It’s common knowledge that threat actors target banks. These attackers may want to steal money directly, but in doing so they also hit the bank’s customers and erode trust in the bank. If a financial institution suffers a loss, even insurance can only go so far to minimize the actual cost to the organization. The cost gets shared and passed on to each stakeholder, and the business model becomes untenable. With the need for security and privacy becoming more apparent, it is up to you to think about how you can improve your financial services cybersecurity posture.
Of course, there are cybersecurity requirements for financial service companies and cyber laws related to banking to ensure the end consumer does not suffer the brunt of the cost when everything is said and done. But banking cybersecurity regulations are not enough. Why? Because even though data may be our most valuable currency today, money is still the next best currency. It’s tangible, it’s needed for trade and without it life comes to a crashing halt. You’ve heard it before and you are going to keep on hearing it: financial cybersecurity is all about risk management.
The Tough Questions for Financial Services Cybersecurity
When it comes to financial services cybersecurity, like any other security, you need to be honest with yourself. You can rely on outside help, but like any improvement, you need to begin and end from within. Before you begin any type of self-assessment, you need to ask yourself these three questions:
- Are you really willing to change what you’ve been doing?
- Can you think of a better strategy or idea than the status quo?
- Can you execute on your chosen solution?
These three questions are core to how you will manage your cybersecurity challenges. For the purposes of this exercise, let’s assume you truthfully answer yes to all three questions. What are the next steps?
Here are five questions that can help guide you. The beauty of these questions is that they are not temporal, so even as financial services cybersecurity evolves, you can ask yourself these questions on a regular basis and they will still apply. They’re also useful questions to bring up at each quarterly board of directors meeting.
Moreover, the questions are designed to be answered in a very simple yes/no format. You can make your own decision about what a good score is — remember, it’s all about risk management — but a friendly note: if you are not hitting five out of five, you may have some work to do. And remember, you’re only cheating yourself if you are not being sincere about these answers.
Question 1: Do We Have a Genuine Understanding of Our Risk Posture?
On the surface, this question seems easy to answer. It’s not. Knowing your risk posture means you have made a thorough assessment, and this is not exactly the easiest task. If you do not have the best knowledge of current and future cyber threats, this is where you may need some outside help. Don’t try to fake this, because it’s the key need for financial services cybersecurity. This is just a very short list of the types of questions that need to be asked:
- Are you a target for nation-state actors?
- Are you aware of who is bashing on your network?
- Are you at risk of falling out of compliance with the law or regulatory bodies?
- Do you know where your data is?
- Are you thinking about data management through the entire lifecycle?
- Do you have supply chain issues?
There are so many questions here. If you’re not sure where to start, get some outside help to at least point your boat in the right direction.
Even if you have the smallest doubts, score a ‘no’ here.
Question 2: Are We Stress-Testing Our System Often?
Risk assessments and pen tests are coming down in price. In some cases, depending on how complex the work is, these services are reaching commodity pricing. You must do this work on a regular basis. Depending on the type of data you are holding (in the case of financial services cybersecurity, money) and the amount of risk you are willing to take on, risk assessments on a quarterly basis are helpful. This is even more relevant if you can get them done at a good price.
Depending on the size, structure and complexity of your business and the data you hold, you may want to retain an outside firm to conduct ongoing pen tests. (This would likely be reserved for the larger enterprises.) Or, you could set up regular tests, such as every six months. Modern-day reliance on tech makes these tasks mandatory. Treat them as a way to maintain good cyber hygiene.
It’s tough to score a ‘yes’ here, but if you do, good on you!
Question 3: Is Our System Capable of Meeting Today’s Challenges and Adaptable to Tomorrow’s?
Don’t be fooled: what is good enough for today may become obsolete tomorrow. Therefore, be ready to adapt.
The best way to ensure you are meeting today’s needs and ready for tomorrow’s is to take a security-by-design approach. NIST SP 800-160, which applies to general security as well as financial services cybersecurity, gives you a great road map of the issues you need to think about when designing your system.
Keep in mind, as we further progress into a mobile-heavy work environment, the threats and risks are changing. The impact of a breach can become that much more profound.
If you’re good for today, but not ready for the near term (think next couple of years), score a ‘no’ to be safe.
Question 4: Do We Have a Truly Security-Minded Culture?
You can say you do, but do you really? Some could argue a security-minded culture may teeter on paranoia. But is it really paranoia when it’s really happening? Our online behavior is changing, ever evolving, and quite reliant on being connected. For this reason alone, you need that culture to drive financial services cybersecurity. Monitoring and next-generation tools, such as artificial intelligence, will take you far in your security battle, but your backbone will always be your people.
If your people are buying in, you’re in a good spot. A couple of semi-annual or annual training courses and phishing attempts are not enough. Your people need to understand why a culture of security is not just critical to the organization’s cybersecurity success, but overall success.
If that why question hasn’t been answered throughout your leadership, employees and even third parties, score yourself a ‘no’ here.
Question 5: Are the Right Resources, Human and Financial, in Place for Success?
Money can solve a lot of issues and get you a whole bunch of great toys. But, if you don’t have the right people, you’re going to have a roadblock that, at best, slows you down and, at worst, derails the best-laid plans.
As noted in question 4, you need to make sure the message of good financial services cybersecurity is being conveyed across your entire stakeholder group. It must be appropriately communicated throughout the organization, small or large. To be more specific, you need talent that has that sweet spot mix of business, tech and interpersonal skills. It is very hard to find these people, so once you get them, make sure you don’t lose them. They are hard to replace, and they are your champions.
Don’t be discouraged by this step. Given the demands of the job and the competing challenges for finances, many of you may answer ‘no’ here. All that means is it’s just something you have to work on. Remember to come full circle and go back to question 1: is your risk assessment giving you an accurate representation of what you’re facing? If it’s not, everything else you do downstream will be impacted. You don’t need that.
It’s Okay to Score Less than Five Out of Five
Getting five ‘yes’ answers here is no small achievement. In fact, if you are being sincere and honest, it is very hard. Remember, there is no such thing as perfect or total security, including in financial services cybersecurity. Primarily, these five questions will give you a quick snapshot of where you need to focus your efforts.
Perhaps more importantly, the five questions outline important markers you can discuss with all your stakeholders. You do not need to be a tech whiz to understand the implications of a ‘yes’ or ‘no’ answer to these questions. They’re reality checks that you can bring up with the decision makers in your organization. Moreover, they serve as springboards to get into deeper conversations.
For example, if you scored a ‘no’ on question 4, it’s time for a serious discussion on how to better communicate your security intentions to your organization. Some of this comes down to human nature: people want to know what’s going on. If you make them a part of the discussion, or at least get them to understand why something needs to be done with some level of specificity, they’re more likely to go along.
Or say you score ‘no’ to the second question. This is the perfect time to bring up annual budgets with decision makers. Explain to them why a lack of investment in these tasks today may just be a deferral of a much bigger cost tomorrow.
Next Steps for Financial Services Cybersecurity
The self-assessment is designed to give you the 30,000-foot view of your risk posture when it comes to financial services cybersecurity and beyond. An honest assessment won’t solve all your problems, but it sure will put you on a good path to solving them. There’s one important caveat: it only works if you answered ‘yes’ to the first three questions, the ones posed before the self-assessment. These are the gut check questions to ensure you’re serious about whatever comes next.
Kill the noise and get to problem solving. The K.I.S.S. method works, especially when your challenges are so complex.