BreachExchange mailing list archives

6 ways the banking industry could improve on cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 2 Jul 2015 19:19:08 -0600

http://www.marketwatch.com/story/6-ways-the-banking-industry-could-improve-on-cybersecurity-2015-07-02

The threat of a hack is among banks’ biggest fears.

And those threats are becoming more frequent, and more sophisticated,
according to a report released Thursday by the U.S. Government
Accountability Office. “Depository institutions are estimated to have
incurred hundreds of millions of dollars in losses from breaches in the
systems of their corporate customers that allowed criminals to illegally
transfer funds from the customer’s bank accounts, and from frauds
perpetrated against their automated teller machines.”

The industry is taking action to fend off attacks, from hassling customers
on real purchases on the tiny chance of catching a criminal to building out
more secure websites.

Here’s the GAO’s take on how banks and regulators could get better at
cybersecurity.

1. Some banks still don’t take the hacker threat seriously, until they
become victims themselves.

“...Institutions may not make information security a priority until they
experience an incident,” according to the GAO’s interviews with security
vendors and federal officials.

Institutions with in-house staff may be better-equipped to handle attacks
since they have the expertise on hand, the report says. Small and community
banks may not have people whose sole jobs revolve around security.

But for what it’s worth, federal banking guidance released this week said
smaller banks could have a better handle on cybersecurity since they have
fewer systems to protect and are less complex.

2. Regulators collect data on bank security but don’t actually analyze all
of it — which means that they can’t say, “Hey, this is a problem for
everyone. Here’s how to fix it.”

The GAO found that, firstly, regulators don’t collect security and threat
information from banks in a way where they could see patterns among
different institutions. And whatever they do collect is hodgepodge — varied
in detail and usually not broken down into categories to differentiate
between the types of threats. That makes it much harder to see the forest
for the trees.

3. All bank regulators need the authority to look into third-party vendors,
who often provide information technology services to banks but can open
them up to more risks.

The National Credit Union Association doesn’t have the authority to examine
third-party vendors, which many credit unions use for technology services,
according to the report. The group has been asking for this power for about
a decade, it told the GAO. That would give it a chance to ensure the
technology providers have proper cybersecurity measures in place, and make
sure credit unions are secure.

4. As mobile banking grows in popularity, the industry needs to step up its
game to secure applications.

While mobile malware is a relatively low threat, it could worsen as mobile
banking becomes more popular, the report says.

5. Regulators need more IT specialists so that small and medium-sized
institutions, once examined, can better protect themselves.

Small and medium-sized banks are considered lower-risk than the biggest
banks, so regulators often send them examiners with less IT training, whose
reviews were “not as specific and useful as the review that involved the
examiner with IT expertise.” These institutions told the GAO that in past
years, when they were visited by higher-level IT examiners from regulators,
their cybersecurity posture improved.

6. People are sharing information on threats, but it’s repetitive, slow and
lacking in critical details.

Part of the problem is that when a bank is under attack, it might not be
able to immediately give other banks details on why or how it is under
cyber siege due to ongoing law enforcement investigations. Or, in many
cases, banks are too concerned about ruining their reputations, the report
says, which makes them less willing to talk.

“Data breaches and security incidents require rapid response to mitigate
impact; therefore, effective preparation or responses require timely and
usable information,” the report says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 