The Risks of NOT Investing into CyberSecurity

In 2002, preparations were being made for me to transition from the Navy to civilian life. I wanted to start a career in the IT field, and, unfortunately, the Navy wasn’t capable of providing me that opportunity. At the time though, careers in the IT field were still uncommon and considered overhead to corporations. After realizing this, I had decided to stay in the Navy since I hadn’t acquired the necessary education or experience to be competitive in the IT market yet. Over 10 years ago, IT and Cybersecurity were not considered to be as worthwhile a career field to pursue. Today, the financial industry is learning just how valuable cybersecurity is, and according to an article, Friedenberg remarks that, “Companies, on average, spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim” (2006). In an effort to compromise the confidentiality, integrity, and availability of the financial institutions, cyber terrorists have taken an active role declaring war on one of our nation's critical key infrastructure. There are major risks in the financial industry that are causing the institutions to invest more into the protection of their assets which are in jeopardy of compromise every time a cyber attack occurs. Consumers want to know that their money is protected when they put in a financial institution. The personal information that consumers are required to present, for instance Name, Date of Birth, account number, in order so they can withdraw money needs to be safeguarded. According to Servidio and Taylor in their article about safeguarding community banks, “many small and medium-size banks lack the resources they need to fight cyber attacks” (2015). Countering terrorism and protecting human rights may provide contradictory results. Mass government surveillance and enhanced airport security resulted from the 9/11 terrorist attacks in an effort to prevent such an attack from taking place again. In a an attempt to implement countermeasures that would provide sense of security from terrorism in our nation while protecting our citizen’s rights actually resulted in the opposite in where, citizens felt violated by the new measures implemented. Like many others, I remember 9/11 and felt just as angry and upset over how we had allowed the terrorist attack to happen on our own soil. At that time, I was ready to sacrifice whatever was required to protect our nation from being attacked in that matter again. Unfortunately, the cost was the violation of privacy for many citizens of our nation. It can’t be argued whether it was effective or not, even though this nation has yet to experience another terrorist like 9/11. 9/11 is an example of how the nation reacted when their sense of safety was compromised and demands and inquiries were made by those responsible as to why and how we could prevent that attack in the future. The financial industry is a primary target of cyber terrorism and the cost is the consumer’s identity, their investment in the future and their children’s future. Cyber terrorists exist with many identities; one of them could be yours. Identity theft has many definitions, but I prefer Lynch’s definition which is defined as “the theft for fraudulent purposes of personal information, such as account numbers, social security numbers (SSNs), and other personal identifiers such as a mother's maiden name.” (2005). Through these increasing and sophisticated attacks, the financial industry is losing the trust of consumers through compromise of their personal information. Friedenberg says that, “if you experience a security breach [of customers’ personal information], 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!” (2006). The cost of a security breach is loss of business, lawsuits, and consumer’s sense of betrayed trust all from a single incident that could of been prevented. My wife and I were victims of identity theft when our bank was attacked, and our personal information was acquired by the attackers. The thought of what our personal information could be used for was a frightening and sobering realization that anyone was vulnerable and there was much that could be done to have prevented it. Brody, Mulig, and Kimaball recommend that “creating awareness is one of the most important tools in fighting identity theft” (2007). Financial institutions have become better about notifying the consumers of fraud alerts and email phishing which is providing consumers the awareness necessary to protect against these type of cyber attacks. Smaller community financial institutions are struggling to keep up with the larger institutions in protecting their consumer’s assets. In many cases, as a result of not being able to appropriately implement countermeasures, the smaller institutions could be targeted more often and easily. Servidio and Taylor make a valid point that “given the close relationships a community bank has with its customers, a major data privacy breach or cyber incident could damage the local community and impact the safety and soundness of the bank.” (2015). The local banks provide a sense of community in the local areas and the cyber attacks have the capability to jeopardize that close relationship. Additionally, for a cyber terrorist or hacker, the lowest hanging fruit and most accessible are the Automated Teller Machines (ATMs). ATM frauds, for instance deposit and check, are common in the US and tend to happen at local banks. Banks have a practice of crediting and allowing withdraws against the deposit prior to manual reconciliation and verification. The attacks on the smaller financial institutions could possibly lead to strategic assaults on other financial institutions, since there is the danger of communication when processing transfer of funds between two banks. The bank that was initially attacked was used as a patsy in order to gain access to the actual targeted bank; allowing the attacker to achieve it’s goal of more theft and possible destruction. A course of action that could be utilized in an effort to proper prepare and defend against cyber attacks would be the development and implementation of what Gardner calls in his terms, “Enterprise Risk Architecture” (2015). Gardner goes on to define this this Enterprise Risk Architecture as a “body of work” that “guides organizations through the capture and documentation of their IT, processes, information flows, and dependencies and is used with sophisticated IT vulnerability analyses.” (2015). A report that is produced on the potential risks of the IT systems and scenarios of how the attackers could exploit and captures the data in their bank. The report can be the visual aid to assist the community bank in identifying and implementing the appropriate safeguards to protect their consumer’s assets and personal information. It will require a team effort to prevent and defend the financial industry from cyber attacks. Gardner suggests that there are many affordable actions that address the cyber threat. Activities such as employee training, diligent password management, timely patch management (routinely installing and testing software updates and fixes), and cyber incident drills could eliminate 70% or more of cyber risk and its consequences. (2015). Currently, the Federal Financial Institutions Examination Council (FFEIC) has developed a cybersecurity tool that has the capability to assess the risk factor of financial institutions and "to help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing these institutions,” (NEW TOOL ASSESSES BANKS' CYBERSECURITY READINESS, 2015). However, the responsibility of preventing the cyber attacks doesn't necessarily fall on the institution, but it falls on all including the consumers. The financial data compromise due to the cyber attack is unfortunate loss and none feel it more than the consumers who trusted their data to the institution. Brody, Mulig, and Kimball state a valid point when they express the necessity of, “Financial institutions and consumers need to work together to prevent future occurrences” (2007). The sophistication of the attacks to steal personal information make it difficult for a machine or piece of software to detect every incident, but it also requires that consumer educate themselves in order to discern what is a scam and what is genuine. Prevention of cyber attacks against the financial industry has to be an objective of both the institution and the consumers. There are capabilities that exist in the identification and to mitigation of countermeasures to risks that are present in the financial industry. The investment in cybersecurity will certainly bring risk, but the lack of investment will only continue to harm the financial industry and consumers. Trope makes the comment about the integration of technology and the unexpected risks with the following statement, “adoption of digital technologies has come with what has proven to be a gross underestimation of the risk of cyberattacks, the undiminished vulnerability to such attacks, and the growing extent of damage they can inflict”. My interpretation of what Trope is stating is that introduction of technology may provide a convenience to the consumer, such as accessing your bank account from the internet, will unfortunately introduce avenues for the cyber terrorist or “hacker”to potentially attack and steal the consumer’s personal information or assets. The ultimate goal lies in developing a cybersecurity framework that supports business processes. Such a framework will require a new security mindset and changes to processes such as risk management and risk mitigation. This will produce a stronger cybersecurity framework and more efficient regulations that promote a trust between financial institutions and their clients. (Mohammed, 2015). As newer technologies and conveniences are introduced, such as apple pay and google pay, which take advantage of wireless technologies, hackers will see this as an opportunity to attack. As consumers, we still need to educate ourselves as to what the new technologies are and how they could be used as an opportunity to steal our personal data. There is no set and forget countermeasure or framework either. A constant refresh and review quarterly to annually of policies, frameworks and implemented countermeasures will still need to be conducted.

References

Brody, R. G., Mulig, E., & Kimball, V. (2007). PHISHING, PHARMING AND IDENTITY THEFT. Academy Of Accounting & Financial Studies Journal, 11(3), 43-56. Retrieved from http://ezprox y.umuc.edu/login?url=http://search.ebscohost.com/login.aspx? direct=true&db=bth&AN=89147589&site=eds-live&scope=site

Gardner, R. K. (2015). CYBER RISK THROUGH THE COMMUNITY BANK LENS: ADDRESSING ISSUES NOW BEFORE IT'S TOO LATE. The RMA Journal, 98(3), 66-69,13. Retrieved from http://ezprox y.umuc.edu/login?url=http://search.proquest.com.ezproxy.umuc.edu/docview/ 1756060642?accountid=14580

Lynch, J. (2005). IDENTITY THEFT IN CYBERSPACE: CRIME CONTROL METHODS AND THEIR EFFECTIVENESS IN COMBATING PHISHING ATTACKS. Berkeley Technology Law Journal, 20(1), 259-300. Re trieved from http://ezproxy.umuc.edu/login? url=direct=true&db=iih&AN=16940518&site=eds-live&scope=site

Mohammed, D. (2015). Cybersecurity Compliance in the Financial Sector. Journal Of Internet Banking & Commerce, 20(1), 1-11. Retrieved from http://ezproxy.umuc.edu/login? url=http://search.ebscohost.com/login.aspx? direct=true&db=iih&AN=110209808&site=eds-live&scope=site

NEW TOOL ASSESSES BANKS' CYBERSECURITY READINESS. (2015). The RMA Journal, 98(3), 60-65. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com.ezprox y.umuc.edu/docview/1756060824?accountid=14580

SERVIDIO, J. S., & TAYLOR, R. D. (2015). Safe and Sound: Cybersecurity for Community Banks. Journal Of Taxation & Regulation Of Financial Institutions, 28(4), 5-14. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx? direct=true&db=bth&AN=102071237&site=eds-live&scope=site

Trope, R. L., & Hantover, L. L. (2014). In the Wake of Cyber Damage: Significant Decisions in Cybersecurity 2013-2014. Business Lawyer, 70(1), 223-230. Retrieved from http:// ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx? direct=true&db=bth&AN=100670067&site=eds-live&scope=site