Data Security for Banks: Standards for Success
Originally published by New Context.
Data breaches are perhaps the single most significant risk that banks face today. In the financial industry, the average cost of a data breach was about $5.85 million in 2020. Aside from the direct costs of a breach, such as lost funds, higher insurance premiums, fines and penalties, institutions also have to contend with the indirect costs. Loss of reputation and consumer trust is hard to measure quantitatively, but the price is guaranteed to be very high.
Unfortunately, the nature of their business means banks face an ever-evolving set of threats. They hold sensitive financial records that attackers are known to target, using methods that shift constantly. Security therefore cannot be static: it must be a continuous process of monitoring for new risks and responding as they emerge. Compliance also needs to be built into that process to meet the stringent privacy regulations that apply to the financial industry. Data security for banks is undoubtedly a challenge, but a holistic approach makes it easier to manage.
Data Threats in Banking
Managing banking threats and monitoring data is far more complex today than it was in the past. Historically, banks only had to control access to physical paper records by placing them in a vault and protecting the perimeter. The move to digital banking made the business much more convenient, but it also opened it up to a whole host of new threats. Stores of valuable personal data attracted cybercriminals, who use a range of attacks to gain access. Some of the common types of threat include:
- Distributed Denial of Service: A DDoS attack floods a network or service with traffic so that it becomes unavailable to its intended users. The traffic typically comes from a botnet: a large number of compromised devices, such as IoT equipment and ordinary computers, under an attacker's control. This was the case in the 2016 attack on the DNS provider Dyn, which disrupted much of the internet and took established sites such as Reddit, CNN, Twitter and the Guardian offline.
- Malware: Getting malicious software onto company computers is one of the more straightforward methods attackers use to gain access. They target employees with little security training and send them an email whose attachment or link delivers the program. Ransomware is often spread this way and is a significant threat to the banking industry. In this case the immediate goal is usually not to use the customer data directly but to lock the bank out of it and demand a ransom for restoring access; increasingly, operators also copy the data out first and threaten to publish it, so a ransomware incident should be treated as a potential data breach as well. Costs associated with ransomware attacks exceeded $1.3 billion in 2020 in the U.S. alone.
- Backdoor and Supply-Chain Attacks: This is a particularly nefarious form of attack because it originates with the software's creator or provider. A vendor builds a backdoor into a product, usually so that it can provide remote support or push updates. Attackers who discover that backdoor can use it to steal data, install malware or hijack devices. In some cases backdoors are placed in products specifically for that purpose. This is what was alleged in the case of Huawei: U.S. officials claimed that its network equipment contained backdoors that could be used to gather data from users, and those allegations, among other concerns, led to bans on the company's products in the United States.
- Insecure Third Party Services: The best security in the world won't help a financial institution if third party providers create holes in it. Consider again the 2016 attack on Dyn. Major companies that had no part in the attack were knocked offline because their DNS depended on a single provider. This is of particular concern in the financial industry because so many outside providers are connected to the transaction process.
- Unencrypted Data: There is no guarantee that an institution will always keep its data out of an attacker's hands. Even when networks are secure, employee devices get lost and servers get stolen. Encryption adds another layer of protection: even if attackers obtain the data, they cannot read it without the key. Unencrypted data is at higher risk precisely because it is usable the moment it is obtained.
Aside from these network-based attacks, banks also need to worry about physical attacks. The theft of a server, or more likely of an employee device that connects to the banking system, is an attack in its own right. That is why an approach that protects data at multiple levels is ideal.
Managing Data Security for Banks
Maintaining data security in the financial industry isn't just the job of the CTO or CSO. It needs to be integrated into every role in the company, from the board of directors to the customer service representatives. While there are many nuances to data security in banks, managing it can be broken down into two categories: data in transit and data at rest.
While the risks created by data in transit and data at rest are slightly different, many security protocols standard in banking apply to both. These include:
- Device access restrictions: It's not enough to tell employees not to use unapproved devices. Logging on to the company network remotely from an unauthorized device should be technically blocked, and the same goes for plugging peripherals into a company device. Device management, whether for personal or company devices, needs to be enforced at the level of the individual device.
- Encryption: Encryption is a secondary line of defense in case the primary precautions fail. It ensures that, even if an attacker gains access to the data, it is unreadable and therefore unusable. The standard building blocks are the Advanced Encryption Standard (AES) for encrypting the data itself and Rivest–Shamir–Adleman (RSA) for protecting and exchanging the keys that AES uses; in practice the two are combined, and data is only as safe as the key that unlocks it.
- Open Source Cyber Threat Intelligence (CTI): Modern cybersecurity management is challenging, especially for banks, which face continually evolving threats specific to the financial industry. Sharing information about these threats and working together to mitigate them is essential to closing gaps before they are exploited.
- Integrated Gramm-Leach-Bliley Act Compliance: Compliance with the act that regulates the protection of nonpublic personal information (NPI) of consumers and clients is vital. It should be built into the system to ensure proper encryption, appropriate access standards, and threat monitoring and protection.
- Security as Code: The "pets versus cattle" metaphor is a common one in server management. Pets are treated with individual attention, given unique names and carefully protected. Cattle are treated as commodities and are easily replaceable. The rise of the cloud has pushed most firms toward the "cattle" approach to servers. That directly conflicts with the common requirement in financial firms to treat unique datasets as "pets." Security as Code makes data protection a fundamental part of the delivery pipeline, so servers can still be treated like cattle while sensitive databases get the high level of protection they require.
- Infrastructure as code: Infrastructure is provisioned and configured from machine-readable definition files rather than by hand on physical hardware. This increases scalability and reduces risks such as manual misconfiguration stemming from human error, and, because the definitions are files, they can be reviewed and checked automatically before anything is deployed.
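The "Encryption" and "Unencrypted Data" points above describe the AES/RSA combination only in outline. The following Go program, written for this article and not taken from New Context or any vendor, shows the pattern a practitioner would actually use for data at rest: each record is encrypted with a fresh AES-256-GCM data key, and that key is wrapped with RSA-OAEP under a key-encryption key (KEK). The KEK is generated in-process here to keep the example self-contained; in a bank it would live in an HSM or cloud KMS. The record identifier used as associated data and the sample account string are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is the stored form of one encrypted field: the AES data key wrapped
// under the RSA key-encryption key, the GCM nonce, and the ciphertext (which
// carries the GCM authentication tag). None of it reveals the plaintext
// without the RSA private key.
type Record struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM AEAD from a 32-byte (AES-256) key.
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random data key (DEK) with AES-GCM,
// then wraps the DEK with RSA-OAEP under kek. aad is authenticated but not
// encrypted; binding it to a record identifier stops a valid ciphertext from
// being silently moved into another row.
func Seal(kek *rsa.PublicKey, plaintext, aad []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one DEK
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. Any change to the ciphertext, nonce or aad makes the
// GCM tag check fail, so a tampered record is rejected rather than decrypted.
func Open(kek *rsa.PrivateKey, rec *Record, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, rec.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("record failed authentication")
	}
	return pt, nil
}

func main() {
	// Hypothetical KEK: in production this key stays inside an HSM or KMS and
	// only the wrap/unwrap operations are exposed to the application.
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	aad := []byte("customers/row/42") // constructed record identifier
	rec, err := Seal(&kek.PublicKey, []byte("acct=12345678;balance=1020.55"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(kek, rec, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	// Flip one ciphertext byte: GCM detects it and Open refuses.
	rec.Ciphertext[0] ^= 0x01
	_, err = Open(kek, rec, aad)
	fmt.Println("tampered:", err)
}
```

The point of the two-layer design is operational: rotating or revoking the RSA KEK never requires re-encrypting the bulk data, only re-wrapping the small data keys, and a stolen database dump is useless without access to the KEK holder.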
This is by no means an exhaustive list of data security measures for banks, but it does establish a common need: the ability to automate and integrate security standards at every level, whether data is in motion or stored in a repository. Using infrastructure tooling to build hardened processes such as automation and orchestration alongside compliance, monitoring and permissions helps manage massive amounts of data while keeping customer information safe.
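The "Security as Code" and "Infrastructure as code" points, and the paragraph above, argue that security standards should be checked automatically in the pipeline. The following Go program is an added example of what that looks like in practice, written for this article rather than taken from New Context or any product: a small policy engine that reads an infrastructure plan and fails the build if it finds unencrypted storage, a publicly reachable database, a non-TLS port open to the whole internet, or an IAM policy granting all actions. The plan schema (`resources`, `type`, `attributes`) is hypothetical, loosely modelled on a Terraform JSON plan, and the sample plan is constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Resource is one entry in a simplified infrastructure plan. The schema is
// hypothetical and exists only to make the checks below concrete.
type Resource struct {
	Type string                 `json:"type"`
	Name string                 `json:"name"`
	Attr map[string]interface{} `json:"attributes"`
}

type Plan struct {
	Resources []Resource `json:"resources"`
}

// Finding is one policy violation; the pipeline fails on any.
type Finding struct {
	Resource, Rule, Message string
}

func (f Finding) String() string {
	return fmt.Sprintf("%-26s %-16s %s", f.Resource, f.Rule, f.Message)
}

type policyRule func(Resource) *Finding

func fail(r Resource, ruleID, msg string) *Finding {
	return &Finding{Resource: r.Type + "." + r.Name, Rule: ruleID, Message: msg}
}

// Data at rest: every bucket and database must declare encryption explicitly.
func requireEncryptionAtRest(r Resource) *Finding {
	if r.Type != "storage_bucket" && r.Type != "database" {
		return nil
	}
	if enc, _ := r.Attr["encrypted"].(bool); !enc {
		return fail(r, "encrypt-at-rest", "encryption is off or unset")
	}
	return nil
}

// Databases must not be reachable from the internet.
func forbidPublicDatabase(r Resource) *Finding {
	if r.Type != "database" {
		return nil
	}
	if pub, _ := r.Attr["publicly_accessible"].(bool); pub {
		return fail(r, "no-public-db", "publicly_accessible must be false")
	}
	return nil
}

// Only TLS (443) may be opened to 0.0.0.0/0; SSH, RDP and database ports
// exposed to the whole internet are findings.
func limitInternetIngress(r Resource) *Finding {
	if r.Type != "firewall_rule" {
		return nil
	}
	cidr, _ := r.Attr["source_cidr"].(string)
	port, _ := r.Attr["port"].(float64) // JSON numbers decode as float64
	if cidr == "0.0.0.0/0" && int(port) != 443 {
		return fail(r, "no-open-ingress", fmt.Sprintf("port %d open to 0.0.0.0/0", int(port)))
	}
	return nil
}

// Least privilege: IAM policies may not grant "*" actions.
func forbidWildcardActions(r Resource) *Finding {
	if r.Type != "iam_policy" {
		return nil
	}
	actions, _ := r.Attr["actions"].([]interface{})
	for _, a := range actions {
		if s, _ := a.(string); s == "*" {
			return fail(r, "no-wildcard-iam", "policy grants all actions")
		}
	}
	return nil
}

var rules = []policyRule{requireEncryptionAtRest, forbidPublicDatabase, limitInternetIngress, forbidWildcardActions}

// Evaluate parses a plan and runs every rule over every resource.
func Evaluate(planJSON []byte) ([]Finding, error) {
	var p Plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var out []Finding
	for _, r := range p.Resources {
		for _, check := range rules {
			if f := check(r); f != nil {
				out = append(out, *f)
			}
		}
	}
	return out, nil
}

// samplePlan is constructed input: two compliant resources and four violations.
const samplePlan = `{"resources": [
  {"type": "storage_bucket", "name": "statements",   "attributes": {"encrypted": false}},
  {"type": "storage_bucket", "name": "audit-logs",   "attributes": {"encrypted": true}},
  {"type": "database",       "name": "ledger",       "attributes": {"encrypted": true, "publicly_accessible": true}},
  {"type": "firewall_rule",  "name": "web",          "attributes": {"source_cidr": "0.0.0.0/0", "port": 443}},
  {"type": "firewall_rule",  "name": "admin-ssh",    "attributes": {"source_cidr": "0.0.0.0/0", "port": 22}},
  {"type": "iam_policy",     "name": "batch-runner", "attributes": {"actions": ["*"]}}
]}`

func main() {
	findings, err := Evaluate([]byte(samplePlan))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1) // a non-zero exit blocks the deployment stage
	}
}
```

Run as a pipeline step between plan and apply, the non-zero exit is what turns the compliance requirement into an enforced gate rather than a checklist; adding a rule is adding a function to `rules`, which is the sense in which the security standard itself becomes code.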