SPONSORED CONTENT FROM VELOCITY SOLUTIONS
By Albert Steed, CIO, Velocity Solutions
As our digital world evolves and our day-to-day activities become increasingly facilitated by technology, the opportunities for cybercriminals to access confidential information, steal identities and misappropriate funds also increase exponentially.
Financial institution executives and their technical staff need to be especially vigilant in maintaining the security and privacy of their account holder data. In recent years the financial services industry has been the industry most heavily targeted by cybercrime. Consumers also reported a 400% increase in identity theft from 2017 to 2018, with nearly 60 million consumers impacted by some form of identity theft in 2018¹. The news is even worse for 2019, which is currently tracking to be the worst year ever for data breaches: in the first six months of 2019 alone, over four billion personal records were exposed².
There's no question that cybercriminals' tactics are evolving more quickly than the technologies in place to prevent them. Fortunately, there are measures that community banks can take to substantially reduce the risk to account holder data and privacy.
Community financial institutions should make sure their security policies contain these five essential elements:
1. Data security needs to be a company-wide focus
Years ago, before the concept of cyber security became a ubiquitous corporate concern, this type of responsibility may have been handled entirely by the IT department. But as technology reliance has permeated almost every facet of every industry, systems have become more cloud-based and remote employee access has become more prevalent. The opportunities to infiltrate sensitive company data have increased in proportion.
What is the biggest vulnerability facing financial services firms? According to the IBM Cyber Security Intelligence Index, human error was a contributing factor in 95% of the security incidents IBM investigated. Cybercriminals often target the weakest point in financial firms' security: their employees. Without proper education and clear communication of corporate data privacy policies, a simple mistake such as opening a malicious attachment or responding to a phishing e-mail can lead to a catastrophic data breach.
Technology alone cannot prevent cyber-attacks. Every financial institution needs to build its human firewall through employee education at all levels of the company, clearly communicated data policies, and an ongoing focus on data security best practices, led by each department manager.
2. Confirm the Security Protocols of All Parties in Your Data Chain
Banks and credit unions face one of the greatest challenges in the data security landscape, because a major breach could compromise their account holders’ account information, personal information and debit card details. This is why it’s essential to perform security due diligence on all participants in your data chain: your partners, your vendors, and your vendors’ vendors—essentially any party that will be taking confidential information out of your firewall.
While there have been many large, publicized data breaches over the past few years, the Capital One breach disclosed in July 2019, which exposed the personal information of roughly 100 million people³, is a useful example of what can go wrong when confidential data is hosted with a third party. According to the Justice Department, the accused had previously worked as a software engineer at Amazon Web Services, the cloud provider Capital One was using, and gained access by exploiting a misconfigured web application firewall in Capital One's own environment; per the criminal complaint, the misconfiguration let her run commands that obtained credentials for a role with access to the storage buckets holding the data. The lesson is not that the hosting provider failed, but that moving data to a third-party platform does not move responsibility for configuring it securely. When any third party will have access to your confidential data, all reasonable security measures and practices must be in place, on both sides, to limit the chances of a breach.
Fortunately, there is an industry-standard practice for reducing third-party security risk: requesting and reviewing each partner's and vendor's SOC 2 Type II report. In a SOC 2 Type II engagement an independent CPA firm describes the vendor's controls and tests whether they operated effectively over a review period, typically six to twelve months, so the report is renewed at least annually. Any vendor that processes your customers' or members' sensitive information should be able to produce one. Read it rather than file it: confirm that the systems handling your data are in scope, that the review period is recent (ask for a bridge letter if it has lapsed), note any exceptions the auditor reported, and pay attention to the "complementary user entity controls," which are the controls the vendor assumes you, the customer, will operate.
SOC 2 reporting helps create trust between the parties. It attests that the vendor's internal controls meet the American Institute of CPAs (AICPA) Trust Services Criteria (formerly called the Trust Services Principles), which are organized into five categories:
1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy
3. Review Your File Transfer Protocols to Avoid Debit Card Reissues
Information associated with your account holders’ debit cards can be especially catastrophic if compromised. Nowadays, it’s become commonplace for consumers to receive reissued debit cards in the mail with the brief explanation that their card may have been “compromised” with no further detail. Not only does this alarm the consumer, but in this digital society, we have almost everything set on auto-pay. We have debit cards attached to our monthly bill payments, our retail accounts at Amazon, Target, eBay, etc., and even stored for our favorite pizza delivery service! It’s an enormous hassle for consumers to update all of their profiles, and the act of reissuing mass amounts of cards is a huge financial burden to the financial institution.
Unprotected file transfers are a common source of exposure, so review how your institution actually moves files. Whenever data leaves your network, employees must use an encrypted transfer protocol such as SFTP or HTTPS, never plain FTP or an e-mail attachment, and the receiving system's host key or certificate should be verified so the file cannot be delivered to an impostor. Encrypt the file itself as well as the connection: transport encryption protects data only while it is in motion, while encryption at rest keeps account numbers, tax IDs and other sensitive fields protected once the file lands on a server, a backup or a laptop. Finally, send only the fields the recipient needs; a report that carries only the last four digits of a card number cannot leak the whole number.
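As an added example (not code from the article or from Velocity Solutions), the following Python script turns the last point into a pre-transfer check: it scans an outbound delimited export for full card numbers, confirms each candidate with the Luhn checksum that real card numbers satisfy, masks any it finds to the last four digits, and reports whether the file was clean. The column layout, the sample rows and the 13 to 19 digit length range are constructed assumptions; the two card numbers in the sample are the well-known Visa and Mastercard test numbers, not real accounts.

```python
"""Pre-transfer check: refuse to send a file that carries full card numbers.

Added example, not code from the article. The pipe-delimited layout, the
sample rows and the column names are constructed for the illustration.
"""
from __future__ import annotations

import re

# A primary account number (PAN) is 13 to 19 digits; exports sometimes
# carry it with spaces or dashes between groups, so allow one separator
# after each digit. The lookarounds stop us matching inside longer runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): the test every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in one line to its last four digits.

    Returns the rewritten line and how many PANs were found in it.
    """
    count = 0

    def replace(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # digit run of card length, but not a card
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(replace, line), count


def check_outbound_file(lines: list[str]) -> tuple[int, list[str]]:
    """Scan an export before transfer.

    Returns (number of PANs found, masked copy of the lines). A non-zero
    count means the file must not be sent as-is.
    """
    total = 0
    masked: list[str] = []
    for line in lines:
        new_line, found = mask_line(line)
        total += found
        masked.append(new_line)
    return total, masked


# Constructed sample export. The two card numbers are the well-known
# Visa and Mastercard test numbers, not real accounts; the third row holds
# a 16-digit reference number that fails Luhn and must be left alone.
SAMPLE_EXPORT = [
    "member_id|name|card|balance",
    "1001|A. Example|4111111111111111|250.00",
    "1002|B. Example|5555 5555 5555 4444|75.10",
    "1003|C. Example|1234567890123456|0.00",
]

if __name__ == "__main__":
    found, cleaned = check_outbound_file(SAMPLE_EXPORT)
    print(f"PANs found: {found}")
    for row in cleaned:
        print(row)
    if found:
        raise SystemExit("transfer blocked: full card numbers present")
```

Run it on the export before the transfer job, and treat a non-zero count as a reason to block the job and notify the data owner rather than silently mask and send: a full card number appearing in that file is itself the finding. Luhn validation cuts false positives but does not eliminate them (some non-card account numbers also pass), and nine-digit tax IDs have no checksum, so they need a separate field-level rule.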
If your bank or credit union encounters a breach situation requiring thousands of debit cards to be reissued, fortunately there are financial service companies that can help you repair the resulting drop in consumer usage due to trust issues or inconvenience. Such vendors are skilled in motivating consumers to increase their debit card usage in small steps, leading to progressively dramatic increases, and often provide the marketing tools and analysis necessary for a successful program.
4. Implement Defined Rules, Roles and Responsibilities for Client Data
How does your bank or credit union handle sensitive client data? Who has access to it? And what is your security protocol? At any company that handles consumer financial information, employees in every role, from interns to the C-suite, need to understand that such data must not be downloaded, e-mailed or saved to an external device, left on a desk, displayed on an unattended monitor, or discarded without first being shredded. Most breaches involving employees are unintentional: someone makes a mistake, or follows your internal protocols correctly but shares the data with a vendor who then mishandles it.
While training and education help and a company-wide security policy is essential, one of the most important safeguards against data breaches is limiting access to sensitive data to those who need it. Define roles and the level of access each role has to each class of data, and grant the minimum the job requires. Perhaps you have teams within your bank or credit union who need access to review sensitive records, but only a select few experienced individuals should be entrusted with transferring and storing such data, and those rights should be tied to the role, not the person.
It's also critical to review access to confidential information on a fixed schedule and whenever a role changes, and to remove access outright when someone leaves. Rights accumulated across old roles are the most common way a "select few" quietly becomes many.
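One way to make that periodic review concrete, added here as an example and not code from the article: reconcile what the systems actually grant against a role-to-entitlement matrix and the HR roster, and flag orphaned accounts, rights outside the holder's current role, and rights that are allowed but never used. The matrix, roster, grant snapshot, entitlement names, review date and the 90-day staleness threshold are all constructed for the illustration.

```python
"""Periodic access review: reconcile real grants against roles and the roster.

Added example, not code from the article. The role matrix, HR roster, grant
snapshot, entitlement names and the 90-day threshold are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical role-to-entitlement matrix: the most anyone in the role may hold.
ROLE_ENTITLEMENTS = {
    "teller": {"accounts:view"},
    "ops_analyst": {"accounts:view", "cardfile:view"},
    "data_steward": {"accounts:view", "cardfile:view",
                     "cardfile:export", "sftp:outbound"},
}

# Constructed HR roster: who currently holds which role. msmith moved from
# data_steward to teller last quarter; rlee has left the institution.
ROSTER = {"jdoe": "teller", "msmith": "teller", "akim": "ops_analyst"}

# Constructed snapshot of what the systems actually grant, with the date
# each entitlement was last exercised (ISO 8601).
GRANTS = {
    "jdoe": {"accounts:view": "2019-09-30"},
    "msmith": {"accounts:view": "2019-09-27",
               "cardfile:export": "2019-06-14",
               "sftp:outbound": "2019-06-14"},
    "akim": {"accounts:view": "2019-09-29", "cardfile:view": "2019-04-02"},
    "rlee": {"cardfile:view": "2019-08-01"},
}

REVIEW_DATE = date(2019, 10, 1)   # fixed so the example is deterministic
STALE_AFTER_DAYS = 90


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str          # "orphan", "excess" or "stale"
    entitlement: str


def review_access(roster: dict[str, str],
                  grants: dict[str, dict[str, str]],
                  matrix: dict[str, set[str]],
                  review_date: date = REVIEW_DATE) -> list[Finding]:
    """Return every grant the review should question.

    orphan: the account holder is no longer on the roster; revoke everything.
    excess: the entitlement is outside what the holder's current role allows.
    stale:  the entitlement is allowed but has not been used within the window.
    """
    findings: list[Finding] = []
    for user, held in sorted(grants.items()):
        role = roster.get(user)
        if role is None:
            findings.extend(Finding(user, "orphan", e) for e in sorted(held))
            continue
        allowed = matrix.get(role, set())
        for entitlement, last_used in sorted(held.items()):
            if entitlement not in allowed:
                findings.append(Finding(user, "excess", entitlement))
            elif (review_date - date.fromisoformat(last_used)).days > STALE_AFTER_DAYS:
                findings.append(Finding(user, "stale", entitlement))
    return findings


if __name__ == "__main__":
    for f in review_access(ROSTER, GRANTS, ROLE_ENTITLEMENTS):
        print(f"{f.user:8} {f.kind:7} {f.entitlement}")
```

Excess findings are the signature of a role change that was never followed by a revocation; orphan findings are accounts that outlived their owner; stale findings are granted but unused rights that are candidates for removal under least privilege. Feed the real roster from HR and the grant snapshot from each system's administrative export, and have the data owner sign off on every finding so the review leaves a record.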
5. Prioritize System Updates and Application Patching
In many companies, the technical focus is often on “newness”—the newest operating system releases, new programs, new tools, new hardware, etc. And in this fast-paced digital world, it’s very tempting to shift priorities away from critical maintenance to focus your resources on what’s new and probably more exciting.
Don't let your bank or credit union fall into this trap. Because systems are changing so quickly, new vulnerabilities in them are disclosed constantly, and they need continuous attention. Keep firmware updates and system patching on a disciplined schedule, backed by an inventory of what is deployed so nothing is missed, and make sure your tech team has the time and resources to maintain the infrastructure and track every known vulnerability to closure.
What's important to point out is that system patches need to be applied promptly and proactively. Even a delay of weeks can result in a disastrous breach, as in the Equifax case. In September 2017 Equifax disclosed that attackers had accessed the personal data of nearly 143 million consumers⁴. The simple explanation: a known vulnerability in the Apache Struts web framework, for which a fix had been available for about two months, had not been patched, leaving the company's data exposed.
If something so catastrophic can happen to a major credit bureau, it could certainly happen to a community bank or credit union. A data breach can lead to loss of consumer trust, public criticism, job losses, and a devastating hit to your revenue.
If your bank or credit union does not have a recently-updated data security policy, the time to start addressing that is now.