How To Lower The Risk Of A Bank Data Breach

The financial services industry is a leader in many aspects of cybersecurity performance and has set the standard in areas like vendor risk management. Why? Because risk is built into their culture. Inherent in the financial services industry is how to measure and mitigate risk, and they’ve become very effective at it.

Banks and financial service businesses are also some of the most highly targeted organizations—for obvious reasons. Below, we’ve outlined three steps that any financial services organization needs to take in order to lower the risk of a data breach.

1. Train employees on how to be safe and how to recognize suspicious incidents.

This comes down to training your employees on how to recognize anything out of the norm and spot so-called red flags. Take this example from March 2016 (as reported by Quartz India): Hackers had recently moved $100 million out of Bangladesh Central Bank’s account at the Federal Reserve Bank of New York, but it had gone undetected. But when they tried for a larger transaction of $850 million, an employee at Deutsche Bank (the routing bank) noticed a spelling error on the transfer request. (It read “fandation” instead of “foundation.”) He or she could have ignored it or written it off as an innocent spelling issue, but because they saw the red flag and took action, they caught a potentially disastrous cybercrime.

2. Join information-sharing groups like FS-ISAC.

Financial Services Information Sharing and Analysis Center (FS-ISAC) is a threat information sharing organization which was started so financial service organizations could come together and share information on threats targeting the industry. You can think of it like a crowdsourcing solution used to prevent cybercrime. By joining FS-ISAC, you can become aware of vulnerabilities in your industry that are being exploited, and where those vulnerabilities are originating from. By collaborating and sharing this information, banks and other organizations are armed with the knowledge they need to combat potential issues before they become catastrophic.

3. Be completely honest about what your organization’s issues are, and address them using approachable language.

You want to become fully aware of what your organization needs to do to improve—but where do you start? To do this, you need the ability to monitor how you’re performing on a continuous basis and what’s impacting your performance. That’s where security ratings come into play.

Without ratings, your boss or CEO will likely be left to interpret what your organization’s cybersecurity measures mean. Can upper management easily determine what last month’s 300 botnet infections mean for your cybersecurity posture? Maybe so, but maybe not. And the constant phone calls to IT and confusion this creates can be chaotic.

A security rating is a number that changes every day—like your credit score—which allows you to see if your organization’s rating is in a good range (or if you need to start looking at what’s causing it to be too low). Security ratings allow you to:

• Communicate effectively across your organization in a manner that security experts and non-security experts can understand and appreciate.

• Understand what your competitors rating is, so you can properly benchmark your performance.

• View your cybersecurity health holistically by looking at your entire vendor ecosystem, including your third parties and their suppliers.

Security ratings can help foster cybersecurity awareness at a level that is approachable for everyone involved. It helps keep you honest about events happening on your network and allows you to easily understand how you’re performing compared to others in your industry or supply chain.

You cannot avoid all data breaches—but by relying on a data-backed rating that is actionable, objective, and verifiable, you will potentially lower the risk of a bank data breach happening in your organization.