3 tips for improving your bank’s cybersecurity
In the second blog of our cybersecurity series, you’ll learn how developing a system for education and incident response can bolster your bank’s cyber defenses with tips from CISO Brian Vlootman.
by Brian Vlootman
Introduction
Unfortunately, no matter what protections you put in place, there is no way for your bank to prevent every cyberattack.
As I established in the first blog in this series, cyberattacks are getting increasingly sophisticated, thanks in large part to generative AI, which makes it practically effortless to assume a convincing fake persona in text, voice or video. That means the defenses that worked for your bank in the past may not work in the future, and you need to be prepared.
But how do you get started and what things should you be paying attention to? In this blog, I’ll share 3 key tips for improving your bank’s cybersecurity, which will allow you to create a solid foundation for your journey towards true cyber resilience.
1. Boost security awareness
Proper training is essential, not only for your internal staff, but your bank’s end-users, as well. Never underestimate how important security awareness is. It can make all the difference when, for example, a customer receives a fraudulent call from someone who claims to work for the bank.
Remember that people remain the most targeted attack surface in any cybersecurity program, and the data backs this up. According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involved a non-malicious human element, such as someone falling for phishing or social engineering, which is why education is key. As a bank, you can position this training as valuable advice that your customers can practice in their day-to-day lives to protect their privacy and their sensitive information.
Unfortunately, training isn't enough on its own. In the end, your bank's end-users are just trying to accomplish a task, and when a convincing impersonation gets through, the technology has failed them. That's why you'll also want to invest in tooling that can flag AI-generated content and that builds a baseline of each end-user's normal behavior: the devices and networks they use, the hours they are active and the size of the transactions they usually make. With that kind of behavioral intelligence, you can separate legitimate activity from suspicious activity and act on the signal, for example by stepping up authentication before an unusually large transfer from a never-seen device.
2. Minimize credential/token theft
Although cybercriminals now have access to a wealth of cutting-edge tech, their methods of attack often aren't that sophisticated, and credential and token theft remain the main ways to take over an account or otherwise compromise your banking systems. With an estimated 22.62 billion credentials stolen in 2022 alone, according to Flashpoint, the odds that your bank's customers could be targeted are probably higher than you might expect.
To put it simply, we can do better as an industry. The new standard is passwordless, phishing-resistant authentication, such as the FIDO2/WebAuthn passkeys defined by the Fast Identity Online (FIDO) Alliance, which not only improves your bank's security but also provides a superior user experience. Maybe it isn't possible for you to move every user to it at once, and that's understandable. But if you can transition 80% of your end-users to a passwordless model, you'll significantly reduce your attack surface and the risk of compromised credentials. Just make sure the fallback paths (password reset, one-time codes sent by SMS or email) don't quietly reintroduce the phishable credential you removed.
And to touch on a related issue, mere possession of an access token should never be enough to perform a sensitive action. Bearer tokens are exactly that: whoever holds one can use it. You should consider adopting the standards for sender-constrained tokens, particularly OAuth 2.0 Demonstrating Proof of Possession (DPoP, RFC 9449). With DPoP the client signs a short-lived proof for every request with a private key it holds, and the access token itself records the thumbprint of that key, so a token stolen from a log, a proxy or a compromised browser is useless without the key. Keep the key in hardware-backed storage and the token is effectively bound to that device, which also gives your authorization decisions a much stronger signal about who is really calling.
3. Mitigate supply-chain risk
The question you need to ask yourself is: how far can you trust your external vendors? It's important that they not only understand the tech they're using, but that they can also properly secure it. So, when you're establishing a relationship with a new vendor, ask whether they have a robust, secure-by-design software development lifecycle (SDLC), how quickly they can detect that they have been breached, and how they would notify you. A few basic, up-front questions can go a long way here, and even asking about their approach to zero-trust principles helps you benchmark whether they take security seriously.
To truly mitigate the supply-chain risk to your bank, you'll also want to move beyond security questionnaires. When working with vendors and solution providers, banks typically send questionnaires that run to hundreds of questions, take days to complete and even longer to review. They are not a good use of anyone's time, and they are not effective in combating security threats, because the answers describe a moment in time: what's true today may not be true tomorrow. Questionnaires are so time-consuming, in fact, that they've given birth to an entirely new industry, security questionnaires-as-a-service, which is a pretty clear indicator that they're not a smart way of working.
Instead, I'd recommend using your resources to gain a deeper understanding of what each component or integration actually does, what data each vendor has access to, and what normal vendor behavior looks like. Be proactive, and remember that trust is not enough. You need active measures you can control, and few banks out there are doing this. Threat modeling each integration and building detection around it can go a long way towards protecting you from attacks on the supply chain.
So work alongside your bank's providers to establish transparency, but also put monitoring and detection processes in place. You may have a good relationship with a vendor, but do you know every company they in turn work with? Probably not, and that's why you need to be prepared. The "domino effect" is very real in cybersecurity: a single breach somewhere down your supply chain can have a massive impact on your banking systems, so don't take these things lightly.
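As an added example, not code from the original post, the following Node.js script builds a behavioral baseline from a vendor integration's API access logs and scores new traffic against it. It also serves the earlier point about behavioral intelligence for end-users, since the same baseline-and-deviation logic applies to customer sessions (device, location, hour, transfer size). The log format, vendor name, addresses, endpoints and scoring weights are all constructed for the demonstration.

```javascript
// Added example (not code from the original post): build a per-vendor
// behavioral baseline from constructed access logs and score new events.
// Log format, vendor, addresses and weights are invented for the demo.
const LINE_RE = /^(\S+) vendor=(\S+) src=(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: new Date(m[1]), vendor: m[2], src: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// /v1/customers/123/kyc and /v1/customers/456/kyc are the same endpoint.
const endpointKey = (e) => `${e.method} ${e.path.replace(/\/\d+(?=\/|$)/g, '/{id}')}`;
const network24 = (ip) => ip.split('.').slice(0, 3).join('.') + '.0/24';
const hourBucket = (ts) => ts.toISOString().slice(0, 13);

// Baseline per vendor: endpoints used, source networks, active hours (UTC)
// and the busiest hour ever seen.
function buildBaseline(lines) {
  const base = {};
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!base[e.vendor]) base[e.vendor] = { endpoints: new Set(), networks: new Set(), hours: new Set(), perHour: new Map() };
    const b = base[e.vendor];
    b.endpoints.add(endpointKey(e));
    b.networks.add(network24(e.src));
    b.hours.add(e.ts.getUTCHours());
    b.perHour.set(hourBucket(e.ts), (b.perHour.get(hourBucket(e.ts)) || 0) + 1);
  }
  for (const b of Object.values(base)) b.maxPerHour = Math.max(...b.perHour.values());
  return base;
}

// Score one event. countThisHour = requests by this vendor in the current
// hour bucket, including this one. Weights are illustrative.
function scoreEvent(base, e, countThisHour) {
  const b = base[e.vendor];
  if (!b) return { score: 5, alert: true, reasons: [`unknown vendor ${e.vendor}`] };
  let score = 0;
  const reasons = [];
  const add = (points, why) => { score += points; reasons.push(why); };
  if (!b.endpoints.has(endpointKey(e))) add(3, `never-seen endpoint ${endpointKey(e)}`);
  if (!b.networks.has(network24(e.src))) add(2, `new source network ${network24(e.src)}`);
  if (!b.hours.has(e.ts.getUTCHours())) add(1, `outside usual hours (${e.ts.getUTCHours()}:00 UTC)`);
  if (countThisHour > 2 * b.maxPerHour) add(3, `volume ${countThisHour}/h vs baseline max ${b.maxPerHour}/h`);
  return { score, alert: score >= 3, reasons };
}

// Score a batch of new log lines in order, tracking per-vendor hourly volume.
function scoreBatch(base, lines) {
  const counts = new Map();
  const out = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const key = `${e.vendor}|${hourBucket(e.ts)}`;
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    out.push({ line, ...scoreEvent(base, e, n) });
  }
  return out;
}

// Constructed history: one KYC vendor, business hours, two known hosts,
// never more than three calls in an hour.
const HISTORY = [
  '2024-05-01T09:12:03Z vendor=acme-kyc src=203.0.113.10 GET /v1/customers/123/kyc 200',
  '2024-05-01T09:40:11Z vendor=acme-kyc src=203.0.113.10 POST /v1/customers/123/kyc 201',
  '2024-05-01T10:02:45Z vendor=acme-kyc src=203.0.113.11 GET /v1/customers/456/kyc 200',
  '2024-05-01T11:15:09Z vendor=acme-kyc src=203.0.113.10 GET /v1/customers/789/kyc 200',
  '2024-05-01T11:20:30Z vendor=acme-kyc src=203.0.113.10 GET /v1/customers/790/kyc 200',
  '2024-05-01T11:48:52Z vendor=acme-kyc src=203.0.113.11 POST /v1/customers/790/kyc 201',
  '2024-05-02T14:05:00Z vendor=acme-kyc src=203.0.113.10 GET /v1/customers/801/kyc 404',
  '2024-05-02T16:30:00Z vendor=acme-kyc src=203.0.113.11 GET /v1/customers/802/kyc 200',
];

// Constructed new traffic: one normal call, one off-hours call from a new
// network to an endpoint this vendor never used, then a burst of seven
// otherwise normal calls inside a single hour.
const NEW_LINES = [
  '2024-05-06T10:05:00Z vendor=acme-kyc src=203.0.113.12 GET /v1/customers/777/kyc 200',
  '2024-05-06T02:14:00Z vendor=acme-kyc src=198.51.100.7 GET /v1/customers/777/statements 200',
  ...Array.from({ length: 7 }, (_, i) =>
    `2024-05-06T11:0${i}:00Z vendor=acme-kyc src=203.0.113.10 GET /v1/customers/${900 + i}/kyc 200`),
];

function runDemo() {
  return scoreBatch(buildBaseline(HISTORY), NEW_LINES);
}

for (const r of runDemo()) if (r.alert) console.log(r.score, r.line, r.reasons);
```

The off-hours call trips three checks at once (new endpoint, new network, unusual hour), which is the kind of compound deviation worth paging on; the burst only alerts once it exceeds twice the vendor's historical peak, so a busy but normal day stays quiet. In production the baseline would be rebuilt on a rolling window and the weights tuned per vendor, but the shape of the logic is the same.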
Boosting your bank’s cyber resilience
On top of these basics, you'll also need to build cyber resilience, so that your bank can continue operating effectively even during a cybersecurity crisis. In the next blog in this series, I'll share 3 key steps to help you pull this off, building on the foundation you've laid here to further improve your bank's overall cyber resilience.