Phishing, malware, ransomware and a host of other fraudulent activities continue to target financial institutions. History has shown that well-designed single-purpose solutions can stop specific attacks, but the capabilities of advanced malware are now so broad and sophisticated that any single protection will eventually be bypassed, opening the way to costly data breaches and other malicious activity. Perhaps most frustrating, Verizon's Data Breach Investigations Report found that 97% of the breaches it studied were avoidable through simple or intermediate controls.
To establish a secure IT network and be better protected in the digital world, banks should employ a strategy that places many uniquely tailored layers throughout their networks, from the end user to the Internet. By combining multiple controls, layered security ensures that a gap or weakness in one control, or layer of controls, is compensated for by others. For example, if a malicious email message gets past the perimeter firewall or email gateway, it should be caught by the mail server's antivirus, and if it somehow passes that layer as well, it can still be stopped by the workstation's antivirus. The layers must differ in what they detect, however: three products relying on the same signature feed will all miss the same new sample, so defense in depth depends on the diversity of controls, not merely their number.
A uniquely tailored layered security approach enables financial institutions to:
- Monitor antivirus on servers, workstations and off-site laptops;
- Use web-filtering services that evaluate site lookups to avoid exposure to compromised websites;
- Monitor networks for unusual activity and defend against both external attackers and rogue employees;
- Block or control USB and other external device ports while also monitoring which machines are accessed;
- Meet government regulations and requirements;
- Counter extortion threats by preventing an attacker from holding customers' personal data for ransom, using software purpose-built to stop ransomware; and
- Patch machines, encrypt laptops, and alert on new devices that join the network.
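The last item, alerting on new devices that join the network, is the one control in the list that is easy to show concretely. The following script is an added example, not code from the article or its white paper: it reads ISC dhcpd-style DHCPACK log lines (the log format is an assumption, and the log lines and the asset inventory are constructed for illustration), compares each leased MAC address against an approved inventory, and raises an alert when an unknown device appears or a known device announces an unexpected hostname.

```python
"""Alert on devices newly seen on the network, using DHCP server log lines.

Added example (not from the original article). Assumes an ISC dhcpd-style
log format and a hand-maintained inventory of approved MAC addresses; both
the inventory and the sample log lines below are constructed.
"""
import re
from dataclasses import dataclass

# ISC dhcpd logs a DHCPACK when it hands out a lease; the hostname in
# parentheses is present only when the client supplied one.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Approved asset inventory: MAC -> expected hostname (constructed data).
INVENTORY = {
    "00:11:22:33:44:55": "teller-ws-01",
    "00:11:22:33:44:56": "teller-ws-02",
    "aa:bb:cc:dd:ee:01": "branch-printer",
}


@dataclass(frozen=True)
class Alert:
    severity: str
    mac: str
    ip: str
    host: str
    reason: str


def parse_dhcpack(line):
    """Return (ip, mac, host) for a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower(), (m.group("host") or "")


def check_leases(lines, inventory=INVENTORY):
    """Compare every DHCPACK against the inventory and return a list of alerts.

    - Unknown MAC: a device that is not in the inventory joined the network.
    - Hostname mismatch: a known MAC announced a different hostname, which can
      mean a re-imaged machine or an attacker spoofing an approved MAC.
    Each MAC is reported at most once per run, even if it renews repeatedly.
    """
    alerts = []
    seen = set()
    for line in lines:
        parsed = parse_dhcpack(line)
        if parsed is None:
            continue
        ip, mac, host = parsed
        if mac in seen:
            continue
        seen.add(mac)
        expected = inventory.get(mac)
        if expected is None:
            alerts.append(Alert("high", mac, ip, host, "MAC not in asset inventory"))
        elif host and host != expected:
            alerts.append(Alert("medium", mac, ip, host,
                                f"hostname differs from inventory ({expected})"))
    return alerts


# Constructed sample log lines in ISC dhcpd format, not taken from a real system.
SAMPLE_LOG = [
    "Mar  3 08:01:12 dhcp1 dhcpd: DHCPREQUEST for 10.0.10.21 from 00:11:22:33:44:55 (teller-ws-01) via eth0",
    "Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.10.21 to 00:11:22:33:44:55 (teller-ws-01) via eth0",
    "Mar  3 08:02:40 dhcp1 dhcpd: DHCPACK on 10.0.10.77 to 3c:4d:5e:6f:70:81 (DESKTOP-8G2K1) via eth0",
    "Mar  3 08:03:05 dhcp1 dhcpd: DHCPACK on 10.0.10.22 to 00:11:22:33:44:56 (kali) via eth0",
    "Mar  3 08:03:09 dhcp1 dhcpd: DHCPACK on 10.0.10.77 to 3c:4d:5e:6f:70:81 (DESKTOP-8G2K1) via eth0",
    "Mar  3 08:04:00 dhcp1 dhcpd: DHCPACK on 10.0.10.30 to aa:bb:cc:dd:ee:01 via eth0",
]

if __name__ == "__main__":
    for a in check_leases(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.mac} {a.ip} {a.host!r}: {a.reason}")
```

On the sample above the script raises two alerts: a high-severity one for the unknown laptop at 10.0.10.77 and a medium-severity one for the approved workstation MAC that now calls itself "kali". Note the caveat: MAC addresses are trivially forged, so an inventory check like this is a detective control that tells you something changed; the preventive counterpart is port authentication (802.1X) so an unapproved device never receives a lease in the first place.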
Government Regulations and Guidance Around Security Expectations
There are also regulatory requirements and expectations for banks to invest in proper security. Layered security and compliance policies have come under increased regulatory focus recently, as shown by the release of the FFIEC Cybersecurity Assessment Tool (CAT) and the updated Management booklet of the FFIEC IT Examination Handbook. In addition, the responsibility for safeguarding confidential customer information is mandated by the Gramm-Leach-Bliley Act of 1999. Under this law, financial institutions must protect customer information and the systems that hold it against attack, and must detect and respond to any breach that manages to bypass those protections.
This guidance is always changing, and financial institutions must adapt to regulatory demands. IT auditors and examiners will look for evidence of a thorough risk assessment; make sure that written policies and procedures align with the assessment; and then verify that controls and daily practices are appropriate.
Each financial institution will have a different security approach based on its unique risks, but all financial institutions should implement a security plan that can effectively prevent attacks, assess vulnerabilities and constantly update security measures as new technology assets are added and government regulations evolve.
For more information please download our complimentary white paper, Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program.