In a recent Bank Technology News article titled “Banks Urged to Beef Up Defenses Against DDoS Attacks, ATM Fraud,” the author reports how the Federal Financial Institutions Examination Council is “urging” (quotes mine) banks to establish better security controls related to ATM fraud, as well as distributed denial-of-service (DDoS) attacks. Not surprisingly, Verizon ranked ATMs and file servers as two of the top three assets most vulnerable to cyberattacks for banks.
With more than 30 years in the financial services industry, I continue to see banks of all sizes struggle to protect themselves. I have also seen how, in response to these threats, CIOs and CISOs have resorted to deploying a wide array of point solutions from a whole host of vendors. This has created a mishmash of disparate, often redundant systems and an IT environment rife with constant upgrades, custom middleware, proprietary interfaces, incompatible databases, operational silos—and frankly, a lot of money paid to IT consultants. This is the reality of operating within the confines of today’s legacy and signature-based security solutions.
Despite billions spent on IT security each year, organizations find themselves more and more vulnerable to attack. Until this environment changes, there will continue to be major breaches at the large financial institutions, many of which have the potential to precipitate serious financial repercussions on a global scale. Within the small to mid-size bank arena, breaches could ultimately wipe out entire local and regional banks, and could have a ripple effect on key aspects of the U.S. financial system.
The vulnerabilities of the banking sector, as well as other information-driven industries, will only be reduced with technology that is designed to overcome the limitations of legacy systems. Specifically, they must eliminate redundant systems, reduce hardware upgrades, unify disparate data across the IT infrastructure, correlate critical data of all types and sources, and protect their data assets from the “unknown unknowns.”
Simply put, the key to data security is looking at all things, all the time, without rules or signatures. If organizations continue to try to manage their security through 50+ pieces of disparate hardware, such as SIEM, firewalls and IPS, where each “box” is from a different vendor and is only designed to look for one possible “bad” thing, no organization, particularly banks, will ever be secure.
We must move toward an integrated security strategy, leveraging advances in technology that have been developed just in the last few years. Because such technology solutions can co-exist within an organization’s current IT infrastructure without usurping the investment already made, they have the potential to be the answer—and the future—for an industry struggling to gain the upper hand against these attacks. With the skyrocketing costs associated with a breach, combined with the reputational damage that can last for many years, banks can no longer take the hit of lost earnings and exposure in today’s volatile economic climate. It’s time for change.