By: Alex Shanteau, Security Engineer, MAD Security | June 27, 2019

When assessing growth strategies, it’s important to consider the security implications brought forth by them as they relate to your current security posture and business goals. In this blog, we will discuss mainstream organic growth strategies – such as scaling and demographics, increased product offerings, and infrastructure changes – and how best to navigate the security challenges most often presented.

Organic growth strategies can be broken down into three main categories, with some overlap inherently included in each.

Scaling and Demographics
One such strategy banks pursue is either broadening or deepening their targeted demographics. Broadening a demographic means pursuing specific customers for product categories, such as small business banking. Deepening a demographic means focusing on customers that have multiple product requirements, e.g. both investment and banking needs. Banks may also focus on particular demographics, such as acquiring newly graduated students whose banking needs will grow over time.

Expanding access for customers through scaling and demographics comes with added security challenges. These include an increased attack surface cultivated from both the increasing number of technologies required, and the amount of customer data being protected. Serving a variety of customer generations can also lead to additional security challenges. For example, different-aged generations may not fully understand security concerns and be more vulnerable to scams or other risky scenarios.

Increased Product Offerings
Another strategy is increasing the number of products offered to customers. Digital banking, mobile applications, automated financial health checks and investment advice, along with other products, are increasingly being offered as integrated solutions.

Similar to the challenges faced by demographic and scaling strategies, as additional product offerings are developed and deployed, banks will require an expanding arsenal of technologies to support these offerings. New technologies and new integrations with old technologies can increase the attack surface of an organization. This increased attack surface can lead to additional attack vectors and vulnerabilities; if proper access controls, encryption, and configurations are not applied, these integrations can be exploited to the detriment of the bank. Mobile banking applications are an excellent example of this. Mobile applications are a newer technology that will require effort to ensure that both the mobile application itself and its interaction with existing banking systems are well fortified.

Infrastructure
One final strategy banks pursue is a change in how they build out their infrastructure. As modernization occurs, banking is increasingly done entirely online, diminishing the role that physical branches play. In addition, outsourcing technology platforms plays a key role in modernization as the economies of scale that third-parties can offer can be quite attractive to banks.

There are several security considerations that come along with these migrations. In particular, regional and smaller banks may not have the capabilities to aggressively pursue technology and may not have the in-house expertise to monitor and manage these new technologies. Without these capabilities, banks can be effectively blind to vulnerabilities and configuration issues created by modernizing their infrastructure. Cloud technologies such as AWS and Azure are attractive for decreasing hardware costs, but come with a multitude of configuration options that can impact security. Architecting these environments securely, as well as ensuring they are properly monitored, is key to ensuring that these migrations have a net positive effect on an organization’s security posture.


What Can Banks Do?

Each of the security challenges brought about by different organic growth strategies can be mitigated through proper planning and implementation.

Customer Protections
With the influx of different customers that may not be security savvy, banks can implement several measures to ease this burden on customers. Externally, one solution is to offer security training to customers. Simple educational tips, such as reminders to never share a password, or that the bank will never ask for personal information over the phone or by email, can go a long way towards keeping customers safe from malicious actors. Internally, one strategy is to implement behavioral analysis. When properly implemented, this can alert on suspicious activity and ensure that customers' and banks' assets are further protected.

Technology Advancements
When deploying new technologies, banks must take steps to ensure the proper configuration is implemented, while also ensuring ongoing maintenance is performed regularly. Banks that do not have the required in-house expertise to guarantee that this is performed effectively can partner with experts within the space to consult, validate, and implement these technologies securely.

Monitoring
When transitioning infrastructure online, utilizing third-party vendors, and increasing the interactions between offered solutions, banks should ensure that all offered platforms can be properly monitored for malicious actions, and that events from these platforms can be correlated to build a picture of how attacks originate and proliferate. This also ensures that a rapid response can be initiated as soon as an attack is detected, minimizing or even eliminating the damage done.
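The cross-platform correlation described in the Customer Protections and Monitoring sections above, as an added example that is not part of the original post and not MAD Security's tooling. It assumes a hypothetical key=value log format shared by a bank's web and mobile platforms, constructed sample log lines, a hypothetical per-customer known-device store, and illustrative time windows and transfer thresholds. The point it shows is that neither the mobile login nor the web transfer is suspicious on its own; only correlating them per customer across platforms produces an alert.

```python
"""Toy per-customer event correlation across web and mobile banking platforms."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<ts> <platform> key=value ..." format.
# Not real customer data. Customer C100 shows a login from an unknown device in a
# different country, a password change, and a large transfer within minutes.
SAMPLE_LOG = """\
2019-06-27T09:00:00Z web cust=C100 action=login device=LAPTOP-1 country=US
2019-06-27T09:05:00Z mobile cust=C100 action=transfer device=PHONE-1 country=US amount=120.00
2019-06-27T09:40:00Z mobile cust=C100 action=login device=PHONE-9 country=RO
2019-06-27T09:42:00Z mobile cust=C100 action=password_change device=PHONE-9 country=RO
2019-06-27T09:50:00Z web cust=C100 action=transfer device=PHONE-9 country=RO amount=9500.00
2019-06-27T10:00:00Z web cust=C200 action=login device=LAPTOP-2 country=US
2019-06-27T10:30:00Z mobile cust=C200 action=transfer device=PHONE-2 country=US amount=40.00
"""

# Hypothetical device-history store: devices previously seen for each customer.
KNOWN_DEVICES = {"C100": {"LAPTOP-1", "PHONE-1"}, "C200": {"LAPTOP-2", "PHONE-2"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<platform>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; raise on malformed input rather than guess."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "platform": m.group("platform"),
        "customer": fields["cust"],
        "action": fields["action"],
        "device": fields["device"],
        "country": fields["country"],
        "amount": float(fields.get("amount", "0")),
    }


def group_by_customer(events):
    """Merge events from every platform into one time-ordered stream per customer."""
    by_customer = defaultdict(list)
    for e in events:
        by_customer[e["customer"]].append(e)
    for evs in by_customer.values():
        evs.sort(key=lambda e: e["ts"])
    return by_customer


def detect_impossible_travel(events, window=timedelta(minutes=60)):
    """Two logins from different countries inside the window, on any platforms."""
    logins = [e for e in events if e["action"] == "login"]
    for a, b in zip(logins, logins[1:]):
        if a["country"] != b["country"] and b["ts"] - a["ts"] <= window:
            return {"rule": "impossible_travel",
                    "platforms": {a["platform"], b["platform"]},
                    "detail": f"{a['country']} -> {b['country']} in {b['ts'] - a['ts']}"}
    return None


def detect_new_device_takeover(events, known, window=timedelta(minutes=30),
                               threshold=5000.0):
    """Login from an unseen device followed by a password change and a large transfer."""
    for i, login in enumerate(events):
        if login["action"] != "login" or login["device"] in known:
            continue
        later = [x for x in events[i + 1:] if x["ts"] - login["ts"] <= window]
        changed = [x for x in later if x["action"] == "password_change"]
        big = [x for x in later if x["action"] == "transfer" and x["amount"] >= threshold]
        if changed and big:
            return {"rule": "new_device_takeover",
                    "platforms": {login["platform"]} | {x["platform"] for x in changed + big},
                    "detail": f"device {login['device']} moved {big[0]['amount']:.2f}"}
    return None


def correlate(log_text, known_devices):
    """Run every detector over each customer's merged stream; return alert dicts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for customer, evs in group_by_customer(events).items():
        known = known_devices.get(customer, set())
        for alert in (detect_impossible_travel(evs),
                      detect_new_device_takeover(evs, known)):
            if alert:
                alerts.append({"customer": customer, **alert})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG, KNOWN_DEVICES):
        print(a["customer"], a["rule"], sorted(a["platforms"]), a["detail"])
```

Each alert records which platforms contributed, which is what an analyst needs to trace how an attack originated (here, on mobile) and where it proliferated (to web). In a real deployment the device store, thresholds and windows would come from the bank's own baseline rather than the constants above.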

Conclusion
Banks are attempting to grow organically through a number of strategies. However, these strategies come with a number of security concerns, including an increased attack surface, additional people concerns, and a lack of expertise with new technologies. While organic growth strategies have risks associated with them, those risks can be negated as long as they are taken into account and properly addressed.

If you have concerns or questions about anything security related, please feel free to reach out to us!


Alex Shanteau
Alex Shanteau is a Senior Security Consultant with MAD Security. He has experience in the information technology and cybersecurity domains and has worked extensively performing technical and GRC assessments as well as supporting MAD Security’s Managed Security Services across multiple industries. Other highlights include writing and delivering training for the US Coast Guard, network modeling and evaluation, and presentations on a variety of topics relating to cybersecurity.