Like many industries, financial services companies find it easy to get complacent and fall into lulls. We’ve all been there: you get into a process, you build out the process, you get comfortable with it, and you stop questioning it.
But we’re living in a new world order when it comes to security, risk, hacks and breaches, spanning cyberterrorism, identity fraud, nation states and the like – which all bring significant and dire consequences for financial services organizations and their customers.
Data has become a commodity – and the reality is that data has a monetary value. Personal and identity-related data has an even higher monetary value. And financial services, whether that’s fintech, banking, credit reporting or others, all possess the highest-grade data available, putting the value associated with that data that much higher.
What boggles my mind is this: in a new world order of increasingly sophisticated threats, coupled with the rising value of data, why aren’t more financial services institutions making security a priority, and more to the point, a continual priority from day one? Why aren’t they being more vigilant?
The answer is threefold, and it comes down to three big vices plaguing the financial services industry and the broader business community:
The reality is that big companies generally don’t move very fast. There’s a tendency not to change things unless they’re broken, and that applies to everything from corporate policies to IT infrastructure. It can be a challenge to rationalize an investment in something that appears to be working well, whether it’s poorly architected or not.
However, as the headlines have shown in recent months, it’s paramount that financial services organizations examine their authentication strategies, their encryption strategies, and their architectural strategies. This also involves putting good “cyber hygiene” practices into play, such as applying security patches promptly and doing the due diligence to ensure architectures minimize risk with encryption of data at rest, among other protective measures.
No doubt it’s difficult to unwind a systemic culture of inertia, but continuing to invest in systems only because they appear healthy may not be the best option over the longer term.
No one believes their company will be compromised, despite the overwhelming odds that almost everyone over time will be compromised. Just like the children of Lake Wobegon that are “greater than average,” many companies believe with confidence that their architecture and security will beat the odds. This is all the more so with large companies with strong track records of success. Again – as recent headlines show – security is not a “fix it and forget it” endeavor.
People in large companies too often want to bury their heads in the sand when it comes to security and risk, thinking “this couldn’t possibly happen to me.”
So where does the responsibility fall when it comes to security? Is it with the CSO? IT? The general manager? It’s really all of the above; in a true security crisis it’s useless to point fingers. Sure, the CSO is often the executive who takes responsibility, but they can’t be expected to defend everything, and their budget isn’t limitless.
For emerging financial services institutions, many of which may not have a strong security background, it’s a matter of engaging in a dialogue about what’s truly at risk when storing their customers’ personal information. This includes the holistic architecture that has been constructed and its long-term viability in an increasingly dynamic industry.
Consider the three vices discussed above and make a frank and honest evaluation of whether your financial services organization might be guilty of any of them. Is there a good cyber strategy in place? Are new security patches being downloaded and installed? If massive corporations and credit reporting agencies such as... well, you know them by now from the headlines... are being hacked and crippled by cybercriminals, what’s to stop your organization from being the next victim? If you don’t want your analytics, trading, or cloud platforms left without solid security, we welcome a deeper discussion around how not to be a #cybersecurity target.