Executive panel: key banking cybersecurity developments for 2023
As the world becomes increasingly digital, the need for robust cybersecurity measures in the banking industry has never been greater. With new technologies and online threats emerging constantly, it is important for banks to stay ahead of the curve to protect their customers’ sensitive information and financial assets.
To better understand what’s top of mind within the industry in 2023, I spoke with ten executives from some of the industry’s leading organisations, and below are some of the key developments they see shaping the industry this year.
Panel members:
- Georgeo Pulikkathara, interim head of security operations, Bank of the West
- Dante Jackson, head of insider threat, Truist
- Dan Menicucci, chief security advisor, Microsoft
- Cameron Yardy, director of cybersecurity, First West Credit Union
- Izzat Alsmadi, computing and cybersecurity department chair, associate professor, Texas A&M University – San Antonio
- Carl Eyler, chief information security officer, Moonstone Bank, and adjunct assistant professor, University of Maryland University College
- Praveen Kesani, head of transformation and digitisation, commercial and corporate banking, Wells Fargo
- Belinda Tucker, senior vice president, bank operations, MainStreet Bank
- Jim Van Dyke, SVP, innovation, TransUnion
- Rujuta Karkhanis, director, cyber endpoint engineering, RBC
1. Artificial intelligence (AI) and machine learning (ML)
As cybercrime continues to become more sophisticated, banks are adopting technologies that can keep up with the threats. AI and ML are among those technologies that are playing an important role in helping banks protect their systems and data against malicious attacks. One of the primary ways AI and ML are currently being used in banking cybersecurity is for threat detection and to amplify staff.
When I spoke with Bank of the West’s Georgeo Pulikkathara, we discussed how the analysis of behavioural patterns is a critical aspect of threat detection and the role that AI and ML are playing in this area. “AI and ML can be critical in helping identify patterns that can then be executed on. They help more rapidly perform the analysis and then more quickly identify the potential security incidents that need to be investigated.”
Microsoft’s Dan Menicucci added that beyond the benefits of speed and effectiveness, AI and ML are also making significant contributions to the efficiency, retention and engagement of staff, particularly given that cybersecurity specialists are scarce and in high demand. “Everyone is trying to figure out how to be more efficient as a security operations centre and AI and ML are enabling technologies for that. The key issue, when it comes to talent that is defending the organisation, is that you don’t want to burn them out and you want to make sure that you’re sending them high quality alerts and giving them as much context as possible.”
Furthermore, although external sources of cybersecurity threats (e.g. malware, phishing, DDoS attacks, or ransomware) are often what first come to mind, it’s important to remember that threats can also originate from within. Insider threats are becoming more common, as employees with access to sensitive information can turn to criminal activity.
Truist’s Dante Jackson discussed how user behaviour analytics (UBA) leveraging AI and ML is used to spot anomalies in activities taking place within a bank. He mentioned that these threats can take many forms, from stolen customer credentials to social engineering attacks. When scanning for possible patterns that might alert to cybercrime, he mentioned that there are a wide variety of red flags to look out for. “Are people doing things that are outside the norm of their typical work? Is anyone accessing files and folders that they typically don’t? Are they looking up documents that have sensitive information at a greater frequency than usual?” Establishing baseline patterns in standard activities and identifying outliers like these can go a long way in preventing cybercrime.
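The baseline-and-outlier check described above, as an added example that is not part of the original article or any panel member's tooling. The users, folder paths, event tuples and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_baseline(events):
    """Per-user profile from history rows of (day, user, folder, is_sensitive)."""
    folders = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    days = set()
    for day, user, folder, is_sensitive in events:
        days.add(day)
        folders[user].add(folder)
        daily[user][day] += int(is_sensitive)
    profile = {}
    for user, seen in folders.items():
        # Days with no sensitive access count as zero, so quiet days shape the norm.
        counts = [daily[user].get(d, 0) for d in sorted(days)]
        profile[user] = {"folders": seen, "mean": mean(counts), "std": pstdev(counts)}
    return profile


def score_day(profile, events, z_threshold=3.0, min_std=1.0):
    """Return (user, reason, detail) alerts for one day of access events."""
    touched = defaultdict(set)
    sensitive = defaultdict(int)
    for _day, user, folder, is_sensitive in events:
        touched[user].add(folder)
        sensitive[user] += int(is_sensitive)
    alerts = []
    for user in sorted(touched):
        base = profile.get(user)
        if base is None:
            # No history (new joiner, renamed account): surface it, do not guess.
            alerts.append((user, "no_baseline", ""))
            continue
        for folder in sorted(touched[user] - base["folders"]):
            alerts.append((user, "new_folder", folder))
        # Floor the deviation so a very regular user is not flagged for +1 access.
        z = (sensitive[user] - base["mean"]) / max(base["std"], min_std)
        if z >= z_threshold:
            alerts.append((user, "sensitive_spike", f"z={z:.1f}"))
    return alerts


def constructed_history():
    """Ten days of constructed activity for two made-up users."""
    events = []
    for day in range(1, 11):
        for _ in range(2 + day % 2):  # alice: 2 or 3 sensitive loan files a day
            events.append((day, "alice", "/loans", True))
        events.append((day, "bob", "/hr", day % 5 == 0))  # bob: rarely sensitive
    return events


# Constructed day 11: alice behaves as usual, bob reads a new folder heavily.
TODAY = (
    [(11, "alice", "/loans", True)] * 3
    + [(11, "bob", "/hr", False)]
    + [(11, "bob", "/treasury", True)] * 9
)

if __name__ == "__main__":
    for alert in score_day(build_baseline(constructed_history()), TODAY):
        print(alert)
```

Both red flags fire only for the user whose activity departs from their own history; the same volume of access would be unremarkable for a user whose baseline already includes it.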
Lastly, there’s a key point that Cameron Yardy from First West Credit Union raised and that was echoed by most of the executives I spoke with. Though AI and ML are starting to have a significant impact, they are still in their very early stages and not yet fully reflective of what most would consider true AI and ML, where machines are independently thinking and acting on their own. But as AI and ML continue to evolve, some of the developments currently underway and expected to further take shape in 2023 include:
- predictive models to detect fraud and phishing scams before they can do any harm;
- natural language processing (NLP) to analyse large amounts of unstructured data;
- AI-based systems for freeing up resources and more fully automating mundane security tasks such as patching, patch management, and vulnerability scans;
- ML to help banks comply with regulations;
- reinforcement learning, generative models and other advanced techniques used in areas like fraud detection, anti-money laundering (AML), and customer behaviour analysis.
2. Increased adoption of zero trust architecture (ZTA)
Though the principles behind ZTA have been used for many years, its growing application within cybersecurity is relatively recent. As its name implies, ZTA is a cybersecurity model that assumes that all users, devices, and networks, whether inside or outside an organisation, can’t be fully trusted and need to be verified before being allowed to access resources. As Yardy put it, “it essentially takes away the decentralised, walled garden view and brings security down to the individual machine level, protecting each machine rather than protecting the overall wall that’s securing all the machines”.
ZTA is based on the idea that traditional security approaches, which rely on a perimeter-based defense, are no longer effective in today’s environment, where there are a large number of network-connected devices and the perimeter is constantly changing.
Under a zero trust model, access to resources is granted on a need-to-know and verify-explicitly basis, rather than based on the trustworthiness of the user or device. This means that all access requests are authenticated and authorized before being granted, and all communications are encrypted. In addition, ZTA often includes continuous monitoring and verification of users and devices to ensure that they are still authorised to access the resources they are requesting.
One of the primary benefits of ZTA is that it enables organisations to better detect suspicious activity within their networks. The system produces detailed logs about user behaviour, which can be used to identify anomalies quickly, allowing for faster responses when threats arise. AI and ML technologies can also be employed in conjunction with ZTA to strengthen its effectiveness by analysing patterns in log data and improving detection accuracy over time.
Another advantage of ZTA is that it helps protect against lateral movement from malicious actors within an organisation’s internal network. By requiring authentication at each step along the way, attackers are unable to move freely around the system without being detected and blocked by security protocols in place. Additionally, ZTA makes it easier for organisations to manage their access rights since everything must go through explicit approval processes, eliminating unnecessary permissions that could be exploited by malicious actors.
Cameron and other members of the panel have seen ZTA in action and see it as a move toward a more secure, proactive and automated way of security management. With a greater number of banks embracing zero trust principles, it’s becoming the norm in the industry. The panel foresees it continuing to grow in prominence and anticipates two trends shaping its development in the near term:
- Zero trust network access (ZTNA) – ZTNA allows organisations to secure access to their applications and data from any location, by creating a secure tunnel between the user’s device and the application. With the shift to cloud and remote work, the need for ZTNA solutions has become more pressing and will soon become more widespread.
- Security analytics and intelligence – as the number of connected devices and applications increases, it will become increasingly difficult to keep track of all the data and identify threats. Security analytics and intelligence solutions will help with the implementation of ZTA and allow organisations to detect and respond to threats more quickly and effectively.
3. Adversarial ML
Just as banks are taking a more sophisticated approach to cyber security, unfortunately, so too are criminals. I spoke with Texas A&M University’s Izzat Alsmadi about one development in particular that he believes will play a significant role in the fight against advanced attacks over the coming years.
“Adversarial ML is getting a lot of attention and is becoming one of the big areas of focus within cybersecurity. It integrates ML and deep learning techniques, and has important applications in cybersecurity. A lot of the current work in this area involves the use of neural networks and advanced modelling.”
Izzat went on to describe how adversarial ML is essentially a method of training ML models to be more secure and resistant to malicious inputs or actions, which are intentionally modified to be similar but not identical to the training data.
Common types of adversarial ML attacks include model poisoning, model evading, model masking, and data poisoning. Model poisoning involves changing the training dataset in order to fool the model into producing inaccurate results or conclusions. Model evading involves using subtle changes in input data that will not be detected by the AI system but will still cause it to produce incorrect results. Model masking is hiding malicious code inside legitimate code to evade detection while still accessing sensitive data, while data poisoning is manipulating input data so that it produces incorrect results when processed by a machine learning algorithm.
In banking, adversarial ML will increasingly be used to thwart attempts to fool fraud detection models, manipulate predictions of creditworthiness in credit scoring, and evade detection by AML models. Banks will increasingly leverage adversarial ML to help with cyber security in several ways:
- Detecting malicious activities: Banks can use ML models that have been trained using adversarial ML techniques to detect fraudulent transactions and suspicious activities, such as identifying phishing emails, malware, and network intrusions.
- Identifying adversarial examples: Banks can use adversarial ML to train models for various tasks, such as credit scoring, investment management, and AML, to be more robust to attacks, such as adversarial examples that can manipulate the predictions of the models.
- Enhancing intrusion detection systems: Banks can use adversarial ML to improve the robustness of intrusion detection systems (IDS) by training them to detect adversarial examples, which can evade traditional intrusion detection methods.
- Improving anomaly detection: Banks can use adversarial ML to train models for anomaly detection, to identify unusual behaviour, such as unusual transactions or network traffic.
- Increasing robustness in AI-based systems: Banks can use adversarial ML to improve the robustness of the AI-based systems they use, such as chatbots, voice assistants, and decision-making systems, to ensure that they function properly and securely.
4. Increased cloud adoption
When asked about top developments, Moonstone Bank’s Carl Eyler had the following to say: “In terms of trends, everybody is moving away from core mainframe systems and moving into the cloud. Everything is going to be on in the cloud and distributed. And that helps with resiliency and ensuring you have backups, which is one of the biggest concerns.”
And in addition to resiliency and back-ups, cloud computing is helping banks with cybersecurity in a number of other ways:
- Improved security controls – cloud providers typically have more resources and expertise to invest in security than individual banks, which can result in more advanced security controls.
- Scalability – cloud computing allows banks to scale their security infrastructure up or down as needed, which can be useful for dealing with sudden increases in traffic or threats.
- Compliance – many cloud providers are compliant with various regulations and industry standards, such as SOC 2, PCI DSS, and HIPAA, which can make it easier for banks to meet their own compliance requirements.
- Flexibility – banks can use cloud computing to deploy security solutions, such as firewalls, intrusion detection and prevention systems, and vulnerability management tools, that can be easily configured and managed remotely, which can improve their overall security posture.
Wells Fargo’s Praveen Kesani further highlighted the importance of incorporating a multi-cloud approach. By utilising a variety of different cloud services, organisations can spread out their data across multiple platforms and create additional layers of security to further reduce risk and improve data protection. This makes it much more difficult for attackers to access sensitive information or cause disruptions, as they have to breach multiple systems at once in order to gain access. It also diversifies their cloud usage to minimise the risk of a single point of failure.
Another benefit is that multi-cloud strategies help take advantage of the strengths of different cloud providers. For example, a bank might use one cloud provider for its data analytics workloads, another for its storage needs, and a third for its disaster recovery and back-ups.
In terms of what’s ahead, Microsoft’s Menicucci mentioned that although vendor selection and supply chain monitoring have long been a focus for banks, the increased complexity and number of third-parties that accompany a larger push into the cloud are necessitating a much greater level of oversight. In particular, banks will increasingly be leveraging third-party risk management platforms and using continuous monitoring and real-time surveillance of vendors.
5. People: recruiting, retention and education
The one area that often doesn’t get as much attention, but is critical in cybersecurity, is the human element. The panel was unanimous in regarding this as a core challenge. Their top concerns centred around three themes: recruiting, retention and education.
Recruiting
Cybersecurity staffing challenges are becoming increasingly common due to the complexity of threats today and the ever-evolving nature of cybercrime. Banks are struggling to find qualified candidates with the right technical skills, particularly given they’re in such high demand.
One of the main cybersecurity staffing challenges is finding qualified staff. This is due to the lack of people with specialized skills and knowledge in cyber security, making it difficult for companies to find the right candidates who can help protect their systems against potential threats.
Additionally, there is a shortage of professionals in certain fields such as network security, software development and data analysis which could lead to a lack of qualified personnel in critical positions.
Retention
Another challenge is the difficulty in retaining talent due to rising salaries, increased competition from other organisations, and often limited career growth opportunities. To address these challenges, banks are focusing their efforts on:
- Providing competitive compensation packages, including salaries, bonuses, and benefits.
- Offering opportunities for professional development, such as training and certification programmes.
- Promoting work-from-home flexibility or hybrid work models that allow employees to work from home and the office.
- Offering retention bonuses to key employees.
- Building a strong and positive reputation as an employer within the cybersecurity industry.
Education
Cybersecurity education for staff has long been a priority in the banking industry, and it is only becoming more important. As MainStreet Bank’s Belinda Tucker pointed out: “The human element is the weakest link. No matter what systems are put in place, training is a priority. It’s something that needs to take place across the entire organisation and it’s not something you do just once a year.”
She further noted that the need for education is also not only reserved for staff. Creating a culture of cybersecurity extends itself to clients as well.
As cyberthreats continue to evolve, banks need to ensure that the training they provide adequately covers the latest security techniques and technology. This includes staying up-to-date on risk management processes, data protection protocols, and emerging threats such as phishing attacks and ransomware.
There is a growing trend of providing role-based security training, which is tailored to the specific responsibilities of each employee. This allows staff to understand the security risks they may encounter in their day-to-day work and how to mitigate them.
Another trend that is becoming popular is the use of simulated phishing and social engineering attacks to test the employees’ ability to identify and respond to potential threats. This helps to identify any gaps in employees’ knowledge or understanding of cybersecurity risks and allows for targeted training and education to be provided.
Additionally, the use of gamification and interactive methods in cybersecurity education is on the rise, as they have been found to be effective in engaging employees and helping them retain important information.
6. Process
Beyond technology and people, a discussion of cybersecurity wouldn’t be complete without touching upon processes. And for good reason: having proper processes in place is critical in cybersecurity. They provide a framework for identifying, assessing, and mitigating security risks. They help organisations to comply with relevant regulations and standards. And they aid in incident response and recovery in the event of a security breach.
According to TransUnion’s Jim Van Dyke, “every breach discloses unique identity credentials, which in turn creates risk of particular identity crimes. The best way to assess individual identity crime risks – as well as to best guard against the risks that a particular breach can bring to any enterprise that uses PII, PCI, or PHI data – is to prescribe ID theft/fraud mitigation steps based on what risks any particular breach most raises. Believe it or not, this approach is almost never deployed today, and this is what needs to change.”
He is right. A one-size-fits-all approach to cybersecurity is no longer sufficient for banks in today’s increasingly connected world. Cybersecurity threats are becoming more sophisticated and targeted, and it is critical for banks to be able to identify and respond to these threats quickly and effectively. A diagnosis-based approach to cybersecurity is ultimately what is necessary for banks, to allow them to focus on specific areas of risk that require attention.
This type of approach allows banks to customise their security protocols based on the nature of the threats they face, helping to ensure that the measures used are tailored specifically for the bank’s environment and requirements.
7. An ecosystem approach
For RBC’s Rujuta Karkhanis, one of the key concerns and areas of focus she highlighted was around the integration of cybersecurity solutions and strategies across platforms and products. “Banks today are technology-first organisations and they’re leveraging advanced data analytics capabilities to be more intelligent and to help marry legacy systems with advanced technologies. But finding the right suite of products so that the organisation can have a holistic view of their cybersecurity posture is one of the top challenges.”
To address these challenges, banks will increasingly take an ecosystem approach to cybersecurity by implementing strategies and initiatives across (1) business and product lines, and (2) internal and external resources. Some of the key ways banks are approaching cybersecurity in this way include:
- Integrated security management – banks are working to integrate security management across business lines and product lines to provide an overarching view of security risks across the organisation.
- Risk management frameworks – banks are implementing risk management frameworks that take into account the interdependencies and relationships between different systems and technologies.
- Collaboration – banks are working with other financial institutions, technology companies, and government agencies to share information and best practices for addressing cybersecurity risks.
- Cybersecurity standards – banks are adhering to industry standards such as ISO 27001, SOC 2, and NIST Cybersecurity Framework to provide a consistent approach to cybersecurity across their organisation.
8. Resilience
Lastly, though not exclusively related to cybersecurity, Microsoft’s Menicucci brought up how resilience and the concept of “building a bank in a box” is something banks and regulators are currently talking about.
“Building a bank in a box” is the concept of creating a complete, self-contained, and highly secure environment for a bank’s critical systems and data. This environment is designed to be highly resilient and able to withstand a wide range of cyber threats, as well as other disruptions such as natural disasters or power outages.
The idea is to create a sort of a “back-up” or “disaster recovery” infrastructure which can be quickly activated in case of any incident or disaster. This infrastructure would be completely separate and independent of the primary one, and can be used to keep the bank’s operations running smoothly in the event of a major security breach or other disruption.
About the author:
Nick Bilodeau, executive director at Quantum, is a financial services and technology senior executive as well as a recognised industry influencer with over 20 years of innovation, product development and marketing experience.
His work has involved heading teams and projects for leading organisations such as American Express, Fidelity, ING, RGAX, Northbridge, and Canada Life.
This article is sponsored by Microsoft. The content and opinions expressed in this article are those of the author and panel members and do not necessarily reflect the beliefs or practices of Microsoft nor the organisations for which the contributors work.