As cyber-attacks continue to plague financial institutions worldwide, it is important that organisations keep on top of cybersecurity technology and protocols. With this in mind, what do recent White House cybersecurity guidelines outline, and how should firms use them?
Meredith Bell is the CEO of AutoRABIT, the leading DevSecOps platform for Salesforce. Here, Bell shares some of the insight he has gained during a career spanning over 30 years and explains how US-based financial institutions can use White House cybersecurity guidelines in the future.
Financial institutions inherently work with their customers’ most sensitive information. This is why the industry is one of the most highly targeted by cybercriminals, according to Statista. When a data breach occurs, it costs these organisations an average of nearly $6 million.
The White House recently released the National Cybersecurity Strategy to address the increased number of attacks on American businesses and critical infrastructure such as the ‘Colonial Pipeline’ hack of 2021.
These attacks are becoming increasingly sophisticated, requiring a comprehensive approach to keep companies safe. And since financial institutions are a historically large target for cybercrime, strict adherence to these guidelines is essential.
Many companies become complacent over time and settle into doing the bare minimum to remain compliant with data security regulations. But true data security requires a continually updated approach to avoid exposing sensitive customer information and risking costly downtime.
So what do financial institutions need to know about the recent White House cybersecurity guidelines? And how can they use them to reevaluate their own data security strategy?
White House Cybersecurity Guidelines for Banks
“Poor software security greatly increases systemic risk across the digital ecosystem and leaves American citizens bearing the ultimate cost. We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognising that even the most advanced software security programs cannot prevent all vulnerabilities.”
– Strategic Objective 3.3 of the National Cybersecurity Strategy
The White House guidelines are not geared toward a specific industry, but the third pillar directly relates to financial institutions. It outlines expectations for any company that handles or retains sensitive personal data of its customers.
Maintaining the privacy and security of this information is paramount. The strategy doesn’t immediately impose new regulations or laws relating to this; the basic expectations are already dictated by existing regulations like the Gramm–Leach–Bliley Act (GLBA). The new guidelines reiterate the importance of protecting this information, bringing data security to the forefront of awareness.
Many financial institutions pursued digital transformation during the last few years. Even though the pandemic put these advancements on the fast track, the shift toward online services was already underway. The cybersecurity guidelines highlight the responsibilities of organisations that produce software products and services to maintain secure development practices.
Bad actors could exploit weak software, giving them access to a potentially massive number of customer records. As a financial institution, it is your responsibility to protect the information in your system – which also includes the software produced by your development team.
How Financial Institutions Can Meet These Guidelines
“We will not replace or diminish the role of the market, but channel market forces productively toward keeping our country resilient and secure… In too many cases, organisations that choose not to invest in cybersecurity negatively and unfairly impact those that do, often disproportionately impacting small businesses and our most vulnerable communities.”
– Pillar Three, National Cybersecurity Strategy
Most of the guidelines relate to best practices. Financial institutions have preexisting requirements for data security, but their specific approaches need to be continually updated. The very first step a financial institution should take is to audit existing security measures.
Talk with your team members to find out if there are aspects of your system that have outgrown your security approach. Firsthand accounts and recommendations from team members who work directly with various environments will give you an updated assessment of your current vulnerabilities and identify opportunities for improvement. Performing automated scans of these environments produces actionable insights and reports that accompany this feedback.
Taking a DevSecOps approach to software development is key. With these new recommendations and the recent increase in cyberattacks, financial institutions can no longer afford to treat data security as an afterthought. Automated tools like static code analysis and integration testing ensure that every update and application is stable and secure, preventing data security vulnerabilities before they have a chance to be exploited.
Evaluate your existing data backup and recovery strategy. There are numerous potential causes for an outage, and the best way to prepare is to ensure you can quickly return to operations should one occur. Automated snapshots need to be taken several times a day. Recovery time objectives and recovery point objectives need to be established and configured.
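The RPO and RTO checks described above, as an added example that is not from the article or from AutoRABIT: a small Python script that reads a constructed snapshot log, flags every interval between snapshots longer than the configured recovery point objective, reports the worst-case data loss for a hypothetical failure time, and checks a timed recovery drill against the recovery time objective. The timestamps, the 6-hour RPO and the 1-hour RTO are assumed values.

```python
from datetime import datetime

# Constructed sample snapshot log for one environment (timestamps are made up).
SNAPSHOT_LOG = [
    "2024-03-01T00:05:00Z",
    "2024-03-01T06:05:00Z",
    "2024-03-01T12:05:00Z",
    "2024-03-01T18:05:00Z",
    "2024-03-02T00:05:00Z",
    "2024-03-02T13:40:00Z",  # the 06:05 snapshot did not run; the next one ran late
    "2024-03-02T18:05:00Z",
]
RPO_MINUTES = 6 * 60  # assumed objective: lose at most 6 hours of data
RTO_MINUTES = 60      # assumed objective: back in operation within 1 hour

def parse_ts(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def minutes_between(earlier, later):
    return int((later - earlier).total_seconds() // 60)

def rpo_violations(snapshots, rpo_minutes=RPO_MINUTES):
    """Return (start, end, gap_minutes) for each interval between consecutive
    snapshots that exceeds the RPO: a window where a failure would lose too much."""
    stamps = sorted(parse_ts(s) for s in snapshots)
    violations = []
    for earlier, later in zip(stamps, stamps[1:]):
        gap = minutes_between(earlier, later)
        if gap > rpo_minutes:
            violations.append((earlier.isoformat(), later.isoformat(), gap))
    return violations

def worst_case_loss_minutes(snapshots, failure_at):
    """Minutes of data lost if a failure happened at failure_at: the time since
    the most recent snapshot before that moment; None if no snapshot preceded it."""
    failure = parse_ts(failure_at)
    prior = [t for t in (parse_ts(s) for s in snapshots) if t <= failure]
    if not prior:
        return None
    return minutes_between(max(prior), failure)

def rto_met(measured_restore_minutes, rto_minutes=RTO_MINUTES):
    """True if a timed recovery drill finished within the RTO."""
    return measured_restore_minutes <= rto_minutes

if __name__ == "__main__":
    for start, end, gap in rpo_violations(SNAPSHOT_LOG):
        print(f"RPO breach: {gap} min between {start} and {end}")
    print("RTO met by a 45-minute drill:", rto_met(45))
```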
Even if your data security strategy has been successful for years, it needs to be periodically examined. A comprehensive update to this approach will help financial institutions adhere to White House guidelines while providing the most possible coverage against increasing data security threats.
“We aim to operationalise an enduring and effective model of collaborative defence that equitably distributes risk and responsibility, and delivers a foundational level of security and resilience for our digital ecosystem.”
– Pillar One of the National Cybersecurity Strategy
Financial institutions are not alone in this fight. The White House guidelines recognise the role our present administration plays in assisting with the fight against cyber threats. And while financial institutions shouldn’t rely on the government to completely cut off cyber threats, it’s important to know that there is a network of support working behind the scenes.
Here are some of the main tactics laid out by the White House cybersecurity guidelines:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
Financial institutions face a larger cybersecurity challenge than other industries. However, the new White House guidelines reiterate what most organisations handling confidential data should already know – it’s their responsibility to protect the sensitive information clients entrust to them.
Paying strict attention to data security measures – along with using the best practices outlined by the government – will give your InfoSec teams the best chance at avoiding events of catastrophic data loss.