Security Talk Column | Banking/Finance/Insurance

Would You Pass the Cyber Test?

About 200 banks in New York took part in a cybersecurity “exam” in which they were made to respond in real time to questions about their cybersecurity policies and procedures.

By Diane Ritchey
February 1, 2014

Late last year about 200 banks in New York took part in a cybersecurity “exam” in which they were made to respond in real time to questions about their cybersecurity policies and procedures. The test was designed to help the banks see how they compare with their peers in terms of being ready for attacks by cybergangs looking to break into their networks.

According to one cybersecurity expert, it’s not the test that is needed. Instead, what’s required is a change in focus from trying to stop distributed denial-of-service attacks to prevention.

Tom Kellermann, managing director with global professional services firm Alvarez & Marsal and former Commissioner on the Commission on Cyber Security for the 44th Presidency, says, “These banks also need to be focused on how to preserve their payments systems, insulating their organizations from credential theft and, most importantly, how to identify when a modern-day bank robber is already in the vault. In the past these smaller community banks were not on the radar of these global cybergangs, but they are now, and because they have fewer resources to put into this area than their large commercial bank counterparts, they are deemed more attractive targets.” The issue, he says, is how to prevent account takeovers, attacks on payments systems and wire-transfer systems and how to protect the IDs of users.

In addition, Kellermann suggests that the banks need to ensure that their third-party partners that store their data in the cloud are aware of threats and are shoring up their own systems. Another suggestion, he says, is giving their CISOs more autonomy, more money and the resources necessary to have current technology and practices. “The safety and soundness, trust and confidence of these financial institutions is directly proportional to the cybervision of the organization,” Kellermann says. “They should be viewing cybersecurity not as an expense, but as a function of doing business.”

 

How does one “insulate” a bank from credential theft?  

Financial institutions must manifest continuous monitoring of their security controls to ensure that they have cognizance when they are under attack and particularly aware of when sensitive data is being exfiltrated. CISOs must reevaluate their security paradigm. The security architecture of “castles in cyberspace” must shift to one of a “prison” that is inwardly focused and one that limits the leakage of credentials. We need to move beyond perimeter defenses like firewalls and encryption, for although these security controls are foundational, they’re insufficient to combat organized cyber bank heists. The following 13 strategies should be enacted:

  1. Develop a current Cyber Protection Strategy based on cyber reality.
  2. Conduct penetration tests of all third parties.
  3. Use two-factor authentication.
  4. Conduct egress filtering.
  5. Assign multiple personnel to review logs.
  6. Deploy file integrity monitoring.
  7. Implement virtual shielding for zero-day exploits.
  8. Deploy a data loss prevention (DLP) solution.
  9. Implement whitelisting.
  10. Use a custom sandbox.
  11. Access global threat intelligence.
  12. Refine Incident Response plans. 
  13. Retain a forensics partner.

 

How does a smaller bank, with fewer resources, accomplish this?

Start by crafting a forward-leaning cybersecurity strategy wherein offense informs defense. Limit administrator privileges; deploy two-factor authentication; deploy a DLP; and assess the security of your shared service provider and cloud provider. All of these things will be paramount.

 

How does educating bank staff play a role in these efforts? 

Security is only as strong as your personnel’s cyber hygiene. Educational efforts must be robust and include the continuing education of cybersecurity professionals as well as the monthly education of the board per how the institution’s risk posture has changed due to events in cyberspace.

 

How should a bank audit its third-party providers? 

Begin by educating your general counsel to move away from standard Service Level Agreements. These are far too focused on “up time” and must extend your security into the provider’s network to prevent the “island hopping” cyber attacks that use third-party systems to transit into your network. Conduct a security gap analysis with a vulnerability assessment of the third-party provider systems with mandatory timely remediation.

 

Are there other sectors that could or should conduct a cyber test? 

Outside of the financial sector, the most targeted businesses are Biotech, Pharma and Hi-Tech. All of these sectors must begin to “scrimmage” more as they are under attack now.    

KEYWORDS: bank cybersecurity cyber test penetration testing two-factor authentication


Diane Ritchey was former Editor, Communications and Content for Security magazine beginning in 2009. She has an experienced background in publishing, public relations, content creation and management, internal and external communications. Within her role at Security, Ritchey organized and executed the annual Security 500 conference, researched and wrote exclusive cover stories, managed social media, and authored the monthly Security Talk column.
