Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Matt Deres
Matt Deres
Connect Directly
E-Mail vvv

Banks and the New Abnormal

Banks have hesitated to adopt many strong security practices, and for understandable reasons. But now is the time to be bold.

With businesses starting to reopen after the COVID-19 shutdown here in Massachusetts, I am already tired of hearing about the "new normal." We're nowhere near hitting anything approaching "normal." We're certainly never going back to where we were on March 1, but no one knows where we'll be when a vaccine is discovered and we can go to the grocery store without taking a Silkwood shower when we get home. We're in the middle of chaos, and IT departments are just trying to juggle the day-to-day issues related to remote workforces and new security risks.

But that will change sooner than we think. Companies everywhere are declaring working from "anywhere" as the new standard for their employees, and so many cybersecurity teams are already planning for the uncertain future. And that future is going to be radically different than anything we've seen before. If you've been waiting for the next great leap forward (and were around for the invention of the transistor), you may be in the right place at the right time. The planet is facing an unparalleled challenge, and the fixes will not be incremental. Strap yourself in for a hell of a ride.

Most innovations in banking are slow and linear, but right now we're seeing myriad new consumer-driven changes affecting how people use their money and disrupting the industry. These include the expectation for contactless payments, card-not-present payments, and instant payments. In Australia and some European countries, these immediate payments are taking over for long-standing money-transfer systems like ACH, wires using SWIFT networks, and other credit card batch settlement methods. Things have gotten faster, and they're changing dramatically.

Here's why: Since the advent of electronic communication as the primary means of sharing information — roughly the past 35 years — there has never been a disruption like the COVID-19 pandemic. We've had mega-disasters like 9/11 and Category 5 hurricanes that have upturned payment methods and banking, but they've all been regional in scope and not enough to change broad behaviors. This is why regulators managed by the Federal Financial Institutions Examination Council have an ever-extending checklist of "must-dos" for banking security controls. With the challenges of the current pandemic, the current banking anti-fraud and security infrastructure is now being severely tested.

Along with the banking product changes, banks have thousands of employees working from home on nonsecure Internet connections, which has created unprecedented challenges. Ditto for billions of dollars being wired or mailed to taxpayers. We need to rethink what we're doing from the ground up. After all, we don't know if we will ever be back in our offices again, and if we do, whether people will come in every day. Is COVID-19 the beginning of a permanent work-from-home revolution? Will the idea of the central office even matter in two years or will everything be decentralized? Those are the questions we need to ask ourselves every day.

So what do we do? For starters, we need to reimagine the VPN. The basic concept is sound, but most private networks were designed for a "spoke" model rather than thousands of independent access points. And multifactor authentication (MFA) can no longer be an auxiliary or perimeter security measure. It needs to be baked into the front lines of defense.

And that's just for remote access. What about reconciliation and fraud detection? Is a daily balancing really good enough anymore, or do banks need to adopt real-time updates to prevent unauthorized access and transfers? Do we need a full, across-the-board, zero-trust approach?

The good news is that the infrastructure to supporrt all of this is very strong, and it exists right now. Most banks use mainframes, which are incredibly fast and reliable — not to mention difficult to improperly access. MFA tools are already in use, but they're not universally deployed. Zero trust exists, but many institutions are wary of the effects of end-user inconvenience.

Banks have been hesitant to adopt many of these practices — and for good reason. But now is the time to make the next bold step. Security has always been important, but now it's  non-negotiable. Banks need to do whatever they can to keep their assets, and those of their customers, as safe as possible.


Matt Deres is senior vice president and chief information officer at Rocket Software, a Boston area-based software development firm specializing in application modernization and optimization, where he oversees IT strategy for the company's domestic and global operations. He ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Shih-Chin Yang
Shih-Chin Yang,
User Rank: Apprentice
8/24/2020 | 12:24:04 AM
We all have a lot to learn for working-anytime-anywhere
For software companies, it might be easier to adopt a working-anywhere-anytime model, since their deliverables are digital in nature.

On the other hand, for incumbent industries such as banking, a lot need to be learned to make sure a smooth and secure transition. MFA(or 2FA) and use of strong passwords are just basics, but inconvenience seems to be the excuse of not using it.

There are other measures such as

. Not to send confidential information over Email;

. Encrypt your confidential data before sending it to cloud;

. A secure knowledge or content management for distributed workforces with access controls for different groups of people;

From a broader perspective, the first wave of cloud services adoption is to know that they are very great for productivity. As more and more people concerned with their data privacy, an extra layer of protection such as end-to-end encryption is to make sure no third-party could look into customers' data.

Banks are indeed in a race to protect their core business, and not to lose to the competition, especially technology companies.
User Rank: Strategist
8/22/2020 | 12:23:31 AM
end-user banking security is universally awful

Along with the infrastructure and employee security you talk about, banks are desperately in need of upgrades to end-user security, which is universally awful.

Most banks' idea of end-user security is blocking VPNs, imposing ridiculous captchas, and using security questions any third-rate hack can find answers to on social media or the dark web.

If a bank is not offering app- or token-based MFA and forces users to turn off their VPN before accessing their site then they have no business being in the banking business.

I'm not a guy who wants federal solutions to all (or even most) problems, but insecure access to a bank seems to me a clear place for regulation. FDIC needs to require banks to offer robust end-user security options like app or token MFA (knowing that technologically challenged users won't use them) as a condition of their charter.

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
PUBLISHED: 2021-06-23
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
PUBLISHED: 2021-06-23
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.