Finserv Data Security: Key Concerns for Banks & Credit Unions
18 data security professionals address key concerns for banks and credit unions when it comes to securing sensitive information.
Banks and credit unions face the same data security concerns as any other business, plus a few additional worries given the highly sensitive nature of the data these organizations manage – not to mention the sheer volume of individuals who stand to be impacted should security measures fail.
The Equifax breach served as a barometer of sorts for the financial industry's risk profile. This widespread data breach highlighted the need to shift from a focus on risk mitigation within the institution itself to considering a broader risk profile, and the need for more comprehensive security that reaches beyond the walls of the institution. Now, banks and credit unions are increasingly taking a closer look at the risks posed by third-party relationships and managing the risks incurred as a result of necessary infrastructure upgrades, all while grappling with regulatory uncertainty and a more complex threat landscape as threats like ransomware continue to grow.
To learn more about the top data security concerns facing banks and credit unions today, we reached out to a panel of data security pros and asked them to answer this question:
"What are the top data security concerns (or mistakes / misconceptions) for banks and credit unions?"
Meet Our Panel of Data Security Professionals:
Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution that provides HIPAA-compliant, managed, dedicated, and cloud hosting.
"For financial institutions, cybersecurity remains a focal point..."
Cyber threats like the Equifax breach, which affected more than 140 million people, are changing the way security is viewed. Banks contribute an incredible amount of resources to proactively identify vulnerabilities that hackers may try to exploit. But at the same time, hackers continue to adapt and find new entry points. As banks continue to upgrade their technology and implement workflow changes, they must also be vigilant to avoid the mistake of creating new access points for criminals.
Keri Lindenmuth is the marketing manager at KDG. For over 17 years, KDG has been helping businesses improve their processes, their customer experience, and their growth.
"One of the biggest mistakes banks or credit unions can make when it comes to data security is..."
Not having a BYOD, or Bring Your Own Device, policy. Are employees using their personal devices while in the office? Do they have work email on their cell phone? Are they working on work documents on their home computer? Without a clear policy in place to regulate what anti-virus software, apps, and programs your employees should have, you're putting data in danger.
Come up with a policy: can employees take their devices home and work? Can employees work on personal devices at all? If so, what anti-virus program should they be using? What email app should they be downloading? Should two-step authentication protect their personal devices? Protect your data and your business's future with a heavily enforced policy.
"The two most frequent mistakes I see banks making are..."
Improper use of HTTPS to secure their users and silly password rules. Banks and credit unions should make their entire website use HTTPS. They should not use HTTP anywhere. If someone enters an HTTP address, it should redirect to the HTTPS version. They should also use the HSTS header. This lets browsers know to automatically go to the HTTPS version without requiring the web server to redirect them. Thus your customers never touch the insecure HTTP version of your site. You can also request that browsers preload this into their software. Why is this important? Any traffic to a website that uses HTTP, even if you are redirecting them to your HTTPS site, can be sniffed by someone else on the same network and hacked. If a customer checks their bank account on an HTTP website, a hacker could easily intercept and redirect the visitor to a fake version of your website.
Forcing ridiculous password rules is another mistake banks and credit unions are well known for. The silliest of these rules is to disallow copying and pasting of passwords. Most security professionals recommend using a password manager to create, copy, and paste passwords from. Another incorrect rule is what the password should look like. At the end of the day, the longer the password, the better. This means authentication systems shouldn't limit password length.
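The redirect and HSTS advice above can be checked mechanically. The following is an added example, not code from the article or from any of the panelists: it validates a Strict-Transport-Security header against the preload-list requirements (max-age of at least one year, includeSubDomains, preload) and checks that a response to a plain-HTTP request is a redirect to an https:// URL. The sample responses and header values are constructed, and the helper names are assumptions, so the script runs offline; in practice you would feed it the status and headers returned by a real request to the bank's HTTP origin.

```python
"""Check an HTTP->HTTPS redirect and validate an HSTS header.

Added example (not from the original article). It works on constructed
response data rather than live traffic, so it runs offline; the helper
names and the sample responses below are assumptions for illustration.
"""
import re

# Preload-list requirement (hstspreload.org): max-age of at least one year,
# includeSubDomains, and the preload directive.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Returns e.g. {"max-age": 31536000, "includesubdomains": True,
    "preload": True}; raises ValueError if max-age is missing or malformed.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _sep, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not re.fullmatch(r"\d+", value):
                raise ValueError("malformed max-age: %r" % value)
            directives["max-age"] = int(value)
        else:
            directives[name] = True
    if "max-age" not in directives:
        raise ValueError("HSTS header has no max-age directive")
    return directives


def hsts_problems(header_value):
    """Return the reasons the header would fail preload submission.

    An empty list means the header meets the preload requirements.
    """
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below one year (%d)"
                        % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if not d.get("includesubdomains"):
        problems.append("missing includeSubDomains")
    if not d.get("preload"):
        problems.append("missing preload directive")
    return problems


def redirect_problems(status, headers):
    """Check that a response to a plain-HTTP request redirects to HTTPS.

    `headers` is a dict with lower-cased keys, as a client library returns.
    """
    if status not in (301, 302, 307, 308):
        return ["HTTP request was served directly (status %d), not redirected"
                % status]
    location = headers.get("location", "")
    if not location.lower().startswith("https://"):
        return ["redirect target is not HTTPS: %r" % location]
    return []


# Constructed sample responses (not captured from any real bank site).
GOOD_HTTP_RESPONSE = (301, {"location": "https://bank.example/"})
BAD_HTTP_RESPONSE = (200, {"content-type": "text/html"})
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"

if __name__ == "__main__":
    for label, (status, hdrs) in (("good", GOOD_HTTP_RESPONSE),
                                  ("bad", BAD_HTTP_RESPONSE)):
        print(label, "redirect:", redirect_problems(status, hdrs) or "ok")
    for label, value in (("good", GOOD_HSTS), ("weak", WEAK_HSTS)):
        print(label, "hsts:", hsts_problems(value) or "ok")
```

A short max-age such as the 300 seconds in the weak sample is a common mistake: it satisfies a scanner that only looks for the header's presence, but it means a customer who has not visited in the last five minutes is back to trusting the HTTP redirect.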
Ian Felder is the senior manager of product marketing at Digital Guardian, bringing over 16 years of marketing experience in both start-ups and Fortune 100 companies to the role. Prior to Digital Guardian Ian was at Hologic and Signiant, Inc.
"What are the top data security concerns for credit unions?"
According to the latest Credit Union National Association (CUNA) monthly report, credit unions are growing. This can be attributed to lower fees, better interest rates and lower operating costs when compared to larger banking institutions. However, the financial services sector as a whole remains one of the top five most likely targets for attack. Cybercriminals are well-funded, well-organized and increasingly more difficult to detect. Like the larger institutions, credit unions must remain secure while balancing evolving data privacy regulations and customer expectations.
Here are three of the top data protection concerns:
- Regulatory compliance challenges – must be nimble and proactive to navigate the evolving frameworks. Utilize the NCUA Automated Cybersecurity Examination Tool (ACET)
- Insider threats - implement organization-wide strategies and solutions to manage and control privileged access for both staff and third-party vendors
- Risk management and Incident Response – must create policies and programs to understand risk posture as well as what to do in the event of an attack. Socialize the policies and rehearse the response plan. Risk programs should also take into account the size and scope of the credit union, and allotted budget for cybersecurity protection must scale with that growth.
Alexi Pappas is the Senior Auditor at Carolinas IT. Alexi is formerly a Network Security and Compliance Manager for a SaaS startup business in the Triad. She has a bachelor's degree in Network Security Management and is pursuing her CISA and CISSP certifications. Alexi has an extensive background in agile product development controls, SOC 2 Type II Audit Reporting and has consulted for vendors on compliance strategies, audit policies, and regulations.
"Most conglomerate banks and credit unions typically have..."
Quite a few mistakes and/or misconceptions on what good data security practices should consist of. Having conducted numerous IT Audits for National Credit Unions using the NIST cybersecurity framework, I have seen business objectives solely rely on implementation of a 'good banking product,' but forget to design security into the mix. Mobile banking applications and platforms rarely undergo internal security penetration testing, which is a critical piece of the puzzle if you are committed to proactively secure your banking members' information. Although a lot of banking application and development is outsourced, the vendor does not always guarantee a penetration test against their platform (even after upgrades) to test the security functionality of their product and service delivery. It is recommended to thoroughly review master service agreements with your third parties to distinguish the security responsibilities.
Nate Masterson is the Marketing Manager for Maple Holistics.
"The top data security concern for banks and credit unions today is..."
Your identity. The thing about digital accounts, and accounts in general, is that it’s your money we’re talking about; and with something that important, we need your identification information. That means that if the bank is hacked, your identity is left exposed. The bank’s security protocol is to scramble the information in the system, which as of now is an acceptable solution to the problem. However, since identity theft is an ever-expanding industry on the black market, it needs to remain a priority and a concern as a security protocol is only effective until it’s not.
James Doggett is the CISO and SVP North America of Panaseer. James previously served as the Chief Technology Risk Officer for AIG, the Chief Security Officer and Chief Technology Risk Officer for Kaiser Permanente, and was Managing Director of JP Morgan Chase, the division responsible for Security Services IT Risk.
"Contrary to popular belief, for most banks, the biggest data security concern is not someone stealing money..."
While banks certainly should continue to keep bad actors from absconding with the cash (physically or digitally), most security efforts go towards protecting the bank's reputation and meeting regulatory requirements in reality. While the loss of actual money can be harmful to a bank, the impact of the inappropriate disclosure of customers' personal information usually has far greater negative impacts in terms of loss of customer confidence or regulatory fines.
Similarly, the impact of a successful ransomware attack, while there is no direct loss of money, can have massive financial impact to a financial institution in terms of loss of business. And how do banks best defend against reputational and regulatory losses? Banks need to focus on the basics of security (cyber hygiene) where most breaches occur. Yes, the latest technical exploit is important to defend against, but only after shoring up the basics of Enterprise Cyber Hygiene.
Daniel Blank is the CEO at Hornetsecurity, responsible for sales and consulting. He is an executive IT consultant with over 13 years of experience in selling complex IT products. He's been active since 2008 in various management positions in the cloud security environment, and since 2014 served as the Managing Director at Hornetsecurity.
"Email remains the most important communication method for companies..."
Including financial institutions that use it for sales and customer support. The GDPR strictly regulates the handling of personal data. Information like names, addresses, birthdates, account numbers, and other private data must be encrypted to protect it from unauthorized access. That makes email conversations with customers more complicated. Individual email users typically lack the technological wherewithal to use S/MIME or PGP encryption for everyday correspondence.
It's not only an issue in the sales process, but it also makes it difficult to offer customer support. Therefore, banks or credit unions need a protected method to encrypt emails, even if the recipient doesn’t. One possible solution might be TLS enforcement, attachment encryption and WebSafe.
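"TLS enforcement" in the answer above means refusing to fall back to plaintext SMTP for a given correspondent. Below is an added configuration example, not Hornetsecurity's product or code, assuming Postfix as the institution's outbound mail server; `partner-bank.example` and `legacy-vendor.example` are constructed names. It shows the usual opportunistic setting next to a per-domain policy that makes TLS mandatory and verifies the peer's certificate.

```conf
# /etc/postfix/main.cf (relevant lines only)

# Opportunistic TLS, the setting most installations run with: mail is
# encrypted if the peer offers STARTTLS, but silently goes out in
# plaintext if it does not, and no certificate is verified.
smtp_tls_security_level = may

# Per-destination enforcement overrides the default above.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# CA bundle used to verify remote certificates when a policy requires it.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
#
# "secure": TLS is mandatory, the certificate must chain to a trusted CA
# and its name must match the destination. If the peer cannot meet that,
# delivery is deferred rather than downgraded to plaintext.
partner-bank.example    secure match=partner-bank.example:.partner-bank.example
# "encrypt": TLS is mandatory but the certificate is not verified. Use
# only where the peer's certificate cannot be matched; it still stops
# passive sniffing but not an active man-in-the-middle.
legacy-vendor.example   encrypt
```

The practitioner's check after deploying this is to watch the mail log for deferred deliveries to the enforced domains: a deferral means the peer failed the policy, which is the intended outcome, and the fix belongs on the peer's side rather than in relaxing the policy.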
Paul Love is the Chief Information Security Officer for CO-OP Financial Services, a provider of payments and financial technology to credit unions. Paul has more than 25 years of experience in risk management, financial services, and technology and was previously the Senior Director of Governance, Risk and Compliance at Freddie Mac.
"The top data security concerns for banks and credit unions are..."
Having a full inventory of your data, the value of the data, and the protections needed for the data.
The first part is having an understanding of the data that resides in your environment (transmitted, processed, and stored) so that you have situational awareness and an understanding of the scope of your information security program. The inventory includes the full data life cycle from creation to destruction, as well as where data is stored, how it’s transmitted, how it’s processed, and when/how it’s destroyed. You can’t protect what you don’t know about, so it's crucial that you have a full inventory of your data.
The second part is understanding the value of the data, which helps you determine what levels of protection to put in place. Data that is internal only, but not sensitive, doesn’t need the same level of security as highly confidential business data. This valuation helps to contextualize the risk and helps to focus the information security program and controls on the systems and data that matter.
The final aspect is understanding your control environment. When you understand the protections in place, you can identify gaps and respond to issues regarding data.
As a founder of Vestige, Greg has been involved in the digital forensics field since 2000. He is responsible for the creation of Vestige’s infrastructure and continues to oversee the process of standardizing and streamlining Vestige’s forensic analysis to provide consistent, high-quality results on a timely basis.
"As business email compromise (BEC) becomes more prevalent..."
Banks and credit unions need to make sure that they have proper procedures for transfer of funds, payment of bills, etc. Namely any kind of transfer of assets should have checks and balances in place for values over a set amount based on the bank or credit union's acceptable level of risk. Those procedures should include a verification of asset transfers by means other than email (such as phone) and communicating of wire instructions through a means other than email (such as through a secure website). Banks and credit unions should also check on the security surrounding any account numbers, login credentials, or personally identifiable information (PII) that are being stored. Do not trust that this data is secure; always verify. Nearly every day I work with a client that tells me one thing only to find out that isn't the case when we ask to have it verified or ask for proof.
Daniel Desko is a leader in the IT Audit, Security and Risk Advisory services practice at Schneider Downs. He is responsible for managing and leading a team of IT audit, security, and risk professionals with diverse experience and skill sets for a wide range of clients across multiple industries. He is also responsible for project delivery, management, and overall quality control.
"Here are some of the top data security concerns we have seen..."
- Lack of Data Identification - In our ethical hacking travels we have run into many instances where we need no more than get access to someone's email or local file share in order to have enough data to characterize it as a data breach. We run into loan officers and others who store so much PII in their email or locally on their machines. Banks and CUs don't do a great job of controlling data once it leaves the core systems.
- Bank and CU personnel highly susceptible to social engineering - Let's face it, most bank and CU personnel are taught to serve the customer at all costs, this makes them a great target for social engineering campaigns. We were doing a penetration test with a bank where one of our testers walked into a branch asking about a loan. Fifteen minutes later he had convinced the loan officer to let him plug a flashdrive (with our custom malware) into his laptop to show him his budget. This allowed us to fully compromise their network eventually. Phishing is of the same high level of concern, we are often very successful bypassing security controls through simple phishing messages with malicious payloads.
Robert Siciliano, CSP, the #1 Best Selling Amazon.com author and a security expert with Hotspot Shield, is serious about security awareness training. Robert is a security expert and private investigator fiercely committed to informing, educating, and empowering people so they can protect themselves, both in their physical and virtual interactions.
"The top data security concerns for banks and credit unions revolve around client insecurity..."
Financial institutions spend tremendous resources on security, but the path of least resistance into their networks is their clients' devices. A simple phish or clicking the wrong link can compromise a client's device and allow entry into the FI's network and into the client's bank account. Banks have forever swept security information and education under the rug. As a result, their clients blame them for breaches and everyone loses.
Security awareness education has never been more important and banks and credit unions are in the best position to offer it to reduce theft and fraud.
Ian Thompson is Head of Data Services at Assured Data Protection. With over 20 years' experience in business continuity and disaster recovery, Ian’s career boasts heading up data protection for a major British high street bank and other large enterprises, including one of the UK’s biggest B2B telecommunications companies.
"Data security isn’t a single solution, particularly when it comes to finance institutes..."
It must be a multi-layered approach to every aspect of data storage, data access, data protection, and data destruction, whether in transit across local or remote networks, or at rest on local disc storage or on backup media. Storage engineers will provide highly redundant and preferably encrypted storage platforms for primary data. Likewise, network teams will create encrypted site to site connectivity. The server teams should harden, and regularly patch server operating systems, however data protection and destruction is still an often overlooked area of data security.
Jacob Lunduski is a Financial Industry Analyst at Credit Card Insider. His mission is to stay up on all news regarding the well being of consumers and organizations in the financial sector.
"As mentioned in the ABA Banking Journal..."
Security and cyber risks remain at the top of most lists for financial institutions of all sizes. Last year's Equifax breach affected more than 140 million Americans and showed how banks currently handle security risks today.
- Financial institutions that are continuously working to improve their infrastructure should be on the lookout for increased risks as a result. The ABA mentions that banks have to reevaluate the process that they just modified to ensure the new process has controls around it. With more technology upgrades and workflow changes to monitor, banks have to avoid creating new entry points for criminals.
- Financial institutions should always know who their third parties are. Banks' increasing reliance on third parties create larger downstream risks. Institutions should vet all their vendors and know exactly who they're subcontracting with.
Kristen Ranta Haikal Wilson
Kristen Ranta Haikal Wilson is the VP of Product and Marketing at PasswordPing, where she is responsible for linking product innovation to a comprehensive go-to-market strategy. In 2016, Kristen helped found PasswordPing, an innovative cyber-security startup. Prior to PasswordPing, she was a Senior Director at CA and she has had many diverse marketing and product management roles at Rally, SSA Global, Oracle, Siebel Systems, and Black & Decker.
"One critical thing banks and credit unions should be doing is screening for compromised credentials..."
Compromised credentials from data breaches have become the new attack vector. They undermine the integrity of an essential security layer and leave your workforce and customer accounts open to penetration, fraud and PII loss.
Billions of username and password combinations are circulating on the Internet and Dark Web from a record number of 3rd party data breaches. Since most people reuse passwords across multiple websites, cybercriminals can obtain credentials that can be used to gain unauthorized access to your corporate network or customer accounts. Even if your site has not been breached, your customers and workforce are at risk due to password reuse. For banks, the stakes are even higher since unauthorized authentication into customer accounts can lead to financial fraud and employee accounts can be leveraged to access sensitive financial systems.
For your banking customers, account takeover (ATO) attacks drain loyal customers’ accounts of value and personal information resulting in billions of dollars in fraud and damage to brand reputation.
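The screening described above can be done without sending a customer's password, or even its full hash, to the service doing the lookup. The block below is an added example, not PasswordPing's code or API: it models the hash-prefix (k-anonymity) range query used by public breached-password services, where the client sends only the first five hex characters of the SHA-1 hash, receives every suffix in that bucket, and compares locally. The breach corpus and its counts are constructed for the example; function names are assumptions; a real deployment would query a breach-data service or a local copy of a breach list instead of the in-memory index.

```python
"""Screen a candidate password against a breach corpus using hash-prefix
(k-anonymity) lookups.

Added example, not PasswordPing's code or API. The corpus below is
constructed for the example; the counts are illustrative only.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of times seen in breaches.
_CONSTRUCTED_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "Winter2018!": 42,
    "letmein": 259000,
}

PREFIX_LEN = 5


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, as range services expect."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index a corpus the way a range service does: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix):
    """Server side of the exchange: every suffix sharing the 5-char prefix.

    A real service returns 'SUFFIX:COUNT' lines; this returns the same
    data as a dict. The server learns only the prefix, never the password
    or its full hash.
    """
    return dict(index.get(prefix.upper(), {}))


def breach_count(index, password):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = range_query(index, prefix)
    return bucket.get(suffix, 0)


def screen_password(index, password, max_seen=0):
    """Policy decision: (accepted, count).

    max_seen=0 rejects any password seen in a breach at all, which is the
    appropriate setting for customer and workforce accounts at a bank.
    """
    count = breach_count(index, password)
    return (count <= max_seen, count)


if __name__ == "__main__":
    idx = build_range_index(_CONSTRUCTED_CORPUS)
    for candidate in ("Winter2018!", "correct horse battery staple"):
        accepted, seen = screen_password(idx, candidate)
        print("%-30s seen=%-8d %s"
              % (candidate, seen, "accepted" if accepted else "rejected"))
```

Run the same check at login as well as at password creation: a password that was clean when the customer chose it can appear in a breach dump later, and the login-time check is what catches reuse before an account-takeover attempt succeeds.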
Steven J.J. Weisman
Steven Weisman is a lawyer, college professor at Bentley University who teaches White Collar Crime, and a nationally recognized expert in scams, identity theft, and cybersecurity. Among his books is Identity Theft Alert. He also writes the blog Scamicide, where each day he provides new information about the latest scams, identity theft schemes, and cybersecurity developments.
"With more and more people doing their banking online, digital security is of critical importance..."
Digital security is achieved through both proper use of technology and education of customers. Some basic elements of a security plan are:
1. A strong and unique password for the customer's banking account. Too many people use the same password for all of their online accounts which puts them in increased danger of their account being hacked if their password is compromised in a data breach at some other online account. In addition, people often use passwords that are easily cracked by software used by identity thieves.
2. Security questions are another essential element of account security. Too often, people are offered limited security questions, the answers to which, such as a person's mother's maiden name, may be easily discovered by an identity thief. An identity thief who has the answer to the security question can change the password of the account easily. The simple solution to this is to pick an answer to the security question that is nonsensical. You will remember it because it is so silly and no identity thief will be able to guess it. For instance, you could use Grapefruit as your mother's maiden name.
3. Dual factor authentication, where, most commonly, a one-time code is sent to the customer's cell phone in order to gain access to the account online, is helpful. However, even paranoids have enemies. Clever scam artists, the only criminals we refer to as artists, have been able to change the SIM card of a targeted victim's phone such that the code will be sent to the identity thief's cell phone. This is called porting. The easy way to avoid this problem is to have a unique, complex password to be used as a requirement to change the SIM card.
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating, and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
"Banks and credit unions must ensure that..."
Their employees undergo continuous training on cyber security awareness and best practices, including how to spot phishing emails and the importance of using strong passwords that are changed on a regular basis and never shared with anyone. However, employee training is not enough. People make mistakes, and malicious insiders who purposefully violate the rules will always be an issue. Financial institutions must also implement technological defenses to augment the “human factor” in their cyber security plans, such as:
Don’t Forget the Human Factor
Technological tools alone cannot protect online security. Hackers, for example, got into both Sony Pictures and the DNC’s email servers not by exploiting a technological vulnerability but through a spear-phishing campaign. Because spear phishing emails are notorious for slipping through email spam filters, the best defense is simple employee training. Employees should be taught how to recognize the signs of a phishing email, such as emails that are worded oddly, use foreign/British spelling, or otherwise seem “off.” Additionally, since there is no such thing as 100% protection against a hack, organizations should prohibit employees from sending sensitive information, such as Social Security numbers and check images, through unsecured email.
Snail mail can be shredded or burned, but electronic communications are immortal. Even when proper email etiquette is followed, emails routinely contain proprietary information that could severely harm an organization’s competitiveness if it were to be leaked. It is every bit as important to secure email servers as it is to secure databases and payment systems.
Brian NeSmith is the Co-Founder and CEO of Arctic Wolf.
"Banks and credit unions often make the mistake that..."
Security and compliance are the same when it comes to data security. Compliance is a snapshot in time of the controls you have in place. It’s great for understanding what went wrong, but it does not help to prevent data breaches. Data security must focus on detection, which involves identifying and remediating security incidents as they occur.
A proactive data security strategy focused on compliance is similar to driving by only looking in the rear-view mirror. It's important to see where you came from, but it does not help you navigate your course to get you to your destination of securing customer data and maintaining the trust of your customers.