There’s no better way to describe the current state of cybersecurity than to use the words of FBI Director James Comey: “There are two kinds of big companies in the United States—those who’ve been hacked, and those who don’t know they’ve been hacked.” This certainly holds true for financial services institutions. Although all large corporations are vulnerable to cyberattacks, the banking sector leads the way, with almost 20% of all targeted attacks.
Although banks are spending more and more on intrusion detection and prevention, most don’t spend enough time preparing for the inevitable attack. According to a recent study from NTT Group Security, 74% of large organizations do not have a formal incident response plan. That means three out of four companies are not equipped to manage the fallout from a cyberattack.
So, what can companies do to properly prepare themselves? Based on our experience helping many of the largest financial service organizations in North America combat this threat, we advocate a three-step approach: prevent, prepare, and respond.
The first thing to understand is that you don’t have to go it alone. Managed security services providers offer security monitoring, device management, and global threat services that can augment what your internal security team is doing.
In addition to seeking appropriate outside help, you should be aware of security best practices:
- Third-party management. Banks must pay particular attention to third parties. Self-certification is no longer the answer. You’re as responsible for their security processes as they are.
- Segmentation. Too many institutions have a “flat” infrastructure that makes it easier for a hacker to work across the environment. Segment the network so that critical data and systems are effectively segregated.
- Patch updates. Sounds simple, but many identified attacks could have been thwarted had vulnerability management programs been current. Over the past year, more than half of successful breaches were against vulnerabilities that were more than two years old.
Even while doing everything possible to keep intruders at bay, companies should be preparing for an intrusion. Breach response teams (BRTs) need to be formed and mobilized, and breach response plans (BRPs) should be created and tested, much the same as disaster recovery (DR) or business continuity (BCP) plans.
A breach has happened: what are you going to do? Enact your response plan, of course. Every effective BRP has some variation of the following:
- Contain. Stop the exposure, assess the impact, notify the appropriate law enforcement and regulatory parties, and preserve the evidence.
- Respond. Once the exposure has been identified and remediated, normal business systems should return to full operations with heightened security awareness. Communication is key at this point; it requires a high level of coordination with customers, employees, the media, government, and regulatory agencies.
- Remediate. First and foremost, make your customers whole. Whether it’s through new cards, free credit monitoring, or fee refunds, you must regain the trust of your customers.
- Post-breach activities. Modify the BRTs and BRPs based on the incident and your response. These are iterative processes (hopefully not too many iterations), and every lesson taken from the breach must be incorporated into the baseline for future prevention, preparation, and response.
No company wants to deal with the painful and costly ramifications of a breach, but focusing all your efforts on prevention means you’ll be unprepared if an attack occurs. Continue to do your utmost to prevent attacks, but be sure to invest in a robust response plan to minimize the damage if/when the worst happens.