It is no surprise that banking and other financial organizations are highly targeted by cyber criminals. In fact, Per Statista reported that the majority (571) of 1,244 reported breaches in 2018 impacted general business, while 363 hit medical/healthcare organizations. Banking, credit unions, and financial organizations rounded out the top three with 135 breaches. The government and education sectors completed the top five targeted with 99 and 76 breaches respectively.
Thinking that “it won’t happen to us” is not a viable option, especially for industries that are on the top of hacker’s lists. The financial industry is a major target for obvious reasons. After all, these organizations deal in what attackers want most, money and personal information.
In a 2016 survey, Accenture found that 78 percent of financial institutions were confident in their cybersecurity strategies, yet 1 in every 3 were successfully attacked at an average of 85 breach attempts per year.
The FDIC requires penetration testing for financial institution compliance. Banks, credit unions, and other financial institutions must ensure security and confidentiality of customer information, put controls in place to prevent unauthorized access of information, and make sure customer information is properly disposed of. Improving your data security stance is often times easier said than done, and it can seem like a generic blanket statement for those who aren’t quite sure where to begin. So, where should you start? Here are five steps to get you on the right path for strengthening your financial data security.
#1. Build a Secure Infrastructure
It is imperative to use layered security technologies to prevent security breaches and cyber criminals. This includes updated all business operating systems and applications with the latest security patches, which are released by software developers to address vulnerabilities to computer viruses or hacking.
Taking that a step further, it is important that these operating systems are stored in a secure facility. It doesn’t make sense for most financial organizations to build, own, and operate their own data center facility, but it does make sense to store critical data in one.
There are colocation facilities that focus on maintaining PCI DSS compliance and other regulations for the financial vertical, so you can focus on what is important to your business instead of worrying about staying on top of evolving compliance guidelines.
Your colocation provider should have designated PCI compliance experts who are responsible for maintaining PCI DSS standards, as well as, any other compliance regulations that impact your industry or that of your clients. It is worth checking to see if your provider has a dedicated Chief Security Officer (CISO) on-staff that is available to consult with you on compliance best practices and audit readiness.
LightEdge’s security and compliance professional services simplify the process of improving your security posture. We are here to help you determine which security controls are required to mitigate your identified risks, and improve collaboration and communication during security event mitigation and incident response.
The benefits of using a colocation facility to store your critical infrastructure goes well beyond checking boxes on a compliance checklist. Colocation facilities are some of the most physically secure places in the world.
Colocation providers, like LightEdge, build their facility with security top of mind. LightEdge prides ourselves on being “always on” with zero downtime. In order to achieve the highest level of physical security, here are various layers a colocation facility should have in place:
- Physical Barriers:Barriers such as fencing, thick concrete walls, lone-standing retaining walls and underground environments are some of the physical security that data centers can offer.
- Surveillance: Your colocation provider should have surveillance around the perimeter of the building and at all access points. Camera footage should be recorded and stored for at least 90 days in case an emergency called for it to be analyzed.
- 24/7/365 Live Technicians: Colocation facilities should be staffed by a live technician at all hours of the day. Remote technical hands are key.
- Multi-Factor Authentication: It is best practice for data centers to have multiple check points throughout the facility requiring a variety of data input (facial recognition, biometric hand scan, and pin codes.
- Secure Access Check-in Process: To get inside, everyone must provide a government issued photo ID. A visitor should be accompanied by a facility member and be given an ID badge that limits access to must-go. This will prevent traffic into unauthorized areas of the facility.
#2. Create Strong Security Policies to Reduce Internal Threats
According to the most recent 2019 Verizon Data Breach Investigation Report, there were 45 confirmed breaches associated with misuse of privileges. The details were light on most of these, but tried and true controls are still relevant.
As you know, you should always monitor and log access to sensitive financial data, and make it clear to staff that it is being done and that you have a pulse on any fraudulent transaction attempts. In other words, “Misuse doesn’t pay.”
The report detailed the top threat actors that cause data breaches in the financial industry. They include:
- External threats (72 percent)
- Internal threats (36 percent)
- Multiple parties (10 percent)
- Partners (2 percent)
According to a global study of insider threats reported by IBM, the average cost of a breach involving employees or other internal personnel is $8.7 million. An insider attack also requires extra time, attention, and money to contain or resolve the issue. This results in large groups of employees spending valuable time dealing with the attack and not their business-driving tasks, which negatively impacts productivity.
By creating strong security policies that covers who can access what data, under which circumstances they can access the data, and who they can share the information with.
To ensure that security policies are being followed by internal employees, monitoring of employee activity and content is advised. There are varying levels of monitoring tools that are currently available. The capabilities of these tools include email and webmail traffic monitoring, tracking the websites that employees visit, instant message monitoring, social media monitoring, logging files employees have accessed, and many others.
#3. Combat Social Engineering Attacks
Social Engineering and Phishing attacks were the second most used tactic by cybercriminals when hacking the financial industry this year, reported Verizon. It came in right behind hacking and use of stolen credentials.
Adversaries are utilizing social engineering tactics on users and tricking them into providing their web-based email credentials. So, while the specific action of phishing is directed at a human it often precedes or follows a mail server compromise. There is no law that states that phishing cannot both precede and follow the access into the mail account, there are laws against phishing, however.
There is little that financial organizations can do to ensure that their customers are running up-to date malware defenses or make them “phish-proof,” but spreading security awareness their way cannot hurt. Another way to combat social engineering attacks is to also keep employees on their toes when engaging with emails.
The best way to have employees understand the importance of insider threats and attacks is to have them complete real-life exercises. Creating a hands-on training is a great way to keep staff engaged. Use the results of the exercise to grab the attention of those who may have failed. No longer should negligence or ignorance be a reason for social engineering attacks or phishing attempts.
#4. Educate, Educate, Educate
Financial data security awareness is paramount. As remote workplaces continue to take hold, using email and personal devices to communicate are a daily need. Employees and vendors must be instructed on how to avoid exposing themselves to fraudsters while on these devices.
This includes instructing them not to click on links in emails or texts from unfamiliar sources, verifying the identity of anyone who requests sensitive business or account information, and hovering over URLs to ensure legitimacy before clicking. Financial organizations should also use dual authorization, meaning two separate individuals must authorize a transaction, when making financial transactions, such as electronic funds transfers.
By ensuring that your entire organization from the CEO to the receptionist understands the latest phishing tactics, you significantly reduce the risk of a data breach. Educating employees about the latest security trends is a proactive way to key your company secure. Encourage secure passwords and make sure staff is required to change them frequently. If you detect any abnormalities with security, act quickly to rectify.
#5. Consult an Expert
As a bank, credit union, or other financial organization, you are now being tasked with thinking about security measures on top of the responsibilities you were hired for. There are lots of little tweaks and hacks that can be done to bolster protection, but unless someone is looking at a company from a holistic point of view, it is bound to have vulnerabilities.
Why not seek out experts that solely focus on the compliance and security of your financial data? As the stakes get higher, work with an outsourced organization that can take security off your plate, so you can get back to growing your organization.
Reinforcing a financial organization’s security posture, colocation provides the opportunity to standardize business decisions and determine the optimal place for data to reside. The challenge with that is the added complexity of safeguarding data as it crosses colocation, public cloud, and private cloud environments.
Strengthen your company’s financial data security and compliance posture with a company who has deep experience with PCI. LightEdge is a validated PCI DSS (version 3.2) Level 1 Service Provider. This validates that our in-scope data center facilities meet PCI’s prescriptive security requirements.
Banks and other financial institutions not only house personal and sensitive financial data for their customers, they process high volumes of transactions between accounts every day. Not meeting the PCI 3 requirements could result in failing an audit, thus exposing banks and financial companies to risk of data breaches.
Strengthen your Financial Data Security with the Help of LightEdge
As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
Tracking and monitoring all access to network resources and cardholder data, including the regular testing of controls, systems, and processes is critical. Our colocation centers have a plan in place that tracks and monitors all access to network resources and cardholder data.
Log files, system traces or any tool enabling the tracking of access to sensitive data is critical in preventing, detecting, or minimizing a data breach. The availability of logs enables tracking, alerting, and analysis when an intrusion occurs. LightEdge also regularly tests our security systems and processes
LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
With geographically-dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.
Customers turn to LightEdge to reduce risk of non-compliance, scale security, and for the predictably and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps to focus resources on agility and differentiation. Are you curious how your current provider stacks up? No two businesses are the same. At LightEdge, we work with you to find the right mix of control, security, and cost for your Cloud Hosting and IT service needs. Contact us today for your free security assessment.
- What are Effective Information Security Policies for the Banking Industry?
- How to Determine if your Business is PCI Compliant
- Seven Common E-Commerce PCI Compliance Myths Explained
- PCI DSS Cloud Compliance: Your Guide to a Smooth Cloud Migration
- 6 Best Practices for Data Security in the Cloud Infographic
- Why the Cloud is Safer the CIOs Believe: 6 Best Practices for Data Security
- The Best of Both Worlds: Colocation and PCI DSS Compliance
- Ultimate Guide to a Highly Compliant Cloud Environment
- Cost of Ownership: Public vs Private Cloud Showdown
- Why Virtual Private Cloud Will Make You Reconsider Your Cloud Infrastructure
- What Every Business Needs to Know About Dedicated Private Cloud