3 steps for achieving true cyber resilience in banking
In the third blog of our cybersecurity series, you’ll find out how your bank can continue building its defenses and improving cyber resilience with tips from CISO Brian Vlootman.
by Brian Vlootman
Introduction
Cybersecurity basics just don’t cut it anymore. Of course, that doesn’t mean they’re not important. But in order to achieve true cyber resilience — which IBM defines as “an organization's ability to prevent, withstand, and recover from cybersecurity incidents” — your bank will need to go a little deeper. And I’m here to help you figure out how.
In this blog, I’ll share 3 critical steps that will help your bank on your journey towards true cyber resilience. They’re not all-inclusive, of course, but they’re a great starting place for your bank, allowing you to continue building your defensive capabilities and establishing a framework for cybersecurity excellence.
1. Engineer for detection
The single most effective way to improve your cyber resilience is to detect a compromise as early as possible. Even the best defenses in the world will someday be breached, and as the saying goes, there are only two kinds of organizations: those that have been hacked and those that don't yet know they've been hacked.
One important metric to track is dwell time: the time between an attacker's initial compromise of your systems and the moment you detect it. We've come a long way in recent years, as this number used to be measured in months. Thankfully, across the finance industry it is now measured in weeks, according to a 2024 report from Mandiant. But don't get complacent. Keep building your detection capabilities so that, when it happens to you, you can respond quickly and effectively, and measure your own dwell time in exercises rather than waiting for an incident to reveal it.
With that in mind, cyber resilience goes beyond avoiding application vulnerabilities. To become secure by design (the topic of my next blog), you need to understand how a solution is used in production and what "normal" looks like: which users call which functions, at what volume, from where, and under what business justification. Only then can you make sure the application logs the data you need to build actionable alerts. Retrofitting this after the solution is already running is rarely effective, because the fields you need were never recorded in the first place. The application itself has the best context to flag abnormal behavior: a network sensor can see that a workstation queried the customer database, but only the application knows that a relationship manager viewed 40 accounts with no open case against any of them. So you'll get the most actionable alerts by starting detection engineering the moment you design the software. But let's come back to that in the follow-up blog.
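As an added example (not the author's code, nor that of any product mentioned in this series), here is what application-side detection of the kind described above can look like in Python. The log format, user names, account numbers, case references and thresholds are all constructed for the demonstration. The point to take from it is that the `case_ref` field, which the application knows and a network sensor never sees, is what turns a bulk read into an alert with business context, while the per-user baseline catches the change in volume.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed anchor time for the made-up log: five hours of history followed
# by the hour under test.
T0 = datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc)
CURRENT_HOUR = T0 + timedelta(hours=5)


def _event(ts, user, account, case_ref, src_ip="10.20.4.15"):
    """One audit line as a (hypothetical) banking application would emit it."""
    return json.dumps({
        "ts": ts.isoformat(),
        "event": "account.view",
        "user": user,
        "account": account,
        "case_ref": case_ref,  # None when no open case justified the view
        "src_ip": src_ip,
    })


def constructed_log_lines():
    """Five hours of routine behaviour for two staff users, then one hour in
    which "rm-17" enumerates 40 accounts with no case behind any of them."""
    lines = []
    for hour in range(5):
        base = T0 + timedelta(hours=hour)
        for i in range(3):
            lines.append(_event(base + timedelta(minutes=10 * i), "rm-17",
                                f"ACC-{1000 + hour * 3 + i}", f"CASE-R{hour}{i}"))
        for i in range(6):
            lines.append(_event(base + timedelta(minutes=7 * i), "teller-04",
                                f"ACC-{2000 + hour * 6 + i}", f"CASE-T{hour}{i}"))
    for i in range(40):
        lines.append(_event(CURRENT_HOUR + timedelta(minutes=i), "rm-17",
                            f"ACC-{5000 + i}", None))
    for i in range(6):
        lines.append(_event(CURRENT_HOUR + timedelta(minutes=8 * i), "teller-04",
                            f"ACC-{2100 + i}", f"CASE-T5{i}"))
    return lines


def parse(lines):
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def hourly_distinct_accounts(events):
    """user -> hour bucket -> set of accounts viewed in that hour."""
    buckets = defaultdict(lambda: defaultdict(set))
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[e["user"]][hour].add(e["account"])
    return buckets


def build_baseline(events, before):
    """Per-user (mean, stdev) of distinct accounts viewed per hour, computed
    only from events before `before`, so the window under test cannot shift
    its own baseline."""
    baseline = {}
    history = [e for e in events if e["ts"] < before]
    for user, hours in hourly_distinct_accounts(history).items():
        counts = [len(accounts) for accounts in hours.values()]
        baseline[user] = (statistics.fmean(counts), statistics.pstdev(counts))
    return baseline


def detect(events, baseline, window_start, z=3.0, floor=5):
    """Two detections only the application has the context to make:
    'volume'  - distinct accounts per hour above mean + z*stdev, and above an
                absolute floor so a user who normally views one account does
                not alert on viewing two;
    'no_case' - account views the application could not tie to an open case."""
    alerts = []
    current = [e for e in events if e["ts"] >= window_start]
    for user, hours in hourly_distinct_accounts(current).items():
        mean, stdev = baseline.get(user, (0.0, 0.0))
        for hour, accounts in hours.items():
            if len(accounts) > max(floor, mean + z * stdev):
                alerts.append({"rule": "volume", "user": user,
                               "hour": hour.isoformat(),
                               "distinct_accounts": len(accounts),
                               "baseline_mean": round(mean, 2)})
    views_without_case = defaultdict(int)
    for e in current:
        if e["case_ref"] is None:
            views_without_case[e["user"]] += 1
    for user, n in views_without_case.items():
        alerts.append({"rule": "no_case", "user": user, "views_without_case": n})
    return alerts


def run():
    events = parse(constructed_log_lines())
    baseline = build_baseline(events, CURRENT_HOUR)
    return detect(events, baseline, CURRENT_HOUR)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the constructed data, `run()` returns two alerts, both for `rm-17`: a volume alert (40 distinct accounts against a baseline mean of 3) and a no-case alert (40 views with no case reference). `teller-04`, who views six accounts an hour every hour, never alerts. Note that the no-case rule needs nothing but the field the application chose to log; that is the design-time decision the post is arguing for.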
2. Reduce the blast radius
When it comes to cyber resilience, it pays to assume you will be compromised. If you put yourself in an attacker's shoes and think about what they can do once they hold one component, you'll stand a much better chance when you're eventually under attack. Unfortunately, in most environments the mindset is focused only on keeping attackers out, so there are very few restrictions on the internal network. To put it simply, once one component is compromised, the others usually fall shortly after.
It will go a long way if you restrict every component so that it can reach another component only when there's a legitimate reason for that connection: deny by default, then allow the specific source, destination and port each integration needs. Apply the same thinking to identity, and make sure applications don't connect to databases, queues or APIs with more privileges than they strictly need. That makes it much harder for an attacker to operate in your environment without being spotted.
In doing so, you significantly reduce the "blast radius" of an attack and make it easier to catch the attacker early on. If you get a high-fidelity alert about a network policy violation, that's a strong indicator that something bad is going on. Provided the allowlist was built from real, legitimate traffic (if it wasn't, the first weeks will be spent chasing broken integrations rather than attackers), these alerts produce few false positives, so don't hesitate to get your Chief Information Security Officer (CISO) involved, as these cases can be extremely serious.
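To make the blast-radius idea concrete, here is an added Python example (not the author's code, and not any bank's real topology). The component names, the allowlist and the flow records are constructed for the demonstration. The script computes what an attacker who has compromised the web portal can reach under a flat internal network versus an explicit allowlist, and reports which observed flows violate the allowlist, which is the high-fidelity alert described above.

```python
from collections import deque

# Constructed component inventory for a hypothetical retail bank.
COMPONENTS = ["web-portal", "api-gateway", "accounts-svc", "payments-svc",
              "core-db", "hsm-proxy", "batch-jobs", "monitoring"]

# Allowlist of (source, destination, port). Anything not listed is denied.
# Port None means "any port" and is used only by the flat policy below.
ALLOW = frozenset({
    ("web-portal", "api-gateway", 443),
    ("api-gateway", "accounts-svc", 8443),
    ("api-gateway", "payments-svc", 8443),
    ("accounts-svc", "core-db", 5432),
    ("payments-svc", "core-db", 5432),
    ("payments-svc", "hsm-proxy", 9000),
    ("batch-jobs", "core-db", 5432),
} | {("monitoring", c, 9100) for c in COMPONENTS if c != "monitoring"})


def flat_policy(components=COMPONENTS):
    """The 'keep attackers out' network: no internal restrictions at all."""
    return frozenset((s, d, None) for s in components for d in components if s != d)


def permits(policy, src, dst, port):
    return (src, dst, port) in policy or (src, dst, None) in policy


def blast_radius(start, policy):
    """Components an attacker holding `start` can reach by chaining allowed
    connections. Ports are ignored on purpose: every allowed path is attack
    surface, whether or not the service behind it is exploitable today."""
    edges = {(s, d) for s, d, _ in policy}
    reached, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for s, d in edges:
            if s == cur and d not in reached:
                reached.add(d)
                queue.append(d)
    reached.discard(start)
    return sorted(reached)


def violations(flows, policy):
    """Flow records (src, dst, port) that no rule permits. Under an allowlist
    each of these is a high-fidelity alert; under a flat policy the list is
    always empty, which is exactly why a flat network gives defenders nothing."""
    return [f for f in flows if not permits(policy, *f)]


# Constructed flow records, as a firewall or service mesh might log them.
FLOWS = [
    ("web-portal", "api-gateway", 443),     # normal
    ("api-gateway", "accounts-svc", 8443),  # normal
    ("monitoring", "core-db", 9100),        # normal metrics scrape
    ("web-portal", "core-db", 5432),        # the portal must never reach the DB
    ("accounts-svc", "batch-jobs", 22),     # SSH between services: lateral move
]


def report(start="web-portal"):
    """Compare the two network designs from the same starting compromise."""
    return {
        "flat_reach": blast_radius(start, flat_policy()),
        "allowlist_reach": blast_radius(start, ALLOW),
        "flat_violations": violations(FLOWS, flat_policy()),
        "allowlist_violations": violations(FLOWS, ALLOW),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the flat policy, a compromised web portal can reach all seven other components and none of the recorded flows is a violation, so the defenders get no signal at all. With the allowlist, the same compromise reaches only the five components on the portal's legitimate call chain, and the two suspicious flows (portal to database, service to service over SSH) surface immediately as violations. Run `blast_radius` from each component in your own inventory and look hard at any result that includes the core database or the HSM.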
3. Build a defensible security architecture
On a similar note, put up as many barriers as you can within your banking systems so that an attacker cannot operate in your network without restriction. The goal is to make it easy for the defenders to spot an attacker while making every step harder for the attacker. Remember that the entry point they compromised is rarely their real objective: a single compromised system can be a gateway to systems that are far more valuable to them, so be careful before declaring an attack over. In some cases, the initial intrusion is only the beginning. We need to accept that we are continuously under attack, which makes it especially important to think ahead about how to set up our environment so that threats are eliminated or contained.
And believe me, the consequences of not planning ahead can be serious. Consider the 2017 Equifax breach, which affected 147 million people, nearly half of the U.S. population, making it one of the biggest data breaches of all time. Attackers got in through an unpatched vulnerability in a consumer-facing web portal; because Equifax had not segmented its environment, they could then move on to multiple other servers and databases. This significantly widened the breach, leading to the theft of sensitive data, including Social Security numbers and credit card numbers.
On the other hand, if you assume you'll be infiltrated and put a defensible security architecture in place, your bank stands a good chance of stopping the attack from spreading and minimizing the impact of the incident. In a restricted environment, attackers can only do so much: they can't move around with impunity, which gives you a fighting chance of keeping the damage to a minimum. Implementing zero-trust principles (every connection authenticated and authorized, nothing trusted simply because of where it sits on the network) limits what a breach can reach, and because unexpected traffic is no longer "normal", it also lets you detect intrusions more quickly when they occur. Finally, consider using AI or statistical anomaly detection to complement your detection controls: it can learn what normal behavior looks like and alert you when a user or system goes beyond it. Treat those alerts as a complement to deterministic controls such as network policy, not a replacement, since a learned baseline can be taught to accept slow-moving abuse.
Boosting cyber resilience with a platform model
I hate to break it to you, but no legacy system in the world can give your bank true cyber resilience. These outdated, siloed systems weren't built for the kinds of threat we're seeing today, and they leave plenty of gaps for attackers to exploit. Keep in mind that it only takes one gap, and you can never patch them all, which is why you need an architecture that contains a breach rather than one that merely hopes to prevent it. Luckily, there's plenty of modern technology out there to combat attackers, but legacy systems simply aren't up to the task. The good news is that there is a way to build cyber resilience while rapidly modernizing your bank's tech infrastructure and overhauling the customer experience.
In the final blog in this series, I'll explain the virtues of a unified platform model and show how boosting cyber resilience and rapid tech modernization can go hand in hand. Check it out to find out how to take a giant leap towards shoring up your bank's defenses.