Bank robberies are on the rise. But they aren’t happening in the branches. Tellers aren’t on the receiving end of a note… or worse. They’re happening online, and for those of us who work in banks, we’re the tellers.
Cybercrime is the new bank robbery. And, these cybercrimes are getting away with more money than ever before and something even more valuable, information - ours, our companies’ and our customers’. The cybercriminals are also harder to catch, typically operating abroad and always under the cloak of obfuscation. What’s scarier is that their reasons involve the worst of humanity. Human and drug trafficking. Cyberwarfare intent on physical harm. Disrupting economies and even overthrowing governments.
Human error is one of the most common causes of security incidents; however just 45 percent of businesses provide mandatory cybersecurity training for their employees. When I talk about the various threats, the risks they pose and how we as everyday people just trying to do our jobs can become a true and effective “line of defense”, I’ve distilled it to Eight “Must Dos.”
Currently I work in the financial sector, and banking incurred the highest cost for cybercrime in 2018 compared to other industries. According to Accenture, the average cost of cybercrime for financial services companies globally increased more than 40 percent, from USD 12.97 million per institution in 2014 to USD 18.28 million in 2017. But from this vantage point, I think these steps are universal.
One ~ A committed Board of Directors.
There is no more true risk management truism than it starts at the top. The Board of Directors and Senior Management must appreciate that without them nothing will work in effectively combatting the myriad of threats facing them and their institution. How does one get there?....
Two ~ A knowledgeable Board of Directors.
A knowledgeable Board is an engaged Board. Knowing the threats and the exposures are critical for Boards and Management in approving the proper resources necessary to address the risks. And it starts with one person…
Three ~ An accomplished “teacher” and effective resources.
I’ve always said that one person given the authority and resources can do, fix, accomplish more faster than any committee. But as a committee, it’s up to the Board of Directors (and Senior Management) to identify and empower that subject matter expert. Then, give her what she needs. As for what “we”, the employees, need….
Four ~ Start with the basics.
Statistics and experts are unanimous in the primary threat to information and cyber security. Us!! So let’s start with the basics: creating and safely protecting unique passwords, staying off public networks, using multi-factor authentication, disabling unused and the more risky ports (USB, HDMI, mini-HDMI, etc.), powering down (nightly or at least weekly) and locking terminals when away from them, updating your personal devices and various (internet of) things, keeping a “clean desk” or work environment, and disposing of all sensitive materials securely. But, for the more complex tasks, something more is needed…
Five ~ Drilling. Drilling. Drilling.
Today’s CEO email scams, business email compromises (BECs), phishing, vishing (VOIP and voice call phishing), spear-phishing (targeted phishing) and social engineering attacks are incredibly difficult to spot sometimes. But there are hallmarks to them all. There are a lot of great vendors out there that will put your institution through simulations. But whether it’s an outside vendor or your own internal resources conducting the training or drilling…
Six ~ Keep it positive!
No one, other than the “bad guy”, clicks on a malicious link or forwards a virus intentionally. It is not a matter of if something will happen. Something will happen. Your Information Security Response Team is hopeful trained and ready to triage an incident should one occur. But then, there’s the aftermath. What went wrong. These are learning moments. But, consider this, these are also moments when everyone is watching how Management reacts. We’re all in this together. So….
Seven ~ Mix it up.
Give in-person training (live), provide online training, research and identify a few vendors that could cycle in / out over a three year schedule to keep the material fresh and employees “on their toes”. And, after all is said and done…
Eight ~ Communicate. Communicate. Communicate.
In New York City, there is a saying, “If you see something, say something.” Regardless of where your own institution is, it’s a great reminder for all that we all get better when we all contribute to the dialogue, the threats, the lessons learned and the solutions. Whether it’s the Board of Directors communicating its commitment to cyber security for its employees and their customers, the training coordinator’s varied and unique communication styles, the industry’s now frequent alerts or our own tales of success (or woe), communication is the secret sauce.
About Paul Caulfield
Paul Caulfield is Executive Vice President and Chief Risk Officer at IDB Bank, a New York-based private and commercial bank. He is also a pending Certified Information Systems Security Professional, an Anti-Money Laundering Specialist and former Manhattan Prosecutor.
About IDB Bank
IDB Bank is a New York State-chartered commercial bank, a member of the FDIC, and a wholly owned subsidiary of Israel Discount Bank LTD., one of Israel’s leading banks. The Bank provides a complete range of private banking and commercial banking services to U.S. and international clients. Visit http://www.idbny.com for more information.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now