These days, it seems like the latest data breach is detailed in breaking headlines on a daily basis. Not even large, high-profile companies such as Target, Home Depot and Neiman Marcus are immune. According to the Identity Theft Resource Center, there have been 679 data breaches as of late November 2014, a 25% increase over the year-ago period.
Breaches are only expected to continue as consumers and businesses alike utilize Internet-connected devices for all types of transactions, many of which include sensitive information. Just this summer, financial giant JPMorgan Chase experienced a cyber-attack that compromised the accounts of 76 million households and seven million small businesses. Customers’ personal information including addresses, phone numbers and emails were taken.
The financial sector is taking note. In October, the Depository Trust & Clearing Corporation’s (DTCC) Systemic Risk Barometer found that 84% of financial institutions ranked cyber risk as one of their top five concerns. In addition, 76% of respondents indicate they have allotted an increased amount of their budgets to shore up security practices. So what security tactics can financial institutions invest in to fend off cybercrime?
Two good places to start are to establish a proactive vulnerability management plan and implement basic security protocols such as network segmentation. 2014, “The Year of the Data Breach,” provided a plethora of lessons that bankers can take into 2015 and turn the tide in the war against cybercriminals and their harmful attacks.
Many financial institutions merely employ a “check the box” security plan to meet security needs and reach compliance standards. This “set it and forget it” type of approach to prevention is not effective. In today’s digitally connected world, a thoughtful, active approach is necessary to fend off attacks. According to the DTCC’s white paper, “Cyber-Risk: A Global Systemic Threat,” a cybersecurity program “designed to only meet existing requirements or exclusively address known threats offers inadequate protection in today’s cyber landscape. Current cyber threats evolve and move quickly and, as such, legacy methods of defending an infrastructure are likely to fail.”
With this in mind, a proactive vulnerability management plan should be the cornerstone of any security strategy. It’s essential that banks frequently hunt for vulnerabilities and remediate them immediately – before a breach can occur.
Cybercriminals are continuously changing their tactics to gain entry to internal systems and the sensitive data that’s stored there. They can be countered by remediation activities such as updating patches or software to alleviate weaknesses. Leveraging an Intrusion Detection & Prevention system (IDS/IPS) enables banks to monitor the multiple access points to their internal systems for suspect activity, which would include access via mobile technology as well as social media. Specifically, an IDS identifies and analyzes any unauthorized access to the system and alerts administrators of questionable activity or weaknesses.
An IPS goes one step further, immediately countering the attack. In addition, modern IPSs have internal databases of attack behaviors and characteristics and are capable of preventing both known and unfamiliar intrusion signatures. Combining an IDS and an IPS allows administrators to review the detection process, as well as the corrective actions taken to mitigate the threat once identified.
In the case of Chase, the breach began in June, but went undetected until August. This is a startling fact. A proactive security strategy that actively scans systems for vulnerabilities could have alerted the bank that their internal IT infrastructure and customer information had been compromised. Simply put: the best defense is a good offense.
The Target breach taught another important security lesson. It’s simple: focus on the basics. One of those security basics is to segment networks. In Target’s case, the step of segmenting the payment data network from the rest of its corporate network was not taken or not properly implemented. Many experts agree that if network segmentation was properly in place, it would have been much more difficult, perhaps impossible, for the cybercriminals to succeed.
It may not sound glamourous, but separating core banking networks and systems containing customer data from internal networks used by bank employees in daily operations is a must for financial institutions. Equipped with a more robust budget and staff, larger banks are able to take action to protect their systems against cybercrime. But, many community banks are lagging behind. One reason for this is that community banks have allowed mandates around compliance to drive changes focused on security. This has proven to be short-sighted, risky and, given the high frequency of attacks, unacceptable.
Driven by increased pressure to safeguard internal systems, the gap between industry standards for security and compliance is closing. It may seem like a large task to embark on a proactive security strategy but one should be budgeted for and acted upon to protect the IT environment and to secure the sensitive data held within it.
Mr. Scicluna is chief business development officer of Chicago-based Xamin, which provides managed IT services for community banks, healthcare and other highly regulated industries. He can be reached at firstname.lastname@example.org.