Cybersecurity is hard. The odds are against you from the beginning: defenders have to get everything right 100% of the time, while attackers need only one lucky shot. Cybersecurity in banking is even harder. Cybercrime is a business, and cybercriminals are usually motivated by money. This brings us back to notorious bank robber Willie Sutton who, when asked why he robbed banks, simply replied, “Because that’s where the money is.”
The criminals will try to steal money directly and through fraud. They will try to extort money by encrypting critical parts of your network, holding it hostage, stealing sensitive data — such as employee or customer data — and threatening to publish and sell the data if you do not pay a ransom. Smaller and mid-size banks are as much of a target as any because the criminals know they usually have fewer resources for cyber defense.
Even worse, cybersecurity is not a static problem that can be fixed, like a technical glitch such as Y2K; instead, it is more like warfare where an active adversary is continuously attacking and every time you implement new defenses, they counter by adapting, changing tactics and finding another way to circumvent those defenses. This means there is no such thing as being completely secure — ever. Even really good security is not permanent because what is effective today will likely not be effective in a month, six months or a year from now.
I apologize that this is not a pleasant “feel good” message, but it is the reality. The only way we can fulfill our responsibilities to our customers, employees and organizations is by having a realistic understanding of the challenges we face, because there are many things that can be done to become much harder and more resilient targets.
In my role as breach counsel, I have advised on thousands of cyber incidents and hundreds of ransomware attacks over my career. Seeing the overall process from that detached, strategic vantage point has shown me several things that organizations could have done differently to avoid those situations. These observations are not a regurgitation of a standard “Top 10” list of security controls; because those lists are readily available, I will try to avoid the items typically included in them. Nor are these observations intended to replace or minimize the importance of those controls or other technical processes and tools, because those are absolutely essential. On the contrary, they are intended to augment or restate them from a different perspective than sometimes comes from the more technically focused security professionals.
- Cybersecurity requires an ongoing and continuous process. Cybercriminals are continuously adapting and changing their tactics. The only way to defend is to have an ongoing process that is evolving and maturing with them.
- Risk assessments are essential. Every organization’s risks are unique and depend on a multitude of different factors. Because you cannot protect against what you do not know, you must have an understanding of your unique risks, not only from a technical standpoint but also from an overall organizational risk perspective. This risk assessment is essential for prioritizing mitigation efforts.
- Data governance is critical. Your objective includes protecting customer data. This means you must know what customer data you have, not collect or maintain more than is needed, and when you no longer need it, securely archive or dispose of it. Data equals risk. If you want to reduce that risk, reduce the data you have available to criminals. The same principles apply to employee data and other forms of sensitive data.
- Cybersecurity, and especially compliance, is a legal issue that requires a thorough understanding of the laws and regulations that are applicable to your organization. Do not forget about your contracts. Many organizations have far more “laws” governing them through their contracts than from any other source.
- Your organizational risk assessment should include third parties you rely on for services or that have your sensitive data. As the Colonial Pipeline attack showed, a successful attack on one provider in the energy sector disrupted all of the organizations relying on its services. The same thing just occurred with the attack on Change Healthcare, which impacted all of the organizations relying on its services. The financial services sector is due for a similar attack. What service providers does your organization depend on, and how will you continue to operate if something were to happen to them?
- Your organization must have a team-oriented approach to managing cyber risk, both internally and externally (with the partners you rely on or will rely on if you have an incident). Cyber risk is an overall organizational risk, not just an “IT risk,” and your team’s different perspectives are invaluable. At a minimum, your team should include members who focus on information security, information technology, legal, compliance, privacy, audit, risk, operations, human resources and communications. For smaller organizations, one person may fulfill many of those roles, and that is when having external partners with specific expertise can be very beneficial.
Shawn Tuma is an attorney widely recognized in data privacy and cybersecurity law, areas in which he has practiced for over 25 years. He is co-chair of the Data Privacy & Cybersecurity practice group at Spencer Fane LLP and works with clients across the U.S. Shawn can be reached at stuma@spencerfane.com or (972) 324-0317.