The Magnificent Seven (M-7 2012!)

By Dan Hadaway | Wednesday, December 19, 2012 - Leave a Comment

Seven 2012 Trends in Bank Technology that will Affect 2013

2012’s Magnificent Seven

It’s that time again! Time to define the seven most important trends we’ve watched over the past year. This means that, in most cases, these trends are still trending, and should drive our 2013 tactics.

Top 2012 Bank
Technology Issues

This year’s top seven trends are (drum roll please):

Continued Breaches Due to Unawareness
Compliance with the Supplement
Corporate Account Takeovers
Orchestrated Attacks Against American Banks (still ongoing)
Mobile Banking (and look for virtual wallet and NFC in 2013)
Increased likelihood of Pretext Calling
Smishing Scams on the Rise

Number One: Continued Awareness Breaches

Our number one 2012 trend is the fact that even now, after all our efforts, banks are still losing data thanks to a lack of awareness on the part of our own employees. It’s the same old number (67%) we’ve always seen, but
digging into the data might enlighten us a bit.

According to our analysis of the publicly known breaches of financial institutions listed at privacyrights.org, 70 data breaches at United States Banks were made public in
2012. Seventeen of those breaches were caused by a malicious insider, meaning that someone with legitimate access intentionally breaches information – such as an employee or contractor. We think banks need to be
realistic that 24% of breaches came from malicious users.

Sixteen of those breaches were “Unintended Disclosures,” meaning that sensitive information was posted publicly on a website, mishandled, or sent to the wrong party via e-mail, fax, or mail. This is what we usually think of when we hear about insider breaches.

Eight of the breaches were due to lost, discarded, or stolen portable devices (laptops, PDAs, Smartphones, etc.). Again, these were at US Banks. More than 10% of the breaches were due to bankers losing their portable device.

Five of the breaches were “paper loss,” where an employee discarded sensitive information in a manner that does not comply with our Destruction of NPI policies. They didn’t use the shred box, and they embarrassed the bank. That leaves 26% of the breaches due to external threats — the threats we most worry about, the hackers and
the corporate account takeovers. Maybe our strategy this year should focus on awareness training, not at the expense of protecting ourselves against the external threats, but in addition to that protection.

Number Two: Compliance with the Supplement

Most of our Clients continue to implement actions to bring themselves into compliance with the FFIEC’s June 2011 Supplement to the 2005 Guidance on Authentication in the Internet Banking Environment. The theme of the supplement is “layers of security.” The layers called for are robust authentication, anomaly detection and response, and customer education.

While they have been forced (yet again) to rely upon (and wait for) their vendors for answers to the authentication layer component of the supplement, most of our Clients are still investigating effective methods for implementing Detect and Response, and are at least talking to their marketing people about the marriage of security and marketing, in the form of Customer Education. We think most community-based banks will be listing Customer Education as a high priority in 2013.

Number Three: Corporate Account Takeovers

The reason Supplement Compliance will be a high priority in 2013 is because of the fact that corporate account takeovers are part of a trend that has bank’s realizing real monetary losses. We have at least three clients who are dealing with this very issue right now. The good news? The supplement was right.

Number Four: Orchestrated Attacks Against American Banks (still ongoing)

The fourth trend we are witnessing in real time is the Distributed Denial of Service attacks on American banks. We’ve all read the press on this. It can happen to us too. We predict that this trend will continue, and we should dust off our incident response plans in case our providers are attacked. I agree with the skeptics that these organized criminals are probably not going to target a small bank in the middle of Indiana. Instead, they will target your provider. So dust off your incident response plans. How are you going to communicate to your on-line banking customers that your system will be “off-line” until further notice?

Number Five: Mobile Banking

The use of SmartPhones only quickened in 2012 and we all agree this will continue long past 2013. All the risks we predicted in 2009 related to mobile banking are alive and well. The difference in the near future will be a result of near field communication (NFC). Look for virtual wallets to not only cause irritating breaches and fraud, but also a loss of market share. Maybe 2013 is too early for your sized community. MAYBE NOT.

Number Six: Increased likelihood of Pretext Calling

2012 was the year that our phone rang off the hook with bankers looking for someone to implement some pretext calling tests. Most of our Clients are experiencing pretext calling on a regular basis. Unfortunately privacyrights.org does not list pretext calling as a source of a breach. Furthermore, most pretext calling breaches go unnoticed, and are one record at a time. But we see them being used not just by the nosy neighbor, but also as part of malicious attacks on banks and bank customers.

Number Seven: Smishing Scams on the Rise

Smishing is the text-message version of phishing, where the bad guys send a text (SMS) to your customers, asking them to either click on a link or, in the cases we’ve seen, call an 809 area code where they can unlock their locked account. While we’ve only seen one smishing scam in 2012, we were struck by how easy it was to pull off, and how difficult it would be to trace evidence back to a perpetrator. With SMS banking becoming more popular, and all we’ve already stated about awareness, customer education, and portable device risk, we see this trend in 2012 being a big driver of issues in 2013.

Note: Privacyrights.org (www.privacyrights.org) is an excellent source of information about information breaches that were made public. The search capabilities on this site make it a great tool for information security officers to help their employees understand WHY controls exist.

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

If you would like to receive notifications when we post articles, click here.

Posted in Dan's New Leaf, Risk Management, Schools

Latest News

Another New Leaf

1 April 2023

from Dan’s New Role . . . And note the date! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Once again, I am turning over a new leaf. Those who have not been following this blog for its full fourteen-year history might not realize […]

R7-2023

21 March 2023

Top Seven Risks . . . that small bank Information Security Officers face in 2023! When we present audit reports to boards of directors, we also talk to the board about the top risks the institution is facing. Since 2006, we have been compiling a list of the “top seven risks small institutions are facing,” in […]

“Layers” Awareness Poster

15 March 2023

Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]

Biden Administration Unveils New Cybersecurity Strategy

13 March 2023

The new plan calls for technology providers, and not end users, to be responsible for security… An article review. Following multiple high profile cybersecurity incidents in 2021 and 2022 the Biden Administration recently announced new long-term goals for the nation’s cybersecurity, and under the new plan companies that provide technology would carry more of the […]

R7: 2023’s Top Seven Technology Risks Webinar Registration

7 March 2023

R7: 2023’s Top Seven Technology Risks Webinar-Video What are the top seven risks your board should know about in 2023? Since 2006, Dan has been compiling a list of the “top seven risks small institutions are facing,” in preparation for his board presentations. This webinar will present the 2023 list in a manner that you […]

Adam Reads: The “Project Management” Guidance Summary

6 March 2023

A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]

History (and Future) of the infotex Website

2 March 2023

Times they are a-changin’ . . . The infotex website is being updated. You read that right! We are in the process of updating our website from the circa 2013 version we have had for far too long. As the Digital Media Manager for infotex this excites me greatly and I look forward to the […]

ChatGPT & AI: The Good, The Bad, and The Evil

27 February 2023

A new Team member’s first article! In today’s news cycle, it is difficult to miss all the fuss about AI, or more specifically, ChatGPT. So many differing opinions on the matter can make it hard to decipher what the future looks like. Few people think AI is a gimmick, but not many know the possibilities […]

NIST Prepares Updates To Cybersecurity Framework

20 February 2023

A draft version of the new framework may be available as early as this summer… An article review. As the cybersecurity landscape is constantly evolving, the tools we use to address risk need to evolve as well–and by this summer we should be getting our first look at planned changes to the NIST cybersecurity framework. […]

“Pop-Up Awareness” Awareness Poster

15 February 2023

To the Blog