Bank vaults full of cash and valuables are no longer the most valuable asset banks own. Instead, digital assets – account numbers, logins, and more – matter much more. That’s why bankers are much more worried about cyber attacks than guns today. How bad is the situation? Look at a few recent incidents.
Bank Cybersecurity in the News: The Losses Are Enormous
Despite the constant warnings in the news about cybersecurity, banks continue to struggle. In 2018, a Virginia bank lost $2.4 million after attackers gained access through phishing emails. Direct theft isn’t the only type of loss either: when attackers successfully compromised two multi-billion dollar Canadian banks in 2018, they demanded a payment of $1 million. Cloud computing adds a further difficulty. You cannot observe directly how much a cloud provider invests in cybersecurity, so you have to establish that through contract terms, audit reports and ongoing monitoring.
Your Path to Improve Cloud Cybersecurity
In the past, cybersecurity professionals at banks had an unfortunate reputation. They were the “department of no.” They would say no to Salesforce.com. They would say no to cloud storage. Frankly, this highly conservative mindset is no longer acceptable. Bankers are demanding access to cloud computing tools. As an IT security manager at a bank, it’s up to you to strike a balance between enabling the business to grow with the cloud and ensuring security requirements are met.
Use the following tips before you expand your cloud computing usage any further. You might be surprised at how many of these problems your organization is already suffering.
- Poorly Designed Contracts with Cloud Computing Vendors
Did you read your user agreement or cloud computing contract before you signed it? The answer is probably no. To avoid this mistake, you need to do some homework. First, identify your most important cloud computing providers, meaning the services you couldn’t operate without. Alternatively, focus on the top 3-5 cloud services by annual cost.
Once you have your short list of critical cloud computing providers, review the contracts for the following provisions:
- Liability: Who holds what liability coverage for a cybersecurity incident?
- Insurance coverage: If the cloud computing provider has insurance for security incidents, find out the nature of that coverage.
- Audit reports and rights: What audit reports and audit rights does the contract give you? At the very least, you should receive an annual independent third-party assessment of the provider’s cybersecurity (for example a SOC 2 Type II report), and you should check that its scope actually covers the services and regions you use.
- Key Performance Indicators (KPIs): Do the provider’s KPIs and other metrics include meaningful coverage of cybersecurity issues, such as patching and incident-response timelines?
- Making Minimal Use of Reporting
The better cloud computing providers on the market provide extensive reports to their customers every month. There’s just one problem: that information has no value unless you have a process to systematically filter and evaluate it.
To avoid this mistake, use the following steps:
- Assign responsibility for reporting and monitoring: Assign one manager to be responsible for receiving and managing reports. Ideally, choose a person who has expertise in vendor management and cybersecurity.
- Evaluate existing reporting: Of all the reports and metrics you receive regularly, which add value? From experience, a few monthly reports are sufficient in most cases.
- Establish a regular monitoring process: For your largest cloud computing providers, arrange a quarterly monitoring conference call. Use these calls to discuss the reports you received, any incidents or changes at the provider, and other cybersecurity questions.
- Neglecting to Involve Corporate Support Areas in Cloud Computing Management
As a cybersecurity professional, you’re an expert in managing certain categories of risk, such as hacking and phishing. However, you also need the support of your colleagues in procurement, human resources, and legal. For the greatest benefit, make sure you involve legal and procurement during contract negotiations and renewals with cloud service providers.
- Failing to Control Privileged Cloud Users
Not all cloud computing users are created equal. IT administrators and managers typically hold a greater level of authority; they are privileged users who can change settings and permissions across many accounts. A detailed procedure is beyond the scope of this article, but the guiding principle is simple: actively manage your privileged users. In practice that means keeping an inventory of who holds privileged roles in each cloud account, requiring multi-factor authentication for those roles, removing access that is unused or belongs to staff who have left, and reviewing the list on a fixed schedule.
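The following script is an added example of what "actively managing privileged users" looks like in practice; it is not code from the original article or from any vendor product. It runs a review over a constructed inventory of role assignments and produces both a findings list and the kind of "who has access to what" certification listing a manager signs off on. The role names, the 90-day staleness threshold, the per-user limit and the sample data are all assumptions; map them to your own provider’s roles and your own policy.

```python
"""Privileged-user review over a constructed cloud role-assignment inventory.

Added example, not from the original article or any vendor tool. Role names,
thresholds and sample data are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: these role names are treated as privileged. Substitute your
# provider's own administrative roles.
PRIVILEGED_ROLES = {"Owner", "GlobalAdmin", "SecurityAdmin", "BillingAdmin"}
STALE_AFTER_DAYS = 90          # assumption: unused privileged access is flagged after 90 days
MAX_PRIVILEGED_PER_USER = 2    # assumption: flag one person holding admin in many tenants

ISSUE_NO_MFA = "privileged role without MFA"
ISSUE_STALE = f"privileged role unused for more than {STALE_AFTER_DAYS} days"
ISSUE_NEVER_USED = "privileged role never used"
ISSUE_DEPARTED = "privileged role retained by an inactive employee"
ISSUE_TOO_MANY = "privileged assignments exceed per-user limit"


@dataclass(frozen=True)
class Assignment:
    user: str
    tenant: str                 # cloud account / subscription / tenant identifier
    role: str
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account has never signed in
    employee_active: bool       # from HR, not from the cloud provider


@dataclass(frozen=True)
class Finding:
    user: str
    tenant: str
    role: str
    issue: str


def review_privileged_access(assignments: List[Assignment], today: date) -> List[Finding]:
    """Apply the review checks to every privileged assignment; ignore ordinary users."""
    findings: List[Finding] = []
    privileged_count: Dict[str, int] = {}
    for a in assignments:
        if a.role not in PRIVILEGED_ROLES:
            continue
        privileged_count[a.user] = privileged_count.get(a.user, 0) + 1
        if not a.employee_active:
            findings.append(Finding(a.user, a.tenant, a.role, ISSUE_DEPARTED))
        if not a.mfa_enabled:
            findings.append(Finding(a.user, a.tenant, a.role, ISSUE_NO_MFA))
        if a.last_login is None:
            findings.append(Finding(a.user, a.tenant, a.role, ISSUE_NEVER_USED))
        elif (today - a.last_login).days > STALE_AFTER_DAYS:
            findings.append(Finding(a.user, a.tenant, a.role, ISSUE_STALE))
    # Aggregate check: one person accumulating admin rights across tenants.
    for user, n in sorted(privileged_count.items()):
        if n > MAX_PRIVILEGED_PER_USER:
            findings.append(Finding(user, "*", "*", ISSUE_TOO_MANY))
    return findings


def certification_report(assignments: List[Assignment]) -> Dict[str, List[Tuple[str, str]]]:
    """Per tenant, the sorted list of (user, privileged role) an owner must certify."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for a in assignments:
        if a.role in PRIVILEGED_ROLES:
            report.setdefault(a.tenant, []).append((a.user, a.role))
    return {tenant: sorted(holders) for tenant, holders in sorted(report.items())}


# Constructed sample inventory (not real accounts); TODAY is fixed so results are stable.
TODAY = date(2024, 6, 1)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "prod", "Owner", True, TODAY - timedelta(days=5), True),     # clean
    Assignment("bob", "prod", "GlobalAdmin", False, TODAY - timedelta(days=10), True),  # no MFA
    Assignment("carol", "dev", "SecurityAdmin", True, TODAY - timedelta(days=200), True),  # stale
    Assignment("dave", "prod", "BillingAdmin", True, TODAY - timedelta(days=3), False),  # left the bank
    Assignment("erin", "prod", "Reader", False, TODAY - timedelta(days=1), True),   # not privileged
    Assignment("alice", "dev", "Owner", True, TODAY - timedelta(days=1), True),
    Assignment("alice", "test", "Owner", True, None, True),                          # never used, third admin role
]

if __name__ == "__main__":
    for f in review_privileged_access(SAMPLE_ASSIGNMENTS, TODAY):
        print(f"{f.user:6} {f.tenant:5} {f.role:14} {f.issue}")
    for tenant, holders in certification_report(SAMPLE_ASSIGNMENTS).items():
        print(tenant, holders)
```

The HR `employee_active` flag is deliberately a separate input: the cloud provider cannot tell you that someone has left, so the review only works if the inventory is joined with your own leaver data before it runs.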
- Neglecting to Revise Your Cybersecurity Program Annually
No cybersecurity program will stay current on its own; you need to make time and resources available to update your program annually. Regarding cybersecurity for cloud computing at a bank, review the following:
- New cloud computing services: Make a list of new cloud computing services added to your bank in the past year. Assess whether you need to make updates to your program based on these changes.
- New incidents reported in the past year: What significant cybersecurity incidents have occurred in the past year? For example, if phishing has become a more significant concern, you might focus additional attention on cloud tools that touch email.
- Ignoring Bank Regulatory Requirements
Like it or not, banking is a highly regulated industry. It’s your responsibility to become familiar with the requirements and laws that apply in every jurisdiction where you operate. If you’re based in the U.S., keep in mind that other countries have different expectations for cybersecurity and data protection, and those rules come into scope as soon as your cloud provider stores or processes data outside the country.
If you’re starting from scratch, read “Supervisory Considerations in Cloud Computing in the Financial Services Industry,” published by the Federal Reserve Bank of Atlanta.
- Tolerating a Reactive Mindset Toward Bank Auditors
Internal auditors play an essential role in detecting problems, risk exposures, and failures to follow bank security best practices. Unfortunately, some bankers have a negative attitude about audit findings; they only take action when there’s a major finding. There’s a better way: proactively engage your auditors. Ask about their observations about cloud computing security from audits of other departments. Learning these insights will help you to improve your organization.
Leverage Tools to Reduce Your Cloud Computing Risk
Use Compliance Auditor to improve your monitoring and control over cloud computing security. It has built-in access certification reports so you can easily track who has access to what resource. Take the time and effort to invest in improved security today. If you wait for the next hacking attack to hit you first, it will be much more difficult to improve.