According to a recent survey, bank executives feel they have a good handle on their own cybersecurity programs. Their confidence falters, however, when they are asked about the security readiness of their partners.
Bank Director's 2017 Technology Survey, conducted this summer, polled 145 US banking CIOs, CTOs, CEOs, independent directors and chairmen at banks with assets ranging from $250 million to more than $5 billion.
Bank executives were asked specifically, “If your bank were to experience a cyberattack or data breach right now, are you confident that the staff and the board would be prepared to react?” Oddly enough, the largest and smallest banks were the most confident in their readiness: eighty two percent and eighty percent, respectively. Cumulatively, seventy seven percent of all bank executives answered "yes," they feel their institutions would be prepared to react to a cybersecurity event.
The problem with this question is that it focuses on post-breach readiness. In other words, what banks are expressing confidence in is their crisis management plan: the processes for finding the source of the leak, closing it, and notifying key stakeholders such as bank management, regulators, law enforcement and customers. A post-breach action plan is imperative, but this is a technology survey. A more revealing question would have been, “Do you have the systems and processes in place to reduce the likelihood of a successful cyber attack?” Bank executives might be less emphatic in answering that one.
It’s a cliché by now that a data breach is no longer a question of “if” but “when,” and that philosophy has shifted organizational thinking from preventing cyber attacks to minimizing the damage they cause. Nevertheless, banks need a wide range of security capabilities in place, not only to protect their assets (funds and customer data) but also to demonstrate compliance with a number of regulations. Most data breaches and compliance violations are the result of a breakdown in technology, communication or process, so the same controls and security-conscious workforce that avert a cyber attack also produce the evidence needed to pass an audit.
Back to the survey. Executives were then asked a similar question about their partners: “If one of the bank’s vendors were to experience a cyberattack or data breach, do you believe that the bank would be vulnerable?” Forty four percent of all respondents answered "yes." Equally concerning, thirty four percent were unsure whether their bank would be vulnerable. Only twenty one percent said they did not believe their bank would be vulnerable. (These figures do not total one hundred percent due to rounding.)
As banks and other organizations incorporate partners and vendors into their workflows, they increasingly have to grant those parties access to their networks. In practice that means opening a path through the firewall for each vendor, typically a listening port exposed to the vendor’s addresses, a VPN account or an API credential, so the vendor can reach the data it needs from outside. Each such opening is attack surface that has to be inventoried, restricted to the vendor’s actual source addresses, reviewed when the relationship changes, and monitored; the more of them an organization accumulates, the harder its data becomes to manage, monitor and defend.
Consider this: in a recent cybersecurity survey polling 1,800 senior business decision makers and employees across the UK, US, Germany and Australia, respondents attributed seventy four percent of the cyber attacks they suffered to their extended network of workers, customers and suppliers, compared with twenty six percent attributed to outside hackers and forty two percent to employees (the categories overlap, so the figures do not sum to one hundred percent).
Banks are aware of the threat posed when sensitive information is shared with external parties, and so are attackers. Citi and Scottrade Bank are just two examples of high profile data breaches involving banks and their business partners. As a result, banks must be extremely confident that every vendor they consider working with has been thoroughly vetted for its cybersecurity capabilities, and that the vetting is repeated for as long as the vendor holds access.
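What “manage, monitor and defend” those openings looks like in practice is a periodic audit of every third-party ingress rule. The script below is an added example written for this article, not Accellion code and not any particular firewall’s format: the rule fields (vendor, source CIDR, port, protocol, owner, expiry), the thresholds, the port lists and the rule set itself are all assumptions constructed for illustration. It flags the classic mistakes: a vendor opening reachable from the whole internet, a source range far wider than the vendor actually uses, nobody accountable for the access, an approval that has lapsed, a cleartext protocol, and an administrative or database port exposed directly to an outside party.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IngressRule:
    """One firewall allow-rule granting an outside party access to an internal service."""
    vendor: str     # third party the rule exists for
    source: str     # CIDR the vendor connects from
    port: int       # destination port exposed to that source
    protocol: str
    owner: str      # internal person accountable for this access ("" if nobody)
    expires: date   # date by which the rule must be re-approved or removed


# Constructed rule set for illustration only: not real vendors, people or addresses
# (the CIDRs are RFC 5737 documentation ranges).
RULES = [
    IngressRule("Payroll Co", "203.0.113.0/24", 443, "tcp", "j.doe", date(2018, 1, 31)),
    IngressRule("Core Processor", "0.0.0.0/0", 22, "tcp", "", date(2016, 12, 31)),
    IngressRule("Statement Printer", "198.51.100.0/22", 21, "tcp", "m.lee", date(2018, 6, 30)),
    IngressRule("Core Processor", "192.0.2.0/24", 1433, "tcp", "a.kim", date(2018, 3, 31)),
]

AS_OF = date(2017, 9, 1)  # assumed date the audit is run against

# Ports whose usual service sends credentials or data unencrypted (assumed list).
CLEARTEXT_PORTS = {21, 23, 80}
# Administrative or database services that should never face a third party directly (assumed list).
ADMIN_PORTS = {22, 3389, 445, 1433, 3306, 5432}
MAX_SOURCE_PREFIX = 24  # a source wider than a /24 is treated as effectively unbounded


def audit_rule(rule: IngressRule, today: date) -> List[str]:
    """Return the problems found with one rule, in a fixed order (empty when acceptable)."""
    findings = []
    net = ip_network(rule.source)
    if net.prefixlen == 0:
        findings.append("any-source")          # reachable from the whole internet
    elif net.prefixlen < MAX_SOURCE_PREFIX:
        findings.append("wide-source")         # vendor's real address range is far narrower
    if not rule.owner:
        findings.append("no-owner")            # nobody will notice when the relationship ends
    if rule.expires < today:
        findings.append("expired")             # access that outlived its approval
    if rule.port in CLEARTEXT_PORTS:
        findings.append("cleartext-protocol")
    if rule.port in ADMIN_PORTS:
        findings.append("admin-port")
    return findings


def audit(rules: List[IngressRule], today: date) -> List[Tuple[IngressRule, List[str]]]:
    """Return (rule, findings) for every rule with at least one finding, in input order."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule, today)
        if findings:
            flagged.append((rule, findings))
    return flagged


def exposure_by_vendor(rules: List[IngressRule]) -> Dict[str, int]:
    """Count how many separate openings each vendor has: the surface the text warns about."""
    counts: Dict[str, int] = {}
    for rule in rules:
        counts[rule.vendor] = counts.get(rule.vendor, 0) + 1
    return counts


if __name__ == "__main__":
    for vendor, n in exposure_by_vendor(RULES).items():
        print(f"{vendor}: {n} opening(s)")
    for rule, findings in audit(RULES, AS_OF):
        print(f"{rule.vendor} {rule.source} -> {rule.port}/{rule.protocol}: {', '.join(findings)}")
```

Run as a scheduled job against an export of the real rule base, the same checks turn a vague sense of “too many open ports” into a list of specific openings with a named owner to chase and a date by which each must be re-justified or closed.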
Secure and govern your sensitive data with kiteworks
Accellion kiteworks provides a single, controlled interface that integrates with on-prem and cloud-based content systems so banks and other financial institutions can access, edit, send and collaborate on confidential files safely. A robust security framework, consisting of a hardened VM appliance that can be deployed in a private or hybrid cloud, encryption of content in transit and at rest, customer ownership of encryption keys, DLP integration, role-based permissions and many other security features, ensures sensitive information is accessible only to authorized users. In addition, organizations can achieve the highest levels of governance by leveraging compliance intelligence capabilities such as detailed file activity, auditable logs and granular policy controls. This enables organizations to demonstrate compliance with rigorous industry and governmental regulations, standards and certification programs such as SOX, HIPAA (with signed BAA), ITAR, SOC2, PCI DSS Level 1, ISO27001, ANSSI, FedRAMP, and CJIS, among others.
With kiteworks, organizations gain an added layer of security and governance that protects content as it enters and leaves the organization.
To learn more about Accellion kiteworks and how it enables financial institutions to achieve the highest levels of security and compliance, please visit accellion.com/financial.