How Financial Institutions Can Leverage Modern Bank Heists
Whenever family or friends or otherwise ask what I do or what kind of company I work for, I always take the opportunity to start off with a question: Do you know what "information security" is? I do not expect much, as I myself could not quite give a clear definition before working in the position I hold now. No one likes to admit they don't know something, so usually I get a pause, a sigh, a shoulder-shrug, and finally something along the lines of, "I kind of have a basic idea, but I can't really explain it."
If anyone gives an answer, it usually defines something technical - such as making sure your computer networks are secure so hackers can't get in, or staying up to date with the latest patches for your anti-virus software. Afterwards I will explain that, yes, those things are indeed part of what makes up information security, but that there is so much more to it. I start to explain information security can be relevant to your computer systems - but it also has to do with someone calling over the phone or coming into a branch and pretending to be someone they're not. Or making sure you don't throw away sensitive personal data in the trash where anyone can have easy access to it. Information security even means making sure if you are having a conversation, you are speaking quietly when discussing personal sensitive information. Ultimately, it means keeping not only your money but also your personal finance data safe. For financial institutions, information security and risk management are in some respects a cost of doing business.
The point I try to make, and the point I'm trying to convey now, is that information security today means addressing a multitude of areas - any time or place personal sensitive data is disclosed or transferred.
To digress a bit, I would like to think about past times (I picture a scene from the "Old West") when a bank was nothing more than a big safe. People went to a bank not to invest, not to get a mortgage, not to plan for retirement - but to make sure their money was literally locked away. Information security in those days meant having a safe that no one could break into.
Fast-forward to today, and I am stunned by the number of physical robberies taking place on a daily basis. Just monitor Google News for certain keywords and you'll see there is no shortage of robberies, break-ins, bomb threats, hold-ups and heists throughout the country. And I'm not talking about hundreds, I'm talking about tens. And when I say I'm stunned I mean I'm stunned that these events are happening at all. I mean come on, walking into a bank and demanding money?! There have to be better (and I would think safer) ways of stealing money nowadays than holding a bank teller at gun point.
And I do not think I'm in the vast minority. I believe that most people think that physical bank robberies are rare. In fact, when a bank in my immediate area has an incident, the news travels like wildfire - my parents call me to tell me about it, it comes up in casual conversation with friends - and we all wonder what it would be like if we were actually there when it happened. The point is the everyday person using a bank and walking into a branch thinks physical robberies are not a serious threat to their personal finances.
If physical robberies are rare, and because things like insurance cover banks even if a physical robbery were to take place - what else does a banking customer have to worry about in terms of losing, physically, their cash? In the rare case that someone comes into your bank and demands your cash inside your designated area in the vault - your cash is still covered!
What consumers en masse have not realized yet is that there are so many risks individuals and financial institutions take when engaging in modern banking.
A modern-day bank heist does not mean five guys with ski masks walk into a branch and hold everyone hostage until the safe is emptied. It means a somewhat sophisticated attack involving phishing emails, malware and possibly an insider working at the bank. A modern-day bank heist might not necessarily mean the instant gratification of loading gold blocks into a knapsack. However it could mean continuously intercepting private data undetected for months over an unsecured computer network and then selling that data to others who might try to perform an actual transaction.
Modern bank heists are happening every day - some are detected, many others successfully lay low. And the information and data stolen during these incidents could prove much more valuable than what is obtained in a get-rich-quick physical robbery. Consumers are becoming more and more aware of modern banking risks (aren't the banking agencies making sure of this as they demand certain levels of customer education?), and the concerns are not regarding someone physically breaking into the bank's safe and stealing their hard-earned cash - but rather their entire financial identity.
So, how can financial institutions leverage modern bank heists? By making consumers aware of them. By disclosing the measures being taken to secure their financial data, and taking some responsibility when an incident occurs.
The first step I think is to make customers aware of the risks associated with modern banking. if someone tells me something I don't know, or warns me about a definitive risk - I tend to listen. And when intelligent advice is offered on how to prevent these risks, I see that person as an authority, and gain respect for that person.
Information security awareness is a golden opportunity for financial institutions to come across as authoritative figures, strengthening the reason someone should bank with them. They need to educate consumers about how they are keeping financial data safe, and how individuals should be taking some responsibility for situations outside of a financial institution's involvement. Information security is something most people with a bank account should be able to define when asked.
I don't think my bank has adequately warned me about the risks involved in doing business with them and using their online banking systems. Outside of "once-in-a-blue-moon" alerts when I log in to my online banking account that I have turned off notification for, I cannot think of any other instances where they are educating me about the importance of information security.
What do you think your customers would say if you asked them to describe your institution's information security practices?