BreachExchange mailing list archives
6 ways the banking industry could improve on cybersecurity
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 2 Jul 2015 19:19:08 -0600
http://www.marketwatch.com/story/6-ways-the-banking-industry-could-improve-on-cybersecurity-2015-07-02

The threat of a hack is among banks’ biggest fears. And those threats are becoming more frequent, and more sophisticated, according to a report released Thursday by the U.S. Government Accountability Office.

“Depository institutions are estimated to have incurred hundreds of millions of dollars in losses from breaches in the systems of their corporate customers that allowed criminals to illegally transfer funds from the customer’s bank accounts, and from frauds perpetrated against their automated teller machines.”

The industry is taking action to fend off attacks, from hassling customers on real purchases on the tiny chance of catching a criminal to building out more secure websites. Here’s the GAO’s take on how banks and regulators could get better at cybersecurity.

1. Some banks still don’t take the hacker threat seriously, until they become victims themselves.

“...Institutions may not make information security a priority until they experience an incident,” according to the GAO’s interviews with security vendors and federal officials. Institutions with in-house staff may be better-equipped to handle attacks since they have the expertise on hand, the report says. Small and community banks may not have people whose sole jobs revolve around security. But for what it’s worth, federal banking guidance released this week said smaller banks could have a better handle on cybersecurity since they have fewer systems to protect and are less complex.

2. Regulators collect data on bank security but don’t actually analyze all of it — which means that they can’t say, “Hey, this is a problem for everyone. Here’s how to fix it.”

The GAO found that, firstly, regulators don’t collect security and threat information from banks in a way where they could see patterns among different institutions. And whatever they do collect is hodgepodge — varied in detail and usually not broken down into categories to differentiate between the types of threats. That makes it much harder to see the forest for the trees.

3. All bank regulators need the authority to look into third-party vendors, who often provide information technology services to banks but can open them up to more risks.

The National Credit Union Association doesn’t have the authority to examine third-party vendors, which many credit unions use for technology services, according to the report. The group has been asking for this power for about a decade, it told the GAO. That would give it a chance to ensure the technology providers have proper cybersecurity measures in place, and make sure credit unions are secure.

4. As mobile banking grows in popularity, the industry needs to step up its game to secure applications.

While mobile malware is a relatively low threat, it could worsen as mobile banking becomes more popular, the report says.

5. Regulators need more IT specialists so examiners of small and medium-sized institutions can better protect themselves.

Small and medium-sized banks are considered lower-risk than the biggest banks, so oftentimes, regulators send them IT officials with less training who were “not as specific and useful as the review that involved the examiner with IT expertise.” These institutions told the GAO they found in past years, when they were visited by higher-level IT examiners from regulators, their cybersecurity posture improved.

6. People are sharing information on threats, but it’s repetitive, slow and lacking in critical details.

Part of the problem is that when a bank is under attack, it might not be able to immediately give other banks details on why or how it is under cyber siege due to ongoing law enforcement investigations. Or, in many cases, banks are too concerned about ruining their reputations, the report says, which makes them less willing to talk.
“Data breaches and security incidents require rapid response to mitigate impact; therefore, effective preparation or responses require timely and usable information,” the report says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!