Data breaches have been on the rise in the financial industry for over a decade. To build a plan that protects against them, we first have to understand the threats and where they originate. The common assumption is that only outsiders compromise confidential information, but an effective cybersecurity policy must guard against internal threats as well.
A cybersecurity program is only as strong as its weakest link, and people make plenty of mistakes. In fact, human error accounts for 90% of cybersecurity breaches. The reasons are many. Employees are busy multi-tasking, so much so that 40% of reported security breaches are attributed to negligence. Haste also drives successful phishing attacks on financial institutions: employees in a hurry click a link or open an attachment that looks legitimate but actually delivers malware. Lastly, taking shortcuts around company security controls exposes sensitive information without the employee ever realizing it.
Let’s not forget the percentage of disgruntled employees who know where your system’s “bodies” are buried. They already hold access to sensitive information, or they know enough to obtain it surreptitiously, and they can wreak more havoc than any outsider. It is therefore crucial to have a reliable process to deprovision every account an employee holds as soon as they are terminated, and to keep each employee’s permissions aligned with their current duties (adjusted whenever they change roles) while they are still employed.
The Data Deluge
Safeguarding information is challenging. Cloud, mobile applications, and social media give banks new channels to attract and serve customers, and each one generates data. As a result, the volume of data worldwide will grow from 33 zettabytes in 2018 (1 zettabyte = 1 trillion gigabytes) to 175 zettabytes in 2025, a 26.8% compound annual growth rate (CAGR), according to International Data Corp.
Financial organizations have a legal obligation to protect not only current and former customers’ financial history but also their “nonpublic personal information.” Failing that, they face censure from federal agencies such as the National Credit Union Administration (NCUA), the Federal Deposit Insurance Corporation (FDIC), and the Securities and Exchange Commission (SEC), and fines under industry laws such as the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, and the Fair Credit Reporting Act, as well as a series of state regulations. In sum, protecting sensitive data is central to a community bank’s or credit union’s mandate.
An Expanding Attack Surface
The job of limiting access to financial information becomes more challenging as the possible attack surface becomes wider. A financial institution must be able to safeguard all of the data generated, stored, and moved at all of its entry and exit points.
A hacker need only find a small hole in a bank or credit union’s cyber defense to be successful. Cybercriminals constantly probe for such holes because data breaches have become a large, lucrative, and growing business. In fact, Juniper Research projects that cybercrime will cost businesses over $2 trillion in 2019.
A hacker attacks a system somewhere every 39 seconds, according to a study at the University of Maryland. Dan Schulman, CEO of PayPal, noted that the typical American business is attacked about 4 million times a year, while financial services companies are attacked over a billion times annually. Successful attacks fill the headlines so regularly that they are no longer “hot” news, yet each one has the potential to cause severe financial damage.
Hackers notified the Bank of Montreal, Canada’s fourth-largest bank, that they held records on 50,000 of its customers. Canadian Imperial Bank of Commerce, Canada’s fifth-largest lender, also fell victim, with records of 40,000 of its customers taken.
The bad guys are not just targeting big firms: 43% of cyber-attacks are aimed at small businesses. National Bankshares, a community bank in Blacksburg, VA, with assets of more than $1 billion, fell victim to two separate phishing attacks.
Ultimately, the damage extends beyond cleaning up the compromised data. Major breaches make headlines, and the resulting hit to a business’s reputation may be one it cannot recover from.
What Can You Do?
Now that you are aware of the severity of both unintentional and deliberate data breaches, it may be time to review the policies and procedures you have in place. Do you need to tighten the security reins on the systems you use? Banks and credit unions typically have high turnover among frontline staff, so it is entirely plausible that a clerical error or a discontented employee will open a hole in your cybersecurity defenses.
What can you do to protect confidential information? Identity and Access Management (IAM) systems control who may access which systems and record that activity. Provision™, Exclamation Labs’ flagship IAM product, tracks every system data access point, creating a clear historical log of permissions. IAM systems also automate what used to be manual handling of system permissions, which makes it easier to protect sensitive information and, more importantly, to confirm that employees have access only to what their job requires. By assigning permissions to clearly defined roles, such as “tellers,” rather than to individuals one at a time, you keep the proverbial reins tight: a new hire inherits exactly the role’s rights, a transfer means swapping roles rather than accumulating them, and a termination means removing the account from every role at once. Statistically, your financial institution is likely to be under attack both internally and externally. The question is, “What steps will you take to defend yourself?”
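The role-based model this section describes (permissions granted by role such as “tellers,” an audit trail of every permission change and access decision, and the deprovisioning on termination called for earlier in the article), as an added example. This is not code from the page and not Exclamation Labs’ Provision product; the role catalogue, permission names, user names, and the rule that only a holder of `user:manage` may change assignments are constructed assumptions for illustration. It goes slightly beyond the text in one respect: assigning roles replaces a user’s previous roles, so a teller who moves to lending does not keep teller rights.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed role catalogue for a small bank (assumed for this example;
# the article names only the "tellers" role).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"account:read", "transaction:post"},
    "loan_officer": {"account:read", "loan:read", "loan:approve"},
    "it_admin": {"user:manage"},
}


@dataclass(frozen=True)
class AuditEvent:
    when: str      # ISO-8601 UTC timestamp
    actor: str     # who performed the action
    action: str    # "provision", "deprovision" or "access"
    detail: str


class PermissionDenied(Exception):
    pass


class AccessManager:
    """Minimal RBAC store: users hold roles, roles grant permissions, and every
    change of assignment and every access decision is appended to an audit log."""

    def __init__(self, bootstrap_admin: str) -> None:
        self._roles: Dict[str, Set[str]] = {bootstrap_admin: {"it_admin"}}
        self._active: Set[str] = {bootstrap_admin}
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(AuditEvent(stamp, actor, action, detail))

    def effective_permissions(self, user: str) -> Set[str]:
        # A deprovisioned (or never provisioned) user has no permissions at all.
        if user not in self._active:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles.get(user, set())))

    def check(self, user: str, permission: str) -> bool:
        """Access decision; logged whether it is allowed or denied."""
        allowed = permission in self.effective_permissions(user)
        self._log(user, "access", f"{permission}: {'allowed' if allowed else 'denied'}")
        return allowed

    def _require_admin(self, actor: str) -> None:
        if not self.check(actor, "user:manage"):
            raise PermissionDenied(f"{actor} may not manage users")

    def provision(self, actor: str, user: str, roles: Set[str]) -> None:
        """Assign roles; existing roles are replaced, not accumulated, so a
        transfer between departments does not leave old rights behind."""
        self._require_admin(actor)
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self._roles[user] = set(roles)
        self._active.add(user)
        self._log(actor, "provision", f"{user} -> {sorted(roles)}")

    def deprovision(self, actor: str, user: str) -> None:
        """Termination: disable the account AND drop its roles, so a later
        re-enable cannot silently restore the old permissions."""
        self._require_admin(actor)
        self._active.discard(user)
        self._roles.pop(user, None)
        self._log(actor, "deprovision", user)

    def access_review(self) -> Dict[str, Set[str]]:
        """Periodic access review: every active user with effective permissions."""
        return {u: self.effective_permissions(u) for u in sorted(self._active)}


def demo() -> Dict[str, object]:
    """Walk a constructed teller through hire, transfer and termination."""
    am = AccessManager(bootstrap_admin="sysadmin")
    am.provision("sysadmin", "alice", {"teller"})
    before = (am.check("alice", "account:read"), am.check("alice", "loan:approve"))
    am.provision("sysadmin", "alice", {"loan_officer"})          # transfer to lending
    after_move = (am.check("alice", "transaction:post"), am.check("alice", "loan:approve"))
    am.deprovision("sysadmin", "alice")                           # termination
    after_term = am.check("alice", "account:read")
    am.provision("sysadmin", "bob", {"teller"})
    try:                                                          # a teller cannot deprovision anyone
        am.deprovision("bob", "sysadmin")
        bob_blocked = False
    except PermissionDenied:
        bob_blocked = True
    return {
        "before": before,
        "after_move": after_move,
        "after_termination": after_term,
        "non_admin_blocked": bob_blocked,
        "review": am.access_review(),
        "audit_actions": [e.action for e in am.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two details a practitioner should carry over to a real IAM deployment are that `deprovision` removes role membership rather than merely flagging the account inactive, and that every denied access attempt is logged alongside the allowed ones, since a burst of denials from a single account is often the first sign of a discontented insider probing for data outside their role.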
Need More Information?
Wondering if your financial institution is at risk of a breach? Schedule a demo today!