laws to ensure that the end consumer doesn’t bear the brunt of the cost when all is said and done. But cybersecurity banking regulations are not enough. Why? Because while data may be our most valuable currency today, money is still a close second. It is tangible, it is necessary for trade, and without it, life comes to an abrupt end. You’ve heard it before and you will continue to hear it: financial cybersecurity is all about risk management.
The tough questions for financial services cybersecurity
When it comes to financial services cybersecurity, like any other security, you need to be honest with yourself. You can count on outside help, but like any improvement, you have to start and end from the inside. Before starting any type of self-assessment, you should ask yourself the following three questions:
Are you really ready to change what you have been doing?
Can you think of a better strategy or idea than the status quo?
Can you actually execute the chosen solution?
These three questions are central to how you will manage your cybersecurity challenges. For the purposes of this exercise, let’s say you answered yes to all three. What are the next steps?
Here are five questions that can guide you. The beauty of these questions is that they are not time-bound, so even as financial services cybersecurity evolves, you can ask yourself these questions regularly and they will always apply. These are also useful questions to raise at every quarterly board meeting.
In addition, the questions are designed to be answered in a simple yes / no format. You can make your own decision on what a good score is – remember, it’s all about risk management – but a friendly note: if you don’t get five out of five, you have work to do. And remember, you are only wrong if you are not sincere about these answers.
Question 1: Do we have a real understanding of our risk posture?
On the surface, this question seems easy to answer. It’s not. Knowing your risk posture means you’ve done a thorough assessment, and that is not exactly the easiest task. If you don’t have good knowledge of current and future cyber threats, this is where you may need outside help. Don’t try to fake this, as it is the key need for financial services cybersecurity. This is just a very short list of the types of questions that should be asked:
Are you a target for nation state actors?
Do you know who is on your network?
Are you at risk of violating laws or regulatory requirements?
Do you know where your data is located?
Do you manage your data throughout its entire lifecycle?
Do you have supply chain issues?
There are so many questions here. If you don’t know where to start, get outside help to at least point your boat in the right direction.
If you are in any doubt, mark a “no” here.
Question 2: Are we regularly stress testing our systems?
Risk assessments and pen tests are dropping in price. In some cases, depending on the complexity of the work, these services have become a commodity. You need to do this work regularly. Depending on the type of data you hold (in the case of financial services cybersecurity, money) and the level of risk you are willing to take, quarterly risk assessments are useful. This is even more relevant if you can obtain them at a good price.
Depending on the size, structure and complexity of your business and the data you hold, you may want to retain an external firm to perform ongoing pen tests. (This would probably be reserved for large companies.) Or you can set up regular testing, say every six months. Modern reliance on technology makes these tasks mandatory. Treat them as a way to maintain good cyber hygiene.
It’s hard to score a “yes” here, but if you do, so much the better!
Question 3: Is our system capable of meeting today’s challenges and adapting to those of tomorrow?
Make no mistake: what is good enough for today may become obsolete tomorrow. Therefore, be prepared to adapt.
The best way to ensure that you meet the needs of today and are ready for those of tomorrow is to take a security-by-design approach. NIST SP 800-160 (Systems Security Engineering), which applies to security in general as well as to financial services cybersecurity, gives you a great roadmap of the issues you need to think about when designing your systems.
Keep in mind that as we move toward a highly mobile work environment, threats and risks evolve with it. The impact of a breach can become even deeper.
If you’re good for today, but not ready for the short term (think about the next few years), mark a “no” to be on the safe side.
Question 4: Do we have a truly security-oriented culture?
You can say you do, but do you really? Some might argue that a culture of security can turn into paranoia. But is it really paranoia when the threat is real? Our online behavior is constantly evolving, and we are increasingly reliant on being connected. For that reason alone, you need this culture to drive financial services cybersecurity. Monitoring and new-generation tools, such as artificial intelligence, will get you far in your battle for security, but your backbone will always be your people.
If your employees are on board, you are in a good position. A few biannual or annual training courses and phishing simulations are not enough. Your employees need to understand why a culture of security is critical not only to cybersecurity success but to the overall success of the business.
If you can’t answer this question with a clear yes for your management, your employees, and even your third parties, mark yourself a “no” here.
Question 5: Are the right resources, human and financial, in place to be successful?
Money can solve a lot of problems and get you a whole bunch of awesome toys. But, if you don’t have the right people, you’re going to have a roadblock that, at best, will slow you down and, at worst, derail even the best-prepared plans.
As mentioned in question 4, you need to ensure that the message of good financial services cybersecurity is conveyed to your entire stakeholder group. It needs to be communicated appropriately throughout the organization, large or small. To be more specific, you need talent with that ideal mix of business, technological and interpersonal skills. These people are very difficult to find, so once you have them, make sure you don’t lose them. They are difficult to replace, and they are your champions.
Don’t be discouraged by this step. Given the demands of the job and the competition for talent, many of you may answer “no” here. All that means is that it’s something you have to work on. Remember to come full circle and return to question 1: does your risk assessment give you an accurate picture of what you are facing? If not, everything you do downstream will be affected, and that is a risk you don’t need.
It’s okay to score less than five out of five
Getting five “yes” answers here is no small feat. In fact, if you are sincere and honest, it is very difficult. Remember that there is no such thing as perfect or total security, including in financial services cybersecurity. Mainly, these five questions will give you a quick overview of what you need to focus your efforts on.
Perhaps more importantly, the five questions outline important markers that you can discuss with all of your stakeholders. You don’t have to be a technology expert to understand the implications of a “yes” or “no” answer to these questions. These are reality checks that you can discuss with decision makers in your organization. In addition, they serve as springboards to enter into deeper conversations.
For example, if you got a “no” in question 4, it’s time for a serious discussion on how to better communicate your security intentions to your organization. Part of it is human nature: people want to know what’s going on. If you bring them into the discussion, or at least get them to understand why something needs to be done with some level of specificity, they’re more likely to follow.
Or say you mark “no” to the second question. Now is the perfect time to discuss annual budgets with decision makers. Explain to them why a lack of investment in these tasks today may simply be the deferral of a much higher cost tomorrow.
Next Steps for Financial Services Cyber Security
The self-assessment is designed to give you an overview of your risk posture with respect to financial services cybersecurity and beyond. An honest assessment won’t solve all of your problems, but it will certainly put you on the right path to solving them. There is an important caveat: answer “yes” to the three readiness questions at the start. Those are the gut-check questions that make sure you’re serious about what’s next.
Cut through the noise and solve the problems. The KISS method works, especially when your challenges are this complex.