While attending a recent Wall Street Technology Association (WSTA) seminar in New York, I participated in a discussion with other members (financial institutions) and service providers around the topic of data security. I think it’s safe to assume that everyone acknowledged the cost of handling a data breach far outweighs the cost of proactively securing data, as long as the threats are broadly identifiable in advance. However, a vast majority of financial institutions are still working towards a more proactive and less reactive approach to handling this common problem. As the diversity of data types and their physical locations continues to expand, the threat of stolen data and DDoS attacks is increasing exponentially. As a result, firms are having to be more diligent, which requires collaboration between the business, application and infrastructure stakeholders.
Below is a summary of six key things on every IT department and compliance officer’s mind when it comes to the corporate governance of their organizations’ cyber security framework and infrastructure.
Business Architecture and Secure Data
Most secure data threat-modeling efforts take an asset-centric view (i.e. which of your IT assets are the most critical). With this approach, 30-40% of assets often end up deemed ‘critical’. A better approach is to start with business architecture to determine criticality from a business perspective.
Looking Ahead: Cybersecurity Meets Physical Security
Cyber attacks against financial services institutions are becoming more frequent, more sophisticated, and more widespread. One sophisticated bank heist involved hackers eliminating the withdrawal limits on prepaid debit cards and common street criminals making more than 2,000 ATM withdrawals. New York City prosecutors noted that this is one of the biggest heists in city history.
According to a cyber security report by the New York State Department of Financial Services, a vast majority of institutions – irrespective of size – utilize a wide variety of security technologies aimed at monitoring systems and preventing cyber breaches. While most financial institutions have deployed anti-virus and anti-spyware software, firewalls, vulnerability scanning tools, and encryption, many firms are still exploring data loss prevention (DLP) tools and policies and procedures around cloud computing.
Stop Moving the PII
PII stands for Personally Identifiable Information. We all have it, and the criminal element wants it. With this information, a hacker can create a credit card account for you, not just use your existing account. Financial services firms need to ensure that they properly authenticate their users without moving the clients’ information to places where it can become vulnerable.
The BYOD Dilemma
Many firms are moving to a Bring Your Own Device (BYOD) solution where employees use their own phones, tablets and laptops on the company network. This approach requires a well-thought-out data security strategy for selecting and separating user and corporate data, selective encryption, user and device blocking and wiping, mobile content management (MCM) and access control. Global companies should pay even closer attention: in Germany and France the individual owns the data on their device.
Data Loss
Approximately 66% of data loss is due to human or system error from an insider. The cost of a data breach starts in the millions of dollars. Most organizations do not have the knowledge or experience to identify all of the gaps in their infrastructure. Prevent unauthorized information disclosure or exposure by encrypting files, using audit trails and dynamic permission controls with a security solution that can monitor data at rest, data in transit and data in use.
Contact Center Fraud
Ever wonder why automated menus at a bank’s contact center take so long? It’s partly because they’re conducting a fraud investigation. And if they’re not, they should be. Fraudsters are known to be repeat callers to the same call center. To stay ahead of them, financial institutions need flexible architectures that support repeated analysis of call data while the detection criteria are regularly refined to catch new trends and patterns.
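The repeat-caller analysis described above, written out as an added example (this is not code from the original post or from any vendor mentioned in it). The call records, phone numbers, account ids, thresholds and rule names are all constructed for illustration. The point it demonstrates is the architecture the paragraph asks for: the criteria live in small pluggable rules with tunable windows and thresholds, so they can be refined without rewriting the analysis pipeline. Two repeat-caller patterns are encoded: one calling number touching many different accounts in a short window, and one account receiving high-risk requests (PIN resets, address changes) from many different numbers.

```python
"""Repeat-caller analysis over contact-center call records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, Iterator


@dataclass(frozen=True)
class Call:
    ts: datetime      # when the call started
    ani: str          # calling number (automatic number identification)
    account: str      # account the caller asked about
    action: str       # what the caller attempted


# Constructed sample log: one number probing four accounts within 40 minutes,
# one account hit with high-risk requests from three numbers, plus benign traffic.
SAMPLE_CALLS = [
    Call(datetime(2024, 3, 1, 9, 0), "+12125550100", "ACC-1001", "balance"),
    Call(datetime(2024, 3, 1, 9, 7), "+12125550100", "ACC-1002", "pin_reset"),
    Call(datetime(2024, 3, 1, 9, 15), "+12125550100", "ACC-1003", "address_change"),
    Call(datetime(2024, 3, 1, 9, 40), "+12125550100", "ACC-1004", "pin_reset"),
    Call(datetime(2024, 3, 1, 10, 2), "+13105550199", "ACC-2001", "balance"),
    Call(datetime(2024, 3, 2, 11, 0), "+13105550199", "ACC-2001", "balance"),
    Call(datetime(2024, 3, 1, 12, 0), "+14155550177", "ACC-3001", "pin_reset"),
    Call(datetime(2024, 3, 1, 12, 20), "+16175550133", "ACC-3001", "address_change"),
    Call(datetime(2024, 3, 1, 12, 45), "+17025550166", "ACC-3001", "pin_reset"),
]

# Assumed set of actions worth treating as high risk; a real deployment tunes this.
HIGH_RISK = {"pin_reset", "address_change"}

Rule = Callable[[list[Call]], list[str]]


def _group(calls: Iterable[Call], key: Callable[[Call], str]) -> dict[str, list[Call]]:
    """Group calls by key, keeping each group sorted by start time."""
    groups: dict[str, list[Call]] = defaultdict(list)
    for c in sorted(calls, key=lambda c: c.ts):
        groups[key(c)].append(c)
    return groups


def _windowed(sorted_calls: list[Call], window: timedelta) -> Iterator[tuple[Call, list[Call]]]:
    """Yield each call with the calls that fall within `window` ending at it."""
    start = 0
    for i, c in enumerate(sorted_calls):
        while c.ts - sorted_calls[start].ts > window:
            start += 1
        yield c, sorted_calls[start:i + 1]


def ani_fanout_rule(window: timedelta = timedelta(hours=1), threshold: int = 3) -> Rule:
    """Flag a calling number that asks about `threshold` distinct accounts within `window`."""
    def rule(calls: list[Call]) -> list[str]:
        alerts = []
        for ani, group in _group(calls, lambda c: c.ani).items():
            for c, recent in _windowed(group, window):
                accounts = {r.account for r in recent}
                if len(accounts) >= threshold:
                    alerts.append(f"ani_fanout ani={ani} accounts={len(accounts)} by={c.ts:%Y-%m-%d %H:%M}")
                    break  # one alert per calling number is enough
        return alerts
    return rule


def account_probe_rule(window: timedelta = timedelta(hours=2), threshold: int = 3,
                       actions: set[str] = HIGH_RISK) -> Rule:
    """Flag an account that receives high-risk requests from `threshold` distinct numbers within `window`."""
    def rule(calls: list[Call]) -> list[str]:
        alerts = []
        risky = [c for c in calls if c.action in actions]
        for account, group in _group(risky, lambda c: c.account).items():
            for c, recent in _windowed(group, window):
                anis = {r.ani for r in recent}
                if len(anis) >= threshold:
                    alerts.append(f"account_probe account={account} anis={len(anis)} by={c.ts:%Y-%m-%d %H:%M}")
                    break
        return alerts
    return rule


DEFAULT_RULES: list[Rule] = [ani_fanout_rule(), account_probe_rule()]


def analyze(calls: list[Call], rules: list[Rule] = DEFAULT_RULES) -> list[str]:
    """Run every rule over the call log and return the combined alerts."""
    alerts: list[str] = []
    for rule in rules:
        alerts.extend(rule(calls))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CALLS):
        print(alert)
    # Refining the criteria is a matter of swapping in rules with different parameters:
    print(analyze(SAMPLE_CALLS, [ani_fanout_rule(window=timedelta(minutes=10))]))
```

On the constructed log the default rules raise two alerts: the fan-out from +12125550100 once it reaches its third account at 09:15, and the probing of ACC-3001 once the third distinct number attempts a high-risk action at 12:45. The two benign balance enquiries from +13105550199 to its own account do not trigger anything. Tightening the fan-out window to ten minutes clears the first alert, which is the kind of tuning the paragraph has in mind: the analysis is re-run unchanged while the criteria move with what fraud analysts are seeing.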