Banks hitting cyber resource problems

Technology and talent will become major hurdles for banks and payments firms as they continue to keep cybersecurity responsibility in-house, according to security consultants and market participants.

There is a significant lack of capable security practitioners available in the market today, said Andrew Retrum, managing director and US financial services security and privacy lead at Protiviti, over email. “The increase in cyber risks across all industries, visibility and focus at the senior leadership and board level, and related regulations all contribute to high demand for security resources. This far outweighs the current supply.”

James Richardson, head of market development at Bottomline Technologies, says that Tier 1 banks have become targets for criminals both because of the size of the payout for a hacker and because they are perceived as digital laggards.

“The irony in this is that Tier 1 banks probably have more people in their security operations than a challenger bank has within its whole organisation. But where their problems lie is in joining the different divisions together – you can have retail versus commercial versus operations and all of them using different systems. Cybercriminals are pretty well versed when it comes to getting in through the gaps.”

For Tim Coates, head of blockchain at Synechron, a challenge for those already working in bank security teams is in keeping up with the latest technology. “Most big financial institutions have both appointed, and trained, experts in these critical areas. The challenge for many is keeping abreast of the latest security best practices and ensuring they are innovating to stay ahead rather than simply to keep up. Banks will typically collaborate in closed forums for information sharing on this non-competitive topic.”

An August survey from US-based TD Bank found that 88 percent of those working in banks and major payments firms believe that their firms should continue to deploy in-house security technology, with half of that number believing their firms should invest in improving dedicated software and systems.

“Banks must maintain full accountability for any security breach, they will be the ones paying the fines and suffering the major reputational damage,” said Coates. “Not the external vendor. So, the banks typically take the view they’d rather rely on their own processes than a 3rd party.

“External vendors create and deploy their security standards and solutions across many firms. They inherently need to circulate information about this offering to some degree to win new business. If this falls into the wrong hands, then potential attackers know the scope of controls and what they need to break into. Much like a hotel with an important guest would not openly share the location of that person’s room.”

Richardson believes in-house security can be broken down. “It’s a rather broad statement,” he says. “There are some elements of security systems that probably sit better within the company and others that can benefit from being moved to a cloud-based offering.”

For Retrum, banks have traditionally taken a stance that they know their own environments best. “However, most forward-thinking banks have acknowledged the benefit of partners to bring innovative technologies or niche competencies to augment their existing teams.

“Banks and other financial institutions have more mature security programs relative to other industries. This is primarily due to the increased security risks faced within the industry, and the related regulations with which banks must comply. The maturity of individual programs is dependent upon a number of factors, including but not limited to, the amount of (vocal) support from the board of directors and senior leadership, and the long-term investments made in the program.”
