Back in the day, a heavy-duty vault with a bullet-proof locking mechanism assembled by a world-renowned locksmith was enough to protect banks from Jesse James wannabes. Maybe a security guard stationed at the door, a little red button under the tellers' counter triggering a silent alarm, cameras everywhere. But it's 2022, and banks are facing escalating cyber threats that can sabotage business as usual in a matter of seconds.
At this point, nearly 80% of banking customers would prefer to manage their finances digitally from the comfort of their own couch than trudge to the nearest bank. While fancy vaults, security guards, and red-button alarms still have their place, cutting-edge cybersecurity solutions and groundbreaking technologies are stealing the show.
But despite massive investments in cybersecurity products and solutions, banks are still making basic mistakes — and losing millions of dollars to cybercriminals (and even more in reputation) on the reg.
Below are just a few of the cybersecurity mistakes we see banks making way too often.
You might think the first mistake on this list would live somewhere in the high-tech echelons, complete with jargon no mere mortal could wrap their head around. But no. First up is failing to create a culture of security that trains every employee in cybersecurity and zero-trust best practices.
Banks are 300 times more likely to face a cyberattack than any other type of institution. With the widespread nature and scale of today’s cyber threats, everyone in your bank needs to become a digital security guard. After all, anyone — from the CEO to the newest intern — could be the point of entry via a phishing email or malicious link.
How to fix it: Educate employees on cybersecurity best practices. Even small security measures — such as discouraging the reuse of passwords or sending sensitive information over vulnerable channels like email — go a long way to prevent a digital bank heist.
Similarly, consider customers a cybersecurity weak point. Just like employees, customers should receive some basic training around cybersecurity. Alongside mandatory multi-step authentication, facial recognition, encryption, and strong passwords, customers must be taught to play their part to keep their own data safe (and avoid clicking on that malicious link from their “bank manager”).
And if you haven’t upgraded your IT systems with basic security measures, your organization is at major risk of a cyberattack. Kristen Bolig, CEO of SecurityNerd, points out that many banks don't offer customers the most basic security measures such as multi-step authentication on mobile apps. This is especially concerning since mobile apps are, as Bolig puts it, "somewhat easy points of entry for hackers." She adds, "If a bank only requires the user to put in their password to log into the app, that's not very difficult for hackers to figure out. Banks that have multi-step authentication and even allow for facial recognition are immediately more secure."
How to fix it: Create customer-facing education around cybersecurity. You can do this through a newsletter, mobile app push notifications, or a digital security section in your FAQs. Encourage customers to scan their transactions regularly to check for suspicious activity, no matter how insignificant or harmless it may seem. And, if you haven't already, enable security features such as multi-step authentication and regular password updates.
None of this education means anything if your employees and customers send information that's not adequately encrypted.
Financial organizations regularly request sensitive information from customers (to verify identities, run credit checks, and grant loans, for example). Luckily, the Federal Financial Institutions Examination Council (FFIEC) creates, examines, and reports on standards and protocols. And the FTC's Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect sensitive customer data and provide transparency around information sharing. To protect customers, regulations from the FFIEC and GLBA require financial institutions to encrypt:
Sensitive information (e.g. names, addresses, and Social Security numbers)
Transactional information (e.g. account numbers, loan balances, or purchase amounts)
Other personal information acquired to provide a financial service (e.g. credit scores or criminal records)
Make sure you're encrypting the information that needs to be encrypted. The bank-standard cipher is the Advanced Encryption Standard (AES) with a 256-bit key. However, as Andrew Orr points out in an article for The Mac Observer, "You can use the strongest encryption algorithm in the world, but if you don't use it correctly, it doesn't matter if it's 128[-bit] or 256[-bit]."
How to fix it: Conduct an audit of your encryption methods — but don't stop there. Ensure your servers and machines are configured to use 256-bit AES, with a fresh nonce for every message and an authenticated mode so tampering is detected, to eliminate potential weak points.
While conducting a cybersecurity audit, whether you start with your encryption protocols or testing employees’ knowledge, use the FFIEC's Cybersecurity Assessment Tool. To use it most effectively, make sure your practices align with basic cybersecurity requirements.
Perry Zheng, former software engineer and founder and CEO of real estate syndication platform Cash Flow Portal, says, “Most medium-sized banks fail to link their cybersecurity with cyber compliance.” If you’re following cybersecurity practices that don’t match your required compliance, “it can be difficult to respond to exams and audit requests.”
And if you do have to go through an audit, violations can be costly — especially if you don’t take corrective steps. You could incur fines from the NCUA, FRC, OCC, or FDIC. No matter which organization is coming after you, their fines can render your bank, well, bankrupt.
How to fix it: Leverage the information included in the FFIEC’s Cybersecurity Resource Guide for Financial Institutions to find both paid and free assessments and tools to evaluate your cybersecurity practices for compliance. Document your findings and make changes if you find weak points or violations. If a cyberattack does occur, you can use your records to show that you were following best practices for financial institutions — not just generic cybersecurity protocols.
Cybersecurity is not a budget line item to second guess.
The sheer volume of cyberattacks on banks might drive you to hire third-party security providers. The pricing model for security packages often depends on the number of systems covered. To keep costs affordable, many vendors — and even banks — suggest covering only "critical" systems.
But for financial institutions processing thousands (or millions) of records containing sensitive data, every system is critical. Cybersecurity corners should not be cut, especially for organizations as highly targeted as financial institutions.
How to fix it: Whether you're working with an in-house security team or a third-party vendor (or both), don't let cybercriminals catch you exposed — make sure you're covered everywhere. Has your cybersecurity spending actually decreased recently? Leaving a "non-critical" system unmonitored to cut costs could be just the open (vault) door a hacker is looking for.
Even the most sophisticated cybersecurity system needs a basic foundation to stand on. Educate customers and employees about the importance of cybersecurity and the consequences of cyberattacks. Anyone connected to a bank should be vigilant about preventing cyberattacks; people can be your greatest weakness or your greatest strength.
And then, make sure your products or solutions, partners, and processes follow the same cybersecurity standard as your organization. Every product or solution you use, vendor you partner with, and protocol you follow should comply with FFIEC standards. Whether you run a small local credit union or an international institution, you should always be on the lookout for cutting-edge tech and groundbreaking cybersecurity solutions that will reduce risk and mitigate damage.
Prepare for the worst by running this cyberattack simulation exercise for banks.
If you need any more convincing to stay on your guard — read about the true cost of a data breach.
Have you already become the unfortunate victim of a cybercrime? Learn what bank CISOs should do after a data breach.