Cyber security’s up to you, banks
Customers fret about breaches, but do little
- |
- Written by John Ginovsky
- |
- Comments: DISQUS_COMMENTS
Bank tech trends can make your head spin. So each week longtime Tech Exchange Editor John Ginovsky does his best to “make sense of it all.”
A new batch of surveys generally comes to the conclusion that consumers and companies are increasingly worried about having their personal financial data stolen by cybercrooks—but still do little to protect themselves.
True, this has been said before. But as the sophistication and sheer numbers of bad guys continue to ratchet up, it’s worthwhile saying it again. This time, though, it’s becoming apparent that:
1. Financial institutions already are the most trusted to protect confidential information.
2. It’s imperative to start taking a proactive rather than a reactive approach to security.
And that’s exactly what Paul van Kessel, global risk leader for Ernst & Young, says:
“Organizations will only develop a risk strategy of the future if they understand how to anticipate cybercrime. Cyber-attacks have the potential to be far-reaching—not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage, and regulatory noncompliance. Organizations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cybercriminals into more formidable adversaries.”
Research bears out customer disengagement
Scanning current industry literature:
• Online laziness. RSA, a division of EMC—Half of the 1,000 consumers surveyed said they have been victims of a data breach. Yet 45% admit, even with all the news about breaches, that they have not changed their behavior when using credit and debit cards.
And while 71% of respondents say they are most concerned about losing their password in a data breach, nearly a third admit to only having one to two passwords for all online accounts.
• Why should I adapt? TheStreet—66% of the 1,008 people surveyed say they are concerned that their information will be stolen. But only 20% say they would feel more comfortable paying for items with their phone using digital wallets instead of a credit card.
• Spending but not gaining. Association for Financial Professionals—62% of the 970 corporate executives surveyed said their organizations had experienced a cyber-attack in the past 12 months. While 71% say they’ve increased spending to mitigate possible attacks, 60% still rank cyber-risk “very high” or “highest.”
• Failure to keep up. Experian Data Breach Resolution—43% of the 567 corporate executives surveyed said their companies had suffered data breaches in the past year. While 73% said they have data breach response plans in place, 68% said they still feel unprepared to respond to a data breach. In part this is because most haven’t or don’t regularly update their plan to account for changes in threats or as processes at a company change.
• Clueless about cyber risks. Ernst and Young—Of the 1,825 organizations around the world surveyed, 37% have no real-time insight on cyber risks and 53% say they lack skilled resources in their information security program.
What people say about the data
Beyond the numbers it’s interesting what people have to say in relation to their surveys. Here’s a brief collection of comments:
• People aren’t changing. “As the capabilities and convenience of the internet continue to grow, so do consumer security concerns. The results of the … study show that while these concerns are top of mind, behaviors and attitudes of consumers are not changing. It is incumbent upon the industry to deliver on promises of strong and convenient security methods to help customers take advantage of the internet while significantly limiting the risk of threats—both simple and sophisticated,” says Brian Fitzgerald, vice-president of marketing at RSA.
• Unnecessary cash-only paranoia. “Ultimately, the paranoia, the brouhaha, the face-palming, and the consumer fears are all irrational. There’s no need to flock to the cash-only camp. Americans are clearly concerned about using the plastic,” says Ross Urken, personal finance editor for TheStreet.
• You can’t win by not playing. “Beyond internal threats, organizations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can impact their security posture. It’s only by reaching an advanced stage of cyber security readiness that an organization can start to reap the real benefits of its cyber security investments,” says Ken Allan, global information security leader at EY.
• Half-hearted attack won’t win. “While more organizations have data breach preparedness on their radar and have developed a response plan, a majority of companies are not putting the support and resources behind having it truly be effective,” says Michael Bruemmer, vice-president, Experian Data Breach Resolution.
Okay, so consumers aren’t doing what they are supposed to do to protect themselves, and companies in general lack confidence in their own response plans. What’s that got to do with banks?
Banks step forward by default
Plenty. As ABA’s recent infographic on cyber security and data breaches shows, for example, just in the breach that occurred at Target, bankers reported reissuing a combined 2.7 million credit cards—at an average cost of $8.11 per card—and 4.1 million debit cards—at an average cost of $9.72 per card. Furthermore:
• Only one third of banks reported receiving any reimbursement for fraud losses and reissue costs over the past five years.
• At the same time, 73% of consumers trust banks most to keep their payments safe.
This puts banks in a precarious and unhappy position. On the one hand, they seem to be doing the best job of keeping people’s information safe. But on the other they are the fall guys when it comes to reimbursing losses due to cybercrooks.
So, once again, it’s up to banks to step up their game. A prime way to do that is through new technologies—namely big data and analytics—to do what was stated at the beginning, that is, switch from a reactive stance to a proactive posture.
Bob Palmer, an IBM analyst, writes in his financial institutions blog: “The old model of responding to attacks and fraud well after the fact just won’t work in today’s world of sophisticated and organized financial crimes.”
Palmer adds that “an integrated approach is needed not only to respond to fraud and financial crime, but to proactively anticipate, detect, and mitigate threats.”
Such an integrated approach has four general phases:
• Detect—Apply advanced analytics to all key fraud data to predict whether an action is potentially fraudulent before losses occur.
• Respond—Apply fraud insights to take action in real time. Use analytics on streaming data to confidently differentiate legitimate actions, while preventing or interrupting suspicious actions.
• Investigate—Turn fraud intelligence into action. Perform and manage inquiries into suspicious activity that are supported by thorough data analysis and collaborative, sophisticated case management.
• Discover—Use new big data and analytics capabilities to identify suspicious activity by analyzing mountains of historical data to search for patterns of fraud and financial crimes.
It seems like someone has to do it, and it might as well be banks.
At least, that’s the general opinion of everybody else.
Sources used for this article include:
ABA Releases Infographic on Cybersecurity, Data Breaches
Finance Pros Fear Economic Impact of Large Scale Cyber-attacks
Annual global EY survey finds organizations are still unprepared for inevitable cyber attacks
Fighting fraud in banking with big data and analytics
RSA: Despite a Year of Breaches, Consumers’ Security Behaviors Unchanged
