Pub. 7 2019 Issue 3

BANKING SECURITY AND CULTURE

As of October 2019, IBM estimated that the average total cost of a data breach is now $3.92 million USD. That’s a global number. If you consider just the U.S., it’s worse: $8.19 million. The average number of records per breach is 25,575. Another problem is that cyberattacks are increasingly frequent. The University of Maryland estimated in 2018 that cyberattacks take place every 39 seconds.

As important as it is for a bank to protect its customers’ money, a security breach is not just about money. It’s also about customers continuing to trust you with their money.

What can you do to protect your bank? The obvious answer is to buy protection in the form of a state-of-the-art security system. That will do a lot to prevent problems, but any security program becomes ineffective if it isn’t implemented correctly. What you need, in other words, is more than a security system. You need a culture of security.

How do you create one? The first step is making commitments about building a security-oriented culture at the very top of the organization. It takes money and attention to buy resources and then to integrate the resulting security system into the bank’s business processes, so you need to make sure that key decision-makers support your efforts.

How do you gain their support? Bankers understand money, so put the argument in terms of financial risks. Suppose a security problem takes down a server for two hours. Two hours of downtime may not seem like much if all you are looking at is time, but you have to look at how many employees were affected and how much you paid them to stand around waiting for things to get fixed. According to the PayScale website, the average salary at U.S. banks is $69,000 annually. That works out to more than $33 per hour. If you calculate how much it costs to have a server down for two hours, the result might be as much as $1,650.
Two lost hours are not going to make anyone pause. Two hours that cost $1,650, however, probably will.

Treating security as something that can be added on the back end of the planning process doesn’t work; there’s too much chance that something important will be missed, and that the bank’s security will be compromised as a result. Ideally, security has to be integrated with any new services or programs right from the beginning, and then maintained from that point on. Evaluate each job role at the bank in terms of how that job can contribute to the bank’s security. When changes need to be made to current systems, it is also important to complete a security review before making the changes, and to resolve any potential issues before those changes are actually put into place.

By B.J. Weight, Security Services, Inc.
