What Lies Beneath: FIs’ Biggest Cyberthreat

Well, let’s start with the bad news first, even at the risk of robbing some of the joy and optimism that comes with the new year. As bad as one might think the risks of cybercrime are (fraud, hacking, data breaches, customer and revenue loss, lawsuits and fines), the reality is probably worse.

That’s because those threats are relatively localized, and don’t take into account the risk of hackers (especially those backed by organized militaries and nation-states) taking down key infrastructures. After all, what good is a banking system without a functioning electrical grid?

However, as covered in a new PYMNTS discussion between Karen Webster and Rich Baich, chief information security officer for Wells Fargo, that realization is no cause for despair — as long as companies and other organizations adopt the right mindset about preparing for and fighting against such threats.

The PYMNTS discussion served as a look at the current landscape of general cybersecurity, as well as a glimpse into the next 12 months for digital security, highlighting the main trends and emerging forms of defense. While imagining the threat and costs of a cyberattack that targets regional or national infrastructures might seem overly pessimistic, given that the cheer of the holiday season still lingers, there is, according to Baich, reason for hope.

Big Mindsets

On the national level, at least, “we’ve been focused on [potential] attacks against critical infrastructure” since the late 1990s, he told Webster. That focus has recently resulted in more attention from the U.S. Department of Homeland Security (DHS), and other federal and state agencies, about cyberattacks against infrastructure.

Still, even with such “recognition of the systemic risks” posed by “critical infrastructure” (risks that apply to multiple industries and consumer segments), “we as a country still have to figure out how to address those risks and prioritize efforts” at defense, Baich said.

All big jobs require big mindsets, and, according to Baich, the tools for that big mindset — for big risk management — are already in place. For instance, “every day, a financial institution is granting credit, taking a risk” with every new loan, he said. The thinking and technology behind such a business activity can help with efforts to construct better cyber defenses.

Collaboration is also vital. That’s long been true when it comes to sharing best practices, and even some forms of technology, to prevent fraud and breaches — but it holds especially true for thinking about how to best prevent, or at least deal with, digital attacks against larger infrastructures.

“Government and private companies working together can come up with action plans to mitigate the risk,” Baich said.

After all, government is a vital player in these types of digital defenses. Who can expect companies, especially the small and medium-sized firms that rely on the infrastructure powering the digital economy and may themselves be vendors critical to its operation, to fend off attacks from nation-states that have put billions of dollars into their cyberwar efforts?

“Can you really defend against something that large?” he asked.

Of course, it can be hard to get one’s mind around that threat, no matter how large. “Physical threats to our country, we can comprehend,” Baich said. It is relatively easy to spot a naval fleet heading toward the coast and figure out its intentions. For cyberattacks, even the large-scale ones, “you can be in Bora Bora in a T-shirt and launch it.”

Winning The Battle

Given that reality, it seems the hackers and digital criminals will always have the edge, or, put another way, constant command of the online high ground. “Is it a battle that we can win?” asked Webster.

“Yes,” Baich said. “But rather than a battle, I’d call it a conflict, or an obstacle.”

Among the ways to win?

Automation, for one. Machines, including artificial intelligence (AI), will take over more defensive duties and become more sophisticated, freeing human talent for other associated tasks. Machines can certainly be compromised, of course, which will put more pressure on securing the various “keys” that authenticate one machine to another, and which can in turn lead to more machine-backed, automatic authentication of consumers.

Mindset is important for this big, ongoing task, too, he said. Corporate culture must understand that information security is dependent upon the coming together of disparate teams and disciplines that are united toward the common goals of arriving at an acceptable level of risk and preventing cyberattacks.

Longer term, there is also a need for consumers to not only recognize such attacks (say, spotting the signs that an email is a phishing attempt from criminals or state-backed attackers), but to have a reliable way to report them. Baich used this example: If a driver sees a vehicle swerving from lane to lane on the road, that driver can simply call 911 and report a suspected drunk driver. However, there is no seamless and efficient mechanism for that yet in the online world.

Sure, in a cyberattack, a consumer might call their bank when they see a suspicious email, supposedly from that organization. More typically, though, that consumer will just delete the email and take no other action.

The new year will bring further advances from sophisticated hackers, whether operating on their own or backed by militaries and countries. What’s needed is more change to the mindsets and cultures of companies and organizations: thinking that grasps the true nature of the threats and the appropriate risk levels, and then comes up with solutions to manage them.