The Everchanging Landscape of Financial Institution Security

by Blair Rugh

As you read this article recognize that the writer has the technical expertise of a parakeet.  Actually, because I worked for a bank automation company for about 25 years I do have some knowledge about the workings of technology in a financial institution, but I still have to get help from my ten-year-old grandson to figure out how all of the functions on my iPhone work.  I also know that there is someone out there with evil intent who is a lot more technically proficient than you are and probably more technically proficient than anyone in your organization.  If a hacker can break into the electronic files of the government and some of the largest companies in the world, all of whom have the most sophisticated security available, your organization is fair game.

Virtually everything that a financial institution does has a risk to it.  The business of banking is the business of taking and managing risk. Every risk that a bank faces should be evaluated based on two factors: one, the probability that the event will occur and two, the damage that will ensue if the event does occur.  I have no idea what the probability is of your systems being invaded, but I do know that if they are, the damage could be astronomical.  Let’s say that a hacker is successful in placing a virus in your systems that shuts them down. Would you pay a $1 million or a $10 million ransom to get rid of it? Think about that for a moment.

For many years it has been my business to advise financial institutions on issues relating to compliance with the federal regulations.  Many bankers think that compliance with the federal regulations is the biggest risk that their institution faces.  I am not sure that is correct, but it certainly is a significant risk. First, its probability is very high. It is virtually impossible to comply with every regulation every time.  On the other hand, the damage from a compliance violation is normally pretty insignificant unless the violation is really egregious (think Wells Fargo).  Criticism or a slap on the hand from an examiner or even a small fine is disconcerting but it is not going to change the course of world events. However, the shutdown and lock up of your automation will change the course of events, at least for your world.

Historically bank security dealt only with the threat of a robbery or theft.  The issues were whether you had adequate locks on your doors and windows, procedures to follow in the event of a robbery and bait packs in your teller drawers.  Then as robberies became more frequent we put bulletproof glass in front of our teller windows and we thought we had the security issue solved. And for a while, we did, until computer hacking became a widespread and profitable business.  Now there are websites that teach the uninitiated how to do it.  As we give our customers more and more electronic access to their accounts, whether it is with a smartphone, a wristwatch or a chip implanted in their brain, the risk of a security breach will increase in magnitude. Open access to systems is anathema to system security.

So what is a guy or girl to do? My best advice is to get assistance from someone with experience who really understands the problems and knows how best to solve them.  If you cannot identify and appreciate the problem, the odds are pretty good that you will not be able to solve it. In most institutions, the greatest threat is the institution’s employees unwittingly giving access to an intruder.  If your employees have not been trained on what to look for and how to react when they see something suspicious, your institution is like a duck sublimely flying into a set of decoys just waiting to get shot.

Rule one: GET HELP.
Rule two: GET HELP.

Also, recognize that your institution’s security is not the only security issue that you face.  Many banks are now reviewing the security programs of their significant borrowers where a security breach could damage the borrower’s ability to repay.  Financial institutions should also consider the security of their mission-critical vendors. If, for example, your data processor is hacked, the impact on your organization could be worse than if you were hacked directly.

Technology is changing so rapidly it is almost impossible to keep up with what is happening.  What was the cutting edge yesterday is a pretty blunt knife today.  Recognize that when every employee has a computer on his or her desk, security is an institution-wide issue. Few financial institutions have the resources to adequately assess their security and implement the changes necessary to protect themselves.  In all likelihood information security is now the greatest risk in most organizations and it should be treated and managed accordingly.  Where experts are needed, call in the experts.