David Bowie’s guitarist Carlos Alomar recently described the challenge of playing with a genius who was a musical chameleon throughout his long career. “David Bowie’s music is a moving target. Just when you think you’ve got the bullseye, it shifts.”
Many banks could say the same about striking the right balance between delighting customers with frictionless digital experiences and keeping their data safe. As bank business models evolve from walled gardens to having to compete on the open digital savannah, it’s getting harder to strike that balance. Business model changes are multiplying both the internal and external points of data exchange. The integration of digital and branch channels; ecosystem platforms that expose APIs to partners; the shift from data centres to cloud storage on third-party servers; and a workforce that increasingly includes a wide array of contractors are just some of the new data interfaces that are being created.
As these points of exchange proliferate, banks increase their information security risk. Criminals are still liable to attack banks because “that’s where the money is”, but bank robbers have been joined in the digital world by angry social media mobs, geo-politically motivated state actors, ‘ethical’ hackers seeking radical information transparency, and many other types of threats that together have created an information security arms race. It’s no surprise that the target of the hackers in the first season of the hit TV show ‘Mr. Robot’ was banks.
Accenture recently surveyed 275 security executives to hear their views on the state of cybersecurity in the banking industry. The survey showed that most are confident about their ability to protect their assets and their customers from fraud, malware, and a host of other security breaches. Some 78 percent of the executives reported confidence in their cybersecurity strategies, 76 percent said cybersecurity is now embedded in their culture, and a full 93 percent believe their cybersecurity capabilities can protect their customers’ information.
But the survey also indicated that this confidence may be misplaced. Our research found that these same banks face an average of 85 targeted breach attempts per year—a third of which are successful. The stakes are also getting higher, with recent breaches of international payments systems creating multi-billion-dollar downside risks. If banks are to retain their customers’ trust, this gap between the reassurance projected by management and the reality of multiple successful breaches a month needs to be closed—and quickly.
It starts with better threat assessment and a dynamic prioritization of investments against emerging risks. It also means building a strong risk culture and supporting it with appropriate controls and tools that build resilience and defence in depth. Continuous attack simulations from white-hat hackers can also provide valuable insights into the maturity of a bank’s security program and its readiness to parry the continuously evolving set of threats.
Just like David Bowie, cybersecurity threats keep changing and evolving, so the Carlos Alomars of bank information security need to ensure that they can keep up.
To learn more about building better cybersecurity in banking, I invite you to read our High Performance Security report: Solving Banking’s Cybersecurity Conundrum.