Victory Global Solutions

ACCELERATE THE IMPLEMENTATION OF YOUR DIGITAL TRANSFORMATION STRATEGY

Contact Us at 410-884-9310

Cybersecurity: The risk of cybersecurity breaches

Challenges to Building Effective Cyber Resilience

It is undeniable that the cyber-threat quotient of banks and Financial Institutions (FIs) is high. However, they are not mere passive victims; they have actively contributed to their increased vulnerability in the following ways:

  1. Technology innovations. In their pursuit of business growth, banks have introduced digital innovations to cater to the tech-savvy customer. These innovations have brought a new set of vulnerabilities into the financial ecosystem, thereby increasing cyber risk.
  2. Availability over confidentiality. Fear of a backlash following a service disruption has led to a heightened focus on providing uninterrupted service. This has resulted in an emphasis on availability over confidentiality and integrity, and in the granting of excessive access rights to inappropriate people and processes. FIs will remain highly vulnerable as long as their fear of a service interruption outweighs their concern over a security breach. See also Infrastructure deficiencies below, which are equally affected by a lack of balance in security controls.
  3. Human error and system glitches. Human error due to employee negligence, and system glitches comprising IT and business process failures, accounted for a significant percentage of data breaches in 2013 and 2014. This indicates that many data leaks can be attributed to the inadequacies of FIs and are within their power to mitigate by enforcing greater control, adopting better practices, and putting in place stronger disciplinary measures in sensitive areas.
  4. Infrastructure deficiencies. Despite rising regulatory concern and action, the emphasis on availability has created flaws in FIs’ infrastructure-level security that malicious actors can exploit with impunity to compromise application and business process controls without detection. By emphasizing availability, FIs have put security in jeopardy and endangered data confidentiality. Application and business process controls lack the capability to detect data breaches at this level, a problem further compounded by the failure of post-event investigations to detect the actions.

Conclusion

Improving cyber-resilience is a key imperative to prevent a security breach. If yours is a mature information and IT security program, it should include independent validation to answer the question: How do we know our security works? If your security program is immature, then you need to focus on the immediate imperatives of restricting and monitoring privileged accounts and becoming aggressively vigilant. With that safety net, you can then work to develop a more mature program consistent with your industry and enterprise risk, and your budgetary capabilities.