By Steve Bomberger, Head of SEI IT Services
Steve Bomberger is the Head of SEI IT Services, which offers enterprise technology and operations through managed services to support the evolving technology needs of today’s businesses. In this role, Steve leads the sales and product teams for this comprehensive suite of IT services, including cybersecurity, hosting and network operations, that provide scalable and flexible solutions customized to a client’s specific business model.
With cyberattacks on the rise, wreaking havoc and disrupting crucial global supply chains, it’s clearer than ever before that a comprehensive, end-to-end cybersecurity strategy is essential – especially for banks and financial services firms.
Remote work and prospective hybrid work environments have amplified the already pronounced risk, as banks face increasing workflow disruption, ever-rising IT costs, and an expanding technological surface area. Though cyber risks may seem opaque because they exist in the periphery, there are several important considerations for banks evaluating their cybersecurity posture, including a breach’s true cost, the limitations of a compliance-oriented, check-the-box approach, and the importance of effective cybersecurity policies and procedures. Together, these issues reflect the need for a “Defense in Depth” approach for effective cybersecurity protection.
Cost vs. Reputation
Perhaps the most pervasive misconception in cybersecurity is that bad actors discriminate on the basis of size, industry or profile. Banks, especially community and local ones, often shortchange their cybersecurity needs based on a fundamental misunderstanding of the standing threat. The pace and scale at which bad actors now operate means that attacks on all companies, particularly liquid ones, are inevitable. And with the outsized impact of social engineering, attacks may incubate over several weeks, months or years as hackers manipulate their targets in search of a long-term payload.
Because attacks are inevitable, it’s critical that decision-makers evaluate the net cost of a potential breach. Though some may blanch at the upfront outlay for an effective cybersecurity program, it undoubtedly comes at a significant discount relative to the cost of remediating a breach. The urgency, time, end-to-end exposure assessment, vulnerability patching, and ransoms can rack up a significant bill.
But the reputational impact and the erosion of customer trust weigh far more heavily. Breaches sow anxiety about the safety and security of personal information and financial assets, and they can completely upend otherwise successful financial services companies that depend upon consumer confidence. Considering an attack’s inevitability and the potential cataclysmic result, banks would be wise to expend the upfront cost to develop and implement a robust cybersecurity program.
Going Beyond What is Required
Alongside this misunderstanding of the existing threat is the common assumption that compliance with local and federal cybersecurity regulations is synonymous with comprehensive cybersecurity protection. But even as cybersecurity comes under greater regulatory scrutiny, current standards are only the bare minimum (and sometimes even less than that). For banks, an effective cyber approach should extend far beyond compliance standards.
Third-party cyber organizations, or security management partners (SMPs), can be invaluable in creating and managing cybersecurity strategy. Engaging external experts helps to ensure end-to-end cybersecurity protection, including a full suite of cyber-defense protocols, tools and solutions, cross-industry threat intelligence and best practices. SMPs also alleviate the additional burden for internal IT teams, which are typically understaffed, under-resourced and under-supported. Though they are functionally related, IT and cybersecurity each require distinct responsibilities and expertise. Solely relying on internal staff can limit the scope, depth and complexity of a bank’s cybersecurity strategy.
Cyber Process > Cyber Technology
Even banks that prioritize cybersecurity frequently assume that it is a technological problem best solved with technological solutions. They may invest in all-in-one technology packages thinking that doing so will provide all-in-one protection. However, though technology risks are significant, the biggest cyber risks are instead employees and vendors, and both can be manipulated or hacked in an effort to lock up a bank’s assets.
Because those are the biggest risks and the most common attack vectors, an effective cyber strategy must include clear processes for ensuring employees and vendors avoid common threats like malware, phishing, spear phishing or social engineering—none of which will be prevented solely with cybersecurity technology. Without effective processes and procedures, even the most technologically advanced workplace can be susceptible to very basic cyberattacks.
Today, employees are removed from their workplaces, and their personal and professional lives are indistinguishably intertwined. That has made them less vigilant and more prone to the ever-present threats they face. No technology, however robust, can guarantee that employees will always protect their company from cyberattacks.
Prioritizing “Defense in Depth”
Though banks are developing remote-first cybersecurity strategies, bad actors have become increasingly sophisticated, savvy, and efficient. Given the headwinds, it’s crucial that banks employ a “Defense in Depth” cybersecurity approach.
“Defense in Depth” is a structuring of IT security that endeavors to slow or stop all potential attacks with multiple mechanisms across different attack vectors. Though each mechanism is insufficient against a full-scale cyberattack on its own, the collective layered resiliency helps banks to weaponize their infrastructure against hackers. They can slow an attack, flag it to the information security team, and afford enough time to stop it.
For “Defense in Depth” to work, banks need a centralized cybersecurity platform and threat matrix to aggregate data from potential attack vectors and turn it into actionable intelligence. This creates a unique “seawall,” or a perimeter defense that blocks damage from expected threats that have already been solved but continue to persist, which positions the security team to prioritize distinctive new threats. Seawalls likewise help keep leadership informed on vulnerabilities and the resources required to remediate them.
With deeply sophisticated bad actors operating at scale, banks are encountering dangerous cybersecurity risks every day. Many of these risks are amplified by COVID-driven remote work and inadequate defensive postures. A “Defense in Depth” approach to cybersecurity arms banks with the layered resiliency and confidence that their data, assets and reputation are protected.