As Moore’s Law celebrates its 50th birthday, the cumulative results of its impact can be seen everywhere. While it’s true that Gordon’s famous algorithm has required some slight adjustments over the years, its ominous prediction has nevertheless achieved a status that approaches prophecy in IT circles. As first stated by Intel’s visionary co-founder, the law predicted that the number of transistors we can fit onto a square inch of space will double every year. In the past half-century, this forecast of constant doubling in our raw computational power has gradually slowed, first to eighteen months, then to around two years, which we use as a rule of thumb today. It’s not a surprise. After all, today we’re working at the atomic level with these things. Still, the law’s premise is the same: We humans are getting really smart—really fast.
I’ve heard Moore’s Law referred to countless times in my career. I’m astounded, however, by one of its most profound and rarely linked effects: The knowledge we amass and store from all these micro-transistors and compounding CPU power is accumulating at a similar rate! This means that today we know more about our world, its history, and its make-up, than any of our ancestors could ever imagine. Our children carry smartphones with free and immediate access to services like Google and Wikipedia. They literally have the collective experience of our species at their fingertips. Many kids today are learning to write computer code before they’ve taken their first grammar lesson! This is simply amazing.
How does this affect cybersecurity and the financial services industry? Look to your TV or favorite web browser for some daily indications. Nations are at war with one another using this power as a new weapon, which has the potential to devastate whole societies if properly harnessed. We know (and sadly accept) that our most personal and very intimate details have been confiscated. Reference the scandals at Anthem Insurance, Target, the IRS, the OPM, and so many others as examples. Scarier still is what damage hackers can do when they unleash the power of Moore’s Law to deduce our thoughts and behavior using nothing more than metadata, which ships out in ever-increasing detail with each data breach.
Banks and credit unions are some of the world’s biggest and most attractive honey pots. Not only do they own our personal data, but they hold our money, a concept adopted globally by mankind and used today more than ever for people to simply live and eat. A well-executed attack can not only cripple a bank, it can render its customers destitute in a matter of seconds.
As consumers, many of us have taken on the mentality of ‘security by obscurity.’ Like herds on the savannah, we know there is great danger in our environment, and hope that our anonymity among the crowd is one of our best protections. After all, what else can we do when everyone from Disney to the NSA has our credit card numbers? This is a false hope. In the fields of cyberspace, the predators aim to kill the entire herd.
Yet we continue to enjoy the benefits that the accumulated knowledge of Moore’s Law delivers. We communicate instantly via social media and have come to expect the instant gratification that our apps deliver: groceries on our doorstep, a cheap ride to the show in an unfamiliar city, and even sex—if I may be so bold as to note the huge popularity of Internet pornography and other sex-services like recent victim AshleyMadison.com, along with its millions of subscribers.
Banks and credit unions alike are keenly aware of the demand. We’re building mobility into our systems as fast as we can. We realize that without consumers having instant access to our services, many of our companies will cease to exist. Institutions at the lower end of the asset size scale are particularly at risk in this arena, having neither the budget nor the manpower to maintain security while simultaneously scrambling to build increased mobility into their offerings. Indeed, at the very low end, in companies smaller than, say, $50 to $100 million in assets, many IT departments consist of a single person, if those companies can even afford to dedicate resources to the area. Oftentimes in these companies, the IT department is someone’s side job, or network administration is a fully outsourced affair. Today, in the credit union sector where I work, there are just over 6,000 credit unions across the nation, with some 25 percent or so managing under $100 in assets.
What does all this mean? Now, more than ever, is the time to be prepared. This is true for financial institutions everywhere, whether public, private, or not for profit. It’s not a matter of ‘if’ a breach will occur, it’s ‘when,’ if it hasn’t already happened inside your company. Management at all levels must make cybersecurity a top priority, regardless of asset size, particularly at smaller institutions. We cannot afford to turn a blind eye towards cybersecurity in our own companies. We cannot surrender our fiduciary responsibility to the myriad technobabble and acronyms of the IT department. We must take a position of ownership and active management towards this crucial area of our operations. We must educate ourselves in the methods and yes, the language of cybersecurity. We must populate our boards with people who are knowledgeable in these matters. We must grant cybersecurity a permanent place near the top of our boards’ agendas, constantly measure our companies’ cybersecurity posture, and record our progress towards full cybersecurity maturity. We must truly commit to educating our employees and customers as well. We must dedicate both capital and human resources to these efforts, no matter how small we are. We must make the immeasurable knowledge that Moore’s Law has helped us compile work in our favor, not in the favor of a few thousand really smart but dangerous criminals. If we do not, we may as well admit our helplessness, hand over our customers’ money, and go home.