Last year, a comprehensive IT security report published by the U.S. Government Accountability Office detailed the inner workings of 15 major and minor depository institutions. It also showed where and to what degree these banks, credit unions and perhaps even the rest of the financial sector continue to fall short of the high standards the GAO and other regulatory bodies expect from 21st-century businesses that face such a high risk of cyberattacks.
Inflexible IT: The financial sector's worst nightmare
GAO showed widespread failure to create, organize and analyze incident reports and other documentation related to security deficiencies. Not only does this information help banks and other depositories continually improve in targeted, substantial ways, but it also helps regulators to better rely on incident report data and subsequent findings gleaned from bankers as a means to tailor industry-wide examinations so they can account for emerging threats.
This is hardly the only cybersecurity trouble the banking industry faces today, and it will certainly have many hurdles to clear in the coming years. Innovations like mobile payment applications and cryptocurrency, as well as the ever-mounting sophistication of hackers, will keep the financial sector plenty busy. So, while GAO constructively criticizes banking for lacking the capacity to learn from its past mistakes - in a sense, literally - the industry's cybersecurity shortcomings only emphasize how truly unprepared these institutions may be for the future. After all, incomplete cyberthreat documentation is often more of a clerical, administrative oversight than a technical one.
Advanced IT service management suites combine incident, problem and change management, as well as other useful modules, into a single platform, allowing enterprise technicians and developers to integrate new code into their configurations painlessly and securely. ITSM software typically includes documentation recall and other such services which can aggregate data to export it into ad hoc reports or combine it with other data sets which can be used with configurable dashboards. Features like these enhance the transparency of vital information for both users and regulators, leading to more actionable intelligence and more agile cybersecurity standards for the industry as a whole.
And therein lies the crux of the matter: on principle, regulators do not endorse specific products or services guaranteed to afford compliance. How could they? No such thing exists. Compliance, after all, is less like a finish line after a long-distance run and more like a constant game of juggling where a partner adds bowling pin after bowling pin to the spectacle. Drop one and risk losing your once-captivated audience (read: happy customers, stock prices and credibility).
Since we've discussed how intelligent ITSM suites could help financial IT reorganize processes for more resilient protection, let's look at what advanced change management resources could do to more directly prevent breaches:
Data breaches from flawed configuration
With so many different types of cyberthreats out in the world ready to pounce on unsuspecting financial service providers, human error may be the most insidious and ineradicable of them all. In Verizon's 2016 Data Breach Investigations Report, "miscellaneous errors" topped the list of most frequent causes of data breaches, many of them involving processes IT should manage, such as the safe disposal of sensitive data, lost or stolen enterprise technology and system misconfiguration. Ninety-three percent of the time, cybercriminals need only a few minutes to turn these regrettable mistakes into security compromises.
The answer: Assign computers to handle all these repetitive, intricate tasks. Automated dependency mapping through a CMDB and regression testing on all incoming code both support strong configuration without increasing workloads for enterprise IT teams or saddling them with duties that are too prone to human error.
Regulatory breaches caused by complexity
Compared to cybersecurity regulations in other industries, the intricacy and mutability of compliance in the financial sector could pose risks in and of themselves.
Updates have ranged from the specific (see the Office of the Comptroller of the Currency's Semiannual Risk Perspective chronicling the need for greater third-party vendor oversight throughout finance) to the general, like the Cybersecurity Act of 2015 and President Obama's executive order "Promoting Private Sector Cybersecurity Information Sharing." Nearly all of them, to one degree or another, tear down vital data barriers separating private entities from the government or independent regulators and erect foundations for transparency in their stead.
Since change is the only constant, businesses operating in the financial sector require an enhanced ability to shape their system configurations with speed and accuracy, no matter how high regulators set the bar. To that end, smarter ITSM software supported by an agile ITIL framework gives financial institutions the opportunity to develop scalable service management schema and take advantage of truly continuous delivery.
Breaches of trust between companies and customers
A 2014 Semafone survey revealed exactly how consumers feel about remaining loyal to businesses after they put customer data in jeopardy. For a lost email address, 3 out of 4 customers believe they probably or absolutely would never shop with said company again. Nearly 87 percent would likewise decline to do business if credit or debit card details were imperiled. Imagine the scale of the exodus away from financial institutions that mishandled truly sensitive data, let alone the effect such a move could have on the economy.
Way back when, a decently sized lockable vault used to be all that mattered for financial institutions. These days, financial institutions must protect currency and data in all their forms, for regulators, for customers and for their own sake. As regulations and cyberattacks grow more convoluted and businesses glean more information from different places to improve service, customer expectations for data security will not wane. Data breaches are no longer accidents, but signs of possible technological negligence. Building and maintaining a secure ITSM foundation, therefore, is no longer merely a differentiator between organizations, but what everyone expects. Fail this test, and a banking organization may lose customers for good. The importance of advanced IT service management strategies to combat threats and meet customer expectations, therefore, cannot be overstated.