Banks and the New Abnormal
Banks have hesitated to adopt many strong security practices, and for understandable reasons. But now is the time to be bold.
With businesses starting to reopen after the COVID-19 shutdown here in Massachusetts, I am already tired of hearing about the "new normal." We're nowhere near hitting anything approaching "normal." We're certainly never going back to where we were on March 1, but no one knows where we'll be when a vaccine is discovered and we can go to the grocery store without taking a Silkwood shower when we get home. We're in the middle of chaos, and IT departments are just trying to juggle the day-to-day issues related to remote workforces and new security risks.
But that will change sooner than we think. Companies everywhere are declaring working from "anywhere" as the new standard for their employees, and so many cybersecurity teams are already planning for the uncertain future. And that future is going to be radically different than anything we've seen before. If you've been waiting for the next great leap forward (and were around for the invention of the transistor), you may be in the right place at the right time. The planet is facing an unparalleled challenge, and the fixes will not be incremental. Strap yourself in for a hell of a ride.
Most innovations in banking are slow and linear, but right now we're seeing myriad new consumer-driven changes affecting how people use their money and disrupting the industry. These include the expectation for contactless payments, card-not-present payments, and instant payments. In Australia and some European countries, these immediate payments are taking over for long-standing money-transfer systems like ACH, wires using SWIFT networks, and other credit card batch settlement methods. Things have gotten faster, and they're changing dramatically.
Here's why: Since the advent of electronic communication as the primary means of sharing information — roughly the past 35 years — there has never been a disruption like the COVID-19 pandemic. We've had mega-disasters like 9/11 and Category 5 hurricanes that have upturned payment methods and banking, but they've all been regional in scope and not enough to change broad behaviors. This is why regulators managed by the Federal Financial Institutions Examination Council have an ever-extending checklist of "must-dos" for banking security controls. With the challenges of the current pandemic, the current banking anti-fraud and security infrastructure is now being severely tested.
Along with the banking product changes, banks have thousands of employees working from home on nonsecure Internet connections, which has created unprecedented challenges. Ditto for billions of dollars being wired or mailed to taxpayers. We need to rethink what we're doing from the ground up. After all, we don't know if we will ever be back in our offices again, and if we do, whether people will come in every day. Is COVID-19 the beginning of a permanent work-from-home revolution? Will the idea of the central office even matter in two years or will everything be decentralized? Those are the questions we need to ask ourselves every day.
So what do we do? For starters, we need to reimagine the VPN. The basic concept is sound, but most private networks were designed for a "spoke" model rather than thousands of independent access points. And multifactor authentication (MFA) can no longer be an auxiliary or perimeter security measure. It needs to be baked into the front lines of defense.
And that's just for remote access. What about reconciliation and fraud detection? Is a daily balancing really good enough anymore, or do banks need to adopt real-time updates to prevent unauthorized access and transfers? Do we need a full, across-the-board, zero-trust approach?
The good news is that the infrastructure to supporrt all of this is very strong, and it exists right now. Most banks use mainframes, which are incredibly fast and reliable — not to mention difficult to improperly access. MFA tools are already in use, but they're not universally deployed. Zero trust exists, but many institutions are wary of the effects of end-user inconvenience.
Banks have been hesitant to adopt many of these practices — and for good reason. But now is the time to make the next bold step. Security has always been important, but now it's non-negotiable. Banks need to do whatever they can to keep their assets, and those of their customers, as safe as possible.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024