Recent cyberattacks have disrupted some of the world’s leading organizations, including drug companies, shipping firms, and even Britain’s National Health Service.

The intensity and success of these attacks make them among the most significant calls to action that other high-profile organizations, such as financial institutions (FIs), have ever faced. The malware involved doesn’t discriminate: it can hit any FI, at any time, wherever an unpatched machine is reachable. And while larger FIs are generally among the most sophisticated organizations when it comes to cybersecurity, smaller FIs are undoubtedly at risk.

But before broaching an internal conversation about security, network defenders and executives at smaller FIs who are seeking budget still have to level-set the expectations of shell-shocked peers, ask the right questions, and create a plan for the future.

  • What are your current tools, techniques, and procedures: The natural response from a CFO who has only read about security over the past several months is, ‘How do we fix our ransomware problem?’ Ransomware feels different from a breach in which intangible information was quietly copied and siphoned off; its cost is immediate and visible. I mean, the marketing guy just lost all of his PowerPoints. But whatever the outcome, each incident is a symptom of much more systemic failures. That means executives both inside and outside of IT must review the bank’s current tools, techniques, and procedures together. To start: 
    • Do employees reuse the same credentials for support systems (think HelpDesk) that they use for email or other business-critical applications? 
    • Are employees’ privileges limited on their machines, or do they run as local administrators? 
    • What’s our process for patching and updating software? Are those updates automatic? And, if so, on which devices?
    • What machines are backed up? How often? And are those backups kept on a separate, segmented network, so that a worm which reaches the workstations can’t reach the backups too? 

The list could go on. Maintaining the security of a corporation takes a multi-pronged approach -- policy, technologies and people, all working together. Remind the CFO: ransomware -- including the self-propagating worms he’s been reading about in the news -- is just a symptom of a much larger disease.

  • Craft the narrative; review the data: That data can be requests to the IT staff, logs of network or email traffic, or even information from the company’s web proxy. It shouldn’t be gleaned from Twitter (shout out, @SwiftOnSecurity).
    • If most of your data is coming from the helpdesk, you have a serious network-visibility problem: you are learning about incidents from their victims. 
    • If the logs are there, but no one is proactively identifying issues, you have a people-power problem. 
    • And if no one knows where to start, well, you’re in danger of going out of business.

Ultimately, ask: What is affecting us, and at what rate are potential threats being quashed? All this gets a bank’s security staff closer to asking for specific tools, such as security awareness training or new endpoint protection software. Outsourcing parts of your security, or moving to a hosted platform as simple as Google’s G Suite, might also make sense. 
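Taking the web-proxy suggestion above literally, here is an added example (mine, not code from the original article or from Javelin) that triages a handful of constructed Squid-style proxy log lines for the sort of thing a person should be proactively identifying: repeated blocked requests, connections to bare IP addresses, and executable downloads from domains outside the bank’s own. The log lines, the `.example-bank.com` allowlist, and the thresholds are all assumptions chosen for illustration.

```python
"""Triage a web-proxy log to answer "what is affecting us" before the helpdesk does."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed, Squid-style access log lines for the example only
# (timestamp, elapsed ms, client, result/status, bytes, method, URL).
SAMPLE_LOG = """\
1495000001.123   45 10.20.1.15 TCP_MISS/200 5123 GET http://www.example-bank.com/index.html
1495000002.456  102 10.20.1.15 TCP_MISS/200 90211 GET http://intranet.example-bank.com/policies.pdf
1495000003.789   12 10.20.1.42 TCP_DENIED/403 0 GET http://185.0.2.10/gate.php
1495000004.001   10 10.20.1.42 TCP_DENIED/403 0 GET http://185.0.2.10/gate.php
1495000005.222   11 10.20.1.42 TCP_DENIED/403 0 GET http://185.0.2.10/gate.php
1495000006.333  220 10.20.1.42 TCP_MISS/200 412000 GET http://cdn.example-files.net/invoice_scan.exe
1495000007.444   33 10.20.1.77 TCP_MISS/200 8800 GET http://mail.example-bank.com/owa/
1495000008.555   40 10.20.1.77 TCP_MISS/200 1209 POST http://mail.example-bank.com/owa/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Assumed allowlist of the bank's own domains; a real one comes from the asset inventory.
TRUSTED_SUFFIXES = (".example-bank.com",)
# File types that a user pulling from an untrusted domain should explain.
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".ps1")
# Assumed threshold: this many blocked requests from one client is worth a look.
DENIED_THRESHOLD = 3


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def is_ip_literal(host):
    """True for a dotted-quad host, a common sign of malware callbacks skipping DNS."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def triage(log_text):
    """Return {client_ip: [reasons]} for clients that deserve a proactive look."""
    denied = defaultdict(int)
    reasons = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line: skip, but a real job should count these
        client, host, url = rec["client"], rec["host"], rec["url"]
        trusted = host.endswith(TRUSTED_SUFFIXES)
        # 1. Repeated blocks: the proxy already said no; someone should ask why it keeps trying.
        if rec["result"].startswith("TCP_DENIED") or rec["status"] == 403:
            denied[client] += 1
            if denied[client] == DENIED_THRESHOLD:
                reasons[client].append(f"{DENIED_THRESHOLD}+ blocked requests, e.g. {url}")
        # 2. Bare IP destinations outside the allowlist.
        if not trusted and is_ip_literal(host):
            msg = f"request to bare IP {host}"
            if msg not in reasons[client]:
                reasons[client].append(msg)
        # 3. Successful executable download from an untrusted domain.
        path = urlsplit(url).path.lower()
        if not trusted and rec["status"] == 200 and path.endswith(EXECUTABLE_EXTS):
            reasons[client].append(f"executable download from {host}: {path.rsplit('/', 1)[-1]}")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in triage(SAMPLE_LOG).items():
        print(client)
        for reason in why:
            print("  -", reason)
```

Run against the constructed lines, only 10.20.1.42 is flagged, for all three reasons; the two clients that stayed on the bank’s own domains produce nothing. The point is not the specific rules, which any real deployment would tune, but that each flag comes from a log the bank already has, rather than from a user calling the helpdesk after the fact.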

  • What’s your bank’s cybersecurity disaster plan: Your office has a plan in case of a fire, but you might not have any long-term planning at the ready in case of a security incident. 

In the wake of the WannaCry attacks, automated teller machines overseas were shut down. In fact, roughly seven out of 10 ATMs in India didn’t work after the ransomware jammed up the devices, according to reports. Such dangers might be part of the reason why the FDIC recommended that banks create disaster plans for cybersecurity threats.

These responses to risk could take the form of a “business-continuity exercise,” the agency said in a “Supervisory Insights” issue published in the summer of 2015. Think of it like a fire drill, but for spear-phishing. 

Still, with every IoT disaster and widespread cyberattack, security experts are sure that boardrooms and executives atop large and small companies alike will finally take such threats seriously.

Yet machines go unpatched, and security, in many enterprises, remains an afterthought. At least innovations in cybercrime are making hard conversations about security easier to have.


About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 
