Chief information security officers at banks say their top priority is keeping data of all kinds (customer, employee, credit, performance, you name it) safe from attacks. They answered candidly when we asked who or what the greatest risks are.
Too Much Data Everywhere
There’s a huge pool of data out there that is hard to protect, and it also provides attackers with lots of ammunition.
“The more data out there, the higher the risk,” says Dominic Venturo, chief innovation officer at U.S. Bank in Minneapolis. “Even with things like PCI, we still see data breaches. We’ve also got this old system of user ID and password and the fact that consumers are reusing that data all over the place. On top of that, even when they don’t reuse them, passwords that are human-friendly are often insecure or easy to guess.”
It’s one of the reasons that tokenization is crucial to mobile banking and the future of online payments, he says.
The Folks Who Work Next to You
Criminals are becoming increasingly sophisticated, and they can mount all kinds of attacks, but banks need to worry most about the inside threat, two officials say. They’re talking about rogue employees, targets of social engineering or phishing, and those who misuse company systems.
“Our employees continue to be our weakest link, and I don’t think that will change,” says Wes Spencer, chief information officer at FNB Bank in Mayfield, Ky. Firewalls, encryption, industry sharing of intelligence and other precautions haven’t done enough. “Even with the controls we’ve built around them, employees remain our most significant threat,” he says.
Landon Ewers, chief information officer at Amalgamated Bank in New York, agrees. “Phishing attempts, often paired with malware designed to extract confidential information or gain access to transactional systems, seem to be the most prevalent,” he says. Banks have to be wary of employees “accidentally or intentionally” exposing information.
Client-Created Vulnerabilities
Just as employees can compromise security, unwittingly or not, customers are a backdoor into bank systems, too.
Robert Lubben, chief operating officer at Rabo AgriFinance in St. Louis, Mo., sees “an increasing risk due to our clients, primarily small businesses, not investing at a level sufficient to secure their networks and educate their staff on cyber-related risks.”
Vendor Risk
“For me, data security is threatened both by the amount of data that flows out of our institution to third-party vendors to help provide broad-based services for our members and the fact that most of my workforce isn’t as sophisticated when it comes to IT security,” says Todd McCoy, vice president for finance and risk management at the University of Kentucky Federal Credit Union.
The Multiplicity of Dangers
Keeping tabs on all the different threats coming at banks is the top challenge, according to David Pollino, deputy chief security officer for the Bank of the West in San Francisco.
“If you’re only thinking about one threat, you’re probably being distracted from the overall problem,” he says. “You can’t just be focused on authorized access to information; you have to be focused on unauthorized access to information. You have to be focused on insiders as well as external threats. When you are focusing on control, you need to make sure that your controls are applicable to multiple areas.”