We all know that every company in every industry faces the prospect of a cyberattack that poses a threat to their data security. And we all know that the likelihood of an attack — ever more sophisticated attacks, too — is growing every day. Banks, of course, are high-value targets for cybercriminals: one, they gather and manage tremendous amounts of customer personal data, and two, in the event of a ransomware attack, banks have the wherewithal to meet a cybercriminal’s ransom demands.
The epic problem that cybercrime poses to banks, and their customers, couldn’t have been made more clear than by an article I read (and you probably did, too) just a week or so ago in American Banker. The article reported on the 10 biggest financial data breaches of 2022. This year, apparently (and frighteningly), the number of consumer records leaked in breaches globally exceeded 254 million, 9.5 million of which were reported by U.S.-based financial institutions. Flagstar Bank is one institution that made the list and is now facing multiple class-action lawsuits as a result of more than 1.5 million customers’ names and Social Security numbers being exposed.
The bank is, in response, “offering complimentary credit monitoring services.” I remember receiving a similar offer when an institution with which I’d been doing business notified me that some of my PII (Personally Identifiable Information) had been exposed in a security breach. I can’t say I was very pleased when I was told that I now qualified for one year (imagine that, a whole year!) of free credit reporting so that, and I’m paraphrasing here, “I could check on my credit report regularly in order to spot any ‘irregularities.’” Needless to say, I have bid a not-so-fond farewell to that provider, never to return again.
I know that protecting people’s personal information is hard. But, let’s face it, there are lots of steps that organizations that handle PII can take to make sure that it stays secure. Some are even fairly easy and inexpensive.
For one, be careful about email. Why? Because most banking data breaches can be attributed to an email or “social engineering” attack that involves ransomware or malware. In a social engineering attack, the hacker uses email to “phish” for information from employees by fooling them into providing proprietary information such as network login credentials. They do this by creating emails that look official, replicating the exact format of the emails that employees regularly send and receive. Often the email will come from (or seem to, anyway) an individual within the company with some authority, lending even more credibility to it.
There’s a reason why phishing and social engineering are as prevalent as they are — they work. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike. In fact, the World Economic Forum Global Cybersecurity Outlook 2022 points out that a staggering 95% of data breaches are due to human error. What can banks do — at least as a relatively easy step — that can prevent the kind of cyberattack that leads to significant penalties, customer loss, and brand damage? For starters, educate your employees, create and maintain a culture built around security, and lastly, put into place the processes that can help eliminate the likelihood of human error.
Of course, external bad actors and human error aren’t the only factors that contribute to data security risks. The infrastructure of today’s bank hinges upon a hybrid workforce across various locations, as well as cloud solutions such as Dropbox® and OneDrive™. These quick-and-easy-to-implement solutions were largely put into place during the pandemic and were intended to help a virtual workforce communicate, organize, and stay productive — which they did. The unintended consequence, however, is that these individual locations, devices, and applications have exposed the bank’s data to even greater security and compliance risks by creating a multitude of “endpoints.” Each virtual office location and user constitutes an endpoint, with each endpoint serving as a “doorway” through which employees access corporate data. Unfortunately, these endpoints also serve as doorways through which cybercriminals can enter the institution’s network and steal customer data. For this reason, employees must be judicious in their use of unsecured applications or personal devices that fall outside the purview of the organization’s IT department.
As cyberattacks grow in volume and complexity, banks must give serious consideration to the new breed of cybersecurity technologies available to them, such as those powered by Artificial Intelligence (AI) and Machine Learning (ML). AI and ML are now, for many institutions, playing an increasingly critical role in securing data by improving detection of, protection against, and response time to a cyberthreat. The reason is simple: AI technologies can either augment or supplant the “human touch” that can often be the cause of a data breach. For example, say your entire team is logging into the network for some type of online event or session. Sessions like these can be “hijacked” by a cybercriminal using stolen credentials. Not with AI, however. By supplementing the human verification process with AI-powered behavioral biometrics, each network user’s level of risk can be more accurately, and efficiently, assessed, and if needed, additional verification steps can be taken to secure the session. AI is beneficial in other ways as well. In the event of a successful attack, for instance, AI-powered solutions can significantly reduce identification and containment times, both of which cause costly downtime.
There is no doubt that cybercrime is with us for the long term (which is why we’ve created a campaign focused on the upcoming Data Privacy Day on January 28). Securing data must be a priority for banks, and it can start very simply… with culture and training. Since the vast majority of data breaches can be attributed to human error, keeping your employees vigilant could save you from high-ticket fines, lost customers, and irreparable damage to your reputation.
About Bank Marketing Center
Here at BankMarketingCenter.com, our goal is to help you with that topical, compelling communication with customers; the messaging — developed by banking industry marketing professionals, well trained in the thinking behind effective marketing communication — that will help you build trust, relationships, and revenue. In short, build your brand.
To view our marketing creative, both print and digital – ranging from product and brand ads to social media and in-branch signage – visit bankmarketingcenter.com. You can also contact me directly by phone at 678-528-6688 or via email at nreynolds@bankmarketingcenter.com. As always, I welcome your thoughts on the subject.