Your 2024 cybersecurity word of the year? Consistency.

A recent study of banks conducted by Integris, an IT service manager, revealed that only slightly more than half (53 percent) of bankers believe they are spending enough on cybersecurity, while one in five think they spend too little. The survey was drawn from 2,271 executives at U.S. banks.

The study is full of interesting tidbits concerning bank tech and cybersecurity. One out of five executives expect to increase IT spending in general by 20 to 49 percent. Not a single bank plans to reduce its spending. Forty-seven percent of banks cannot say they are confident in their cybersecurity investments but do say they’re satisfied with their existing cybersecurity program. And, according to the survey, 30 percent of banks rank cybersecurity as a top priority for IT spending in 2024.

I spoke with Jeremy Pogue, director of security services at Integris, about the subject of security.


Security issues are perennial — what do you think makes banks’ investment in security fluctuate?

Jeremy Pogue: Security as a whole is very cyclical and reactionary. This, coupled with a bank’s desire to get more ROI on investments, leads to spending in chunks rather than a consistent baseline. This means bankers will spend heavily to mitigate risks that are prevalent and then not spend again until new risks are prevalent. This piecemeal approach makes it impossible to create consistency in your cybersecurity program. Financial institutions that make regular investments in cybersecurity can predict and flatten their spend over time, and be positioned to be proactive about the next new threat.

In what ways do banks find their security investments are not working? Any real-world examples of a bank’s firewall letting them down?

J.P.: Human error undermines all investments. This is how they fail. Not having staff or a partner trained on how to properly use the tools leads to poor adoption and implementation. A big example of this was the July 2019 Capital One breach, in which 100 million credit card applications/accounts were hacked. A firewall was misconfigured, leading to the leak of data. A tool that should’ve protected them didn’t, because of human error.

What sort of investments in security have been well received and have worked well for banks?

J.P.: Investing in a holistic cybersecurity program is most often the best approach. There is not just one layer of protection that is the fix or best to get. So, working with a partner to define a platform and framework to build around works the best.

So how do banks work to avoid a staff member leaving a door open to the system?

J.P.: This has to be a top-down mentality. If the leaders are not buying in, then the staff does not follow suit. Working to get adoption of best security practices as well as belief in the training and reiteration of the process is the best way.

What are some best practices for security when it comes to managing employee remote access at the bank?

J.P.: This starts with controlling the device that the employee is using to access the network. This means limiting access to known devices that have security tools on them and that are up to date on patching. Once you have the device secured then you confirm the communication is secure. Using a VPN encrypts the traffic so that the data is secure. The final layer is verifying the end user. Multi-factor authentication is key here. Using a combination of username and password is not enough. You need to add some additional factor such as a one-time code or number matching system to verify the user.

What’s the regulatory front looking like when it comes to security?

J.P.: Resiliency has become the buzzword of late — meaning the ability to recover with minimal impact from as many potential situations as possible. The resilient financial institution has plans in place for every kind of cybersecurity scenario. They test those plans to make sure they are as thought-out as possible. They invest in MFA technology and protect access to critical information as well as personally identifiable information. This is one of the key ways you can prove to regulators that your organization is truly cybersecure and resilient. In the future, we expect their focus will continue in this area, as well as strengthening identity access management.