Today’s cyberthreat environment is diverse and constantly evolving, making daily cyberattacks a legitimate fear for banks and bank customers. The truth is that no one is immune to an attack. CDW, a leading provider of IT solutions and services to business, government and education, conducted a survey in January and February 2014 of 1,002 U.S. commercial bank customers and 152 bank managers to understand the prevalence of attacks, customer awareness, and the resulting impact on customer confidence. Scott Hiemstra, manager of CDW Financial Services, a division of CDW, writes here about the results.
What kinds of attacks are banks experiencing?
Half of banks (49 percent) experienced a cybersecurity attack in the past 12 months, but just 5 percent of customers are aware their bank was attacked. The leading causes of attacks include unauthorized access (51 percent), malware (43 percent) and identity theft (38 percent).
What are the biggest challenges for bank managers in terms of cybersecurity?
Institutions are working to mitigate cybersecurity threats, but the most significant challenges for the respondents of the survey include employee compliance (44 percent) and managing privacy (37 percent).
What are some of the greatest vulnerabilities for banks?
While large banks are more confident than small banks, less than half say they have an effective cybersecurity plan in place. Bank managers cite network gateways (31 percent), mobile banking apps (30 percent) and employee mobile devices/apps (28 percent) as great vulnerabilities.
How could banks focus their energies to improve security?
Banks are working to improve customer trust, and CDW has a number of recommendations for banks to improve their cybersecurity programs and to provide their customers with the information they need. Keep up with changing priorities by focusing on web security and mobile apps as they become more popular with customers. Proactively provide customers with information on your bank’s continued efforts to improve cybersecurity and stop cybercriminals. Put customers at ease by educating them about the steps your bank will take in the event of an attack. Leverage the right technologies. Use data loss prevention, encryption, protection from botnets (networks of infected machines used for criminal purposes), and web application firewalls to better manage risk, meet regulatory compliance requirements and improve customer experiences. Use effective and continuous monitoring, and streamlined and tested incident response processes to help identify, diagnose and mitigate data breaches.
If you were a bank director, what should you ask management about your bank’s security?
It comes down to education and funding. Do you have the right IT staff or IT sourcing that can handle the bank’s needs? What are you most concerned about? As you add cloud-based hosting of data or mobile networks, you are adding to your potential to be hacked. What business continuity plans do you have? Don’t be shy about asking questions. Everyone shies away from this because they don’t have the level of sophistication to talk about it.
What are your greatest concerns about how cybersecurity threats might evolve in the future?
I worry about cross-border issues. The hacker is not slowing down. A threat can happen from anywhere in the world. We need to look beyond the typical threats. We need to increase the protection from the threat outside U.S. borders. It’s important that banks follow through on the information they receive about new threats. They cannot afford to get the information and ignore it. It comes down to the people and processes and technology. Banks have to spend more than they used to protect their systems, and it’s taking away from the business.
Where can banks go to get information about the latest threats?
Be strategic and selective about your IT vendors. If you have a security assessment, look for a second opinion. There are always new threats that are out there. A secondary source can validate your process and look for areas of weakness. Banks are also looking to government agencies for information about attacks.