Charles Shanley, Executive Vice President of John M. Floyd & Associates, shares his knowledge about the status of cyber security today.
If we’ve learned anything from the recent Facebook/Cambridge Analytica debacle that affected 87 million people, it’s this: our personal data is ripe for the picking. Mitigating cyber security risks should rank at the top of every CEO’s priority list. For that, you need a thorough understanding of the topic and the ability to recruit the right people with the necessary skills to stay (at least) one step ahead of cyber threats.
Know thy enemy.
To stay ahead of hackers, it’s important for management and those dedicated to overseeing an organization’s data to be aware of the types of data breaches occurring today.
According to former Acting Comptroller of the Currency, Keith Norieka, “Phishing is a primary method for breaching data systems and is often the entry mechanism to perpetrate other malicious activity, such as installing ransomware, accessing confidential information, compromising internal systems to effect payments, or conducting espionage.”
In many cases, cyber attacks can be avoided by simply keeping up with your own technology. The massive 2017 Equifax data breach that compromised the personal information of 143 million people could have been avoided by simply installing a web application vulnerability patch that had been available for two months prior. Experts also recommend using an Intrusion Detection System (IDS) to immediately alert you to a data breach, thus allowing you valuable time to react before too much time passes.
On the other hand, even with due diligence, financial institutions find themselves attacked through another avenue: their vendors. A 2017 report by BitSight found that, in most cases, companies in the finance industry supply chain do not meet the same security measures that finance companies hold for themselves. The report found outdated, unsupported and highly vulnerable machines all over third-party vendors that provide legal, technical, and business services to financial institutions.
Being vigilant of this possibility and properly scrutinizing vendors’ threat prevention plans makes your institution more secure against cyber attacks.
Let’s all hope we only encounter the best when it comes to cyber security; but to be realistic, anything less than preparing for the worst could bury your institution.
Your people are your most important asset, and in times of crisis, this will become evident. According to Deloitte’s 2018 Banking Industry Outlook, hiring high-quality data managers (or Chief Data Officers, in very large companies) has become a top priority.
Cyber security affects HR in the recruitment process, workforce planning and compensation planning. In this new and fast-growing job market, excellent data managers are difficult to find and earn a sizable salary, with many hiring departments unsure of what to look for in a candidate. For these reasons, experts recommend using a third-party recruiter with experience hiring data experts.
In my experience, when recruiting candidates for leadership positions, I not only make sure they have great credentials — I want to see them prove their capability in crisis management and disaster recovery. An important part of the process consists of having a candidate articulate how they would react during a potentially real-life crisis scenario. We ask candidates to take us through the first four hours of response to the emergency, all the way up through Day 10, detailing specific recommendations and actions they would take concerning employees, account holders, shareholders and policymakers.
This sort of hands-on, behavioral scenario tells us and our clients more about a candidate than any resume or LinkedIn profile ever could.
Play offense and defense.
It doesn’t end with hiring the right individuals, though. Your institution should, of course, have a robust crisis management plan in place, and it should be revisited and updated frequently. In addition, putting cyber security at the forefront of your 2018 initiatives is essential and something other financial institutions are already adopting.
In a new ABA study on Community Bank CEO Priorities, an overwhelming majority of respondents planned to implement the following measures to protect their banks against data breaches or cyber threats:
- Staff training (95%)
- Network security (91%)
- Customer education (84%)
- Anti-malware/anti-virus software (81%)
- Mock cyberattack/tabletop testing (75%)
- Joining Sheltered Harbor (69%)
Hackers never sleep, but you can.
Hackers attempt cyber attacks all day, every day. While you can’t personally stay on watch 24/7, you can take significant steps to minimize your financial institution’s likelihood of suffering a data breach. Staying alert to the current state of cyber security; installing patches and updates to your software and applications; vetting your vendors; hiring competent data managers and continuing to implement cyber security measures can keep your institution one step ahead of the enemy.