Never have customer demands so directly influenced every aspect of the banking ecosystem; they're forcing banks to undergo massive digital transformation processes to meet new needs and pushing for new platforms and services to go live faster than ever before. Therein lies the problem.
Digital transformation and rapid product and platform development are happening at the same time that hacker culture has taken off, escalating the security risks. According to a Verizon study of data breaches, hackers are breaking in faster and it's taking longer for banks to find them. In 2015, 84% of hacks were completed in days or less but only 25% of breaches were caught within days.
Soon, hacks will happen in hours — if not minutes — and the channels through which hacks can take place will grow as consumer use grows. Today it's mobile apps and online channels; tomorrow it will be biometric devices and virtual reality.
But processes can be put in place to prevent breaches and protect customer data — no matter what channels it comes in on or how it's stored, today and in the future.
The first and perhaps most important step is education — for everyone, not just the compliance team. Some of the most high-profile hacks in recent years may have started with something as benign as an easy password (passw0rd! is not going to do it) or failure to enforce two-step authentication.
For information to be truly secure, everyone from the bank tellers to the customer must be aware of how easily it can be compromised and how to keep it secure. If employees sign on to a device in the workplace on a connected network, they need to be taught to take proper security measures — preventative security only works when everyone is on board.
From there, educate customers. For instance, are customers aware that signing on to their bank account from unsecured Wi-Fi could mean trouble? Or that emails or texts from a bank should never ask for personal information? Do they ignore notices about an account being signed onto from an unusual location? Give customers a clear, easy way to flag a problem — it may stop a small issue before it becomes a bigger one.
The enemy of good security protocol is "doing things how we've always done them." Banks must regularly re-evaluate not only security processes — such as cyber-risk controls — but the culture that supports those processes. Cybersecurity governance must be enforced steadily and proactively, and it all starts with the right processes.
Legacy systems are a great example of doing things as they've always been done — they're big, complex and expensive to overhaul. But banks running on outdated legacy systems may not realize how vulnerable they are to threats. Think of it like a locked door on a house. When the lock was first installed, it protected against very specific types of lock picks. As time passes, the lock picks get better. While the old lock may still serve its primary job, it isn't helping against the flashy new tools lock pickers use. Today, banks need a new lock. The rise of the digital age and the size and frequency of customer data breaches necessitate massive security upgrades.
Customers have to change too. They expect banks to have their back — if a card gets lost, they call the bank and a new one magically appears in a few days. But with the increased risks today, customers need to understand the role they play in controlling access to information. Banks should prioritize proactive customer communication — what customers don't know can hurt them.
Education has been driven mostly by major credit card companies so far — for example, Amex commercials about fraud detection. These are great awareness generators for a particular part of the banking experience, but there's much more to be done.
Banks should engage in social media campaigns; create pop-up reminders for those using online banking; and have branch employees chat with customers. Ad campaigns that go beyond fraud detection could also help, for example by showing the impact of lax security habits for checking accounts.
Now is one of the most pivotal times in banking security in modern history. Never before have banks been at such a crossroads between extreme risk and unlimited potential. With the value and relevance of data surging, banks must be hypervigilant to keep their most valuable asset — customer data — secure.