10 risks and cybersecurity strategies for banks in 2023

Cyberattacks are becoming more frequent, and they’re costing companies more as well. The average cost of a data breach for a U.S. company in 2022 was $9.44 million, up from $9.05 million the previous year. As the financial services sector grows more digitized and the volume of electronic transactions surges, the industry is even more susceptible to cyber-based perils.

In 2023, 10 cybersecurity hazards in particular could cause significant disruption, but financial services companies can implement specific, proactive cybersecurity strategies to mitigate risk.

Cybercriminals are taking advantage of financial services companies’ increasing embrace of and reliance on cloud services, so cloud security controls are critical. Once threat actors gain entry to these cloud services, they target sensitive information, which they then alter, steal, destroy, or use to gain reverse access to the organizations’ internal networks.

The most serious vulnerabilities often stem from cloud misconfigurations, unrestricted cloud management platform access, and lack of visibility of cloud infrastructure. The resulting attacks can expose sensitive information, grind operations to a halt, and inflict substantial financial losses.

Key prevention and mitigation strategies:

• Engage a cloud access security broker (CASB) that can provide an extra layer of protection between the cloud service and the organization's network
• Work with the CASB to monitor and enforce security policies and provide visibility into and control over cloud use

Employees, vendors, and other individuals who have access to sensitive information can pose a risk to an organization – whether they intend to or not.

Insider threats can take various forms. Sometimes, individuals misuse sensitive information for personal gain, such as theft of confidential customer data or intellectual property for financial profit. But other threats come from more innocent and accidental actions, such as someone sending an email containing confidential information to the wrong recipient.

In just two years between 2020 and 2022, the number of insider threat incidents worldwide rose by 44%.

Key prevention and mitigation strategies:

• Conduct thorough background checks on all employees and due diligence in vendor management
• Provide regular security awareness training
• Implement strict access controls to sensitive information
• Lean on technology solutions such as data loss prevention tools and activity monitoring software

Legacy systems are systems that have reached an end-of-life or end-of-support stage from the vendor, making them vulnerable to security threats. These older systems often lack defenses against the latest and most sophisticated threats to cybersecurity in banking, so organizations that use legacy systems risk security breaches and data loss.

Spending on legacy systems can drain IT resources, too. Between 2010 and 2020, about three quarters of IT spending by corporations and governments worldwide went toward operating and maintaining existing IT systems.

Key prevention and mitigation strategies:

Banking leaders and their cybersecurity teams must work together to address the problems of legacy systems.

• Assess the organization’s technology landscape
• Devote the necessary resources to modernize systems

In the past few years, more financial services companies have woven IoT devices into their infrastructure and operations. As a result, IoT is rapidly transforming how financial services organizations function, from point-of-sale systems to smart locks, wearables, building automation systems, and mobile devices.

However, this rapid proliferation has also created new cybersecurity risks that organizations must address. Despite the widespread adoption of IoT devices in the financial services industry, these devices often come with few security measures. Many devices lack basic security features such as encryption, authentication, and access controls. These security limitations make some IoT devices a soft target for cybercriminals.

Key prevention and mitigation strategies:

• Assess where IoT is being used within the business
• Limit access of IoT devices to the information and systems needed to perform their functions
• Build a comprehensive plan to manage and secure all IoT devices

Cybercriminals often explore supply chains and exploit the weakest security link by compromising software, hardware, or other system components before information gets delivered to the end user. The results of these attacks can be devastating, with consequences ranging from data breaches and theft of sensitive information to disruption of operations.

In 2022, the average cost of a supply chain attack was $4.4 million, and the average life cycle of an incident for U.S. companies lasted 303 days – 26 days longer than the global average.

Key prevention and mitigation strategies:

• Perform due diligence and risk assessments for all suppliers
• Apply secure software development practices
• Create a strategy for regular monitoring and detection of potential supply chain risks
• Consider using only secure hardware, software, and services from trusted suppliers
• Implement secure configurations and access controls
• Build an incident response plan that identifies critical assets, establishes clear roles and responsibilities, and outlines contingency plans