We have all seen the news about data breaches at Home Depot, Neiman Marcus, Target, even Sony. Banks and credit unions are also being targeted, with institutions like Citibank, Bank of New York, and JP Morgan reporting major security breaches. The aftereffects of these breaches are now hitting Main Street financial institutions. As an example, credit unions in Ohio reported their losses from the Home Depot breach totaled over $1.3 million – and climbing.
Recently, even a small California credit union had a data security issue, as a thumb drive containing sensitive member data (including addresses, social security numbers, etc.) was lost. The twist? The thumb drive was used by the NCUA (the examiners) on their laptops as part of the exam. The NCUA would neither confirm nor deny that the examiner in the field was responsible for the thumb drive’s “disappearance.” So much for responsibility.
Malware as an industry: the criminals are working together. Since major data breaches now seem to be a common occurrence each month, one begins to wonder if this is an organized effort. Many of the breaches are traced to countries such as Russia, Liberia, or the Ukraine, with nondescript locations inside these countries. Sony suspects their recent data breach originated in North Korea. Many experts now believe there exists an “underground network” developing and refining malware toolkits which are shared with cybercriminals in many countries.
Since much of this cybercrime originates oceans away, and these countries are doing little – if anything – to stop the criminals, it falls on us to prevent the losses. One of the most precious commodities we have is our reputation – something we all have built by decades of work. This can be severely damaged by ONE security breach at our institution.
What can be done? Treat security as a business problem. According to the FBI, in 2011 (the last full-year report), there were over 5,000 robberies at financial institutions. Even in this modern era, it is amazing how many criminals still view “robbing banks” as something they can get away with. In 2013, there were over 16,300 reported cyberattacks at businesses nationwide. Note I said reported – there may be many more that are unknown or not reported.
Recently, I heard a cybersecurity expert from IBM who made some common sense observations on security in general: treat security as a real business problem, not just a case of “add cameras, a firewall and an anti-virus program” and move on. His point was that we need to elevate security to the same level as our competitive research and marketing efforts. A proactive approach is necessary; just putting reactive measures in place isn’t enough.
One example of how we need to elevate our treatment of security is to have a disaster recovery plan for a major security breach at the institution. How do you respond? What are your talking points to the media? How do you report to the employees and customers? To use a comparison, many institutions do a dry run and have a plan in place in case of a fire, flood or other natural disaster, but rarely is there a plan in place for a sophisticated cyberattack. If your financial institution does not have a security response plan, perhaps this should be a priority for 2015. The costs can be large if you aren’t properly prepared. The graphic below shows the financial consequences of a security breach, with reputation and brand damage leading the way.
Education for the executives and the board. Recently, I had a conversation with two CEOs at a financial institution conference during a lunch break. The subject was cybersecurity, which had been one of the earlier education sessions at the conference. One CEO was “complaining” that his board seems disinterested in the subject because “members of his board didn’t want to learn about terms such as malware and cyber fraud. Their view was electronic ‘stuff’ was for the younger generation.” He believed he needed to wake up his board with perhaps a scare tactic that this is serious stuff – harsh maybe – but necessary. Again, reputation damage is a potential fallout with anything bad that may happen to the institution, and he wanted his institution to be prepared.
It is important that a “risk tolerance” discussion happen at the senior management and board level. The tolerances for credit, interest rate, liquidity, reputation, and other risks need to be discussed and decided upon. Next month, I will discuss this topic in more detail and give financial institution best practices as guidance.
A national effort is needed. At financial institutions we tend to be the target of many fraud and cybersecurity breaches because “that is where the money is.” It is encouraging that national industry organizations such as the ABA, ICBA, and NAFCU are addressing the issues from an education and best practice standpoint.
But this is only part of the effort. First, our payment systems need to be rethought. We all know they are antiquated, but we tolerate them because they are so entrenched. Second, if we can create such giants as Facebook, Microsoft, and Google, we as a country should be able to not only build super-robust intelligent firewalls and anti-fraud efforts, but also software and other efforts to “attack the attackers.” Just a crazy thought – what if the cybercriminals showed up at their lair one morning to find their electronics completely frozen and useless because of a powerful anti-malware program implanted by us? Poetic justice.