Author: Brendan McGowan

Brendan McGowan is Safe Systems’ Chief Technology Officer. He oversees the development of strategic technology solutions that enhance our customers’ ability to manage IT in a compliant manner. He also oversees the Safe Systems cloud infrastructure and provides guidance to our professional services teams. McGowan graduated from Georgia Southern University with a Business Management degree in Information Systems.
14 May 2020
Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Cloud technology has been driving efficiency and innovation across many industries for years and today, many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

  • Experimentation
  • If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

  • Fast Turnup and Fast Turndown
  • Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

  • Elasticity
  • The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

  • Serverless Functions
  • Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

01 May 2020
Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

  1. Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
  2. Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

  • Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
  • DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
  • URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
  • Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

27 Feb 2020
Top 3 Cybersecurity Threats CEOs Need to Be Aware of in 2020

Top 3 Cybersecurity Threats CEOs Need to Be Aware of in 2020

Top 3 Cybersecurity Threats CEOs Need to Be Aware of in 2020

We recently conducted a sentiment survey to ask our community bank and credit union customers about their top worries for 2020. Cybersecurity was at the top of the list for most institutions and not without reason. According to a recent Boston Consulting Group report, cyber-attacks are 300 times more likely to hit financial firms than any other company.

In an effort to help community bank and credit union CEOs prepare for cybersecurity threats in 2020, I recently shared a video from my “Banking Bits and Bytes Super Duper CEO Series,” covering the current threat landscape and what financial institution CEOs need to look out for over the next 12 months. Here are three key areas to focus on:

Business Email Compromise

Business email compromise isn’t a new cybersecurity threat to financial institutions, but we’ve recently seen increased incidents of these malicious emails in community banks and credit unions. We often see this happen when the CFO at a bank receives an email that appears to come from the CEO asking them to send a wire transfer on their behalf. These types of emails are able to easily slip through email filters because they don’t contain any malicious code. It is just a plain text message so it can easily be viewed as a non-threatening email to an employee. This is why user security awareness training is the most important counter measure to prevent employees from interacting with these messages.

Extortion Emails

New call-to-actionTop IT Areas Where CEOs Should Focus to Enhance Cybersecurity Posture  Get a Copy

We’ve also seen a rise in extortion emails claiming to have compromising information about a financial institution executive that will be released to the public unless a ransom is paid. In these emails, hackers may also claim to know username and password pairings and say they have hacked into a victim’s computer. Fortunately, these threats are rarely – if ever — true or accurate, but this has still raised concerns from many executives.

The best way to guard against this sort of attack is to use different passwords for different accounts and to change those passwords often. Multi-factor authentication is another very effective tool in protecting against extortion. Also, ensuring your institution has quality user security awareness training prevents someone from mistakenly responding to these emails.

Internet of Things (IoT)

Most people think of the IoT as devices like the Amazon Echo or the Google Nest Thermostat, but that’s not what we’re talking about here. While most Windows PCs in financial institutions have effective security measures in place to protect against threats, there are other items on the network like multi-function printers; network connected LaserJet printers; the digital signage in front of the institution; or the even the DVR system or security camera from third-party providers, that can present an opportunity for criminals.

These devices are often on the network and as a result, can “see” the other devices connected to the network. They are often communicating with devices outside of the institution and unfortunately, you don’t have the ability to control the software that runs these devices; manage the patch level; or dictate who the device can talk to or how it does so. Financial institutions can compensate for this lack of control through careful network topology design; careful perimeter security rules; and installing detective technologies on the network to know when these IoT devices are up to no good.

As cybersecurity threats become more complex, so too must the measures that CEOs employ within their institutions to counter these threats. To learn more about security threats and how to protect your institution, watch the full “Banking Bits and Bytes Super Duper CEO Series” below.

 


 

26 Sep 2019
2019 Threat Outlook

2019 Threat Outlook – Business Email Compromise Continues to Threaten Banks and Credit Unions

2019 Threat Outlook

Today, cybersecurity threats are ubiquitous. Cyber attackers are infiltrating email systems, computer networks and anywhere else they can find weaknesses to exploit. They’re using a variety of schemes to steal data, money and other assets—and tarnish corporate reputations.

Financial institutions are prime targets for cyber criminals, which is why cybersecurity must be a top priority. In 2018 alone, more than 500 security incidents affected financial and insurance organizations—with almost 25 percent having confirmed data disclosure, according to the Verizon Data Breach Investigations Report.

In addition, the costs to remedy the damage from cybercrime is higher than ever, and still growing. Now, the average cost of cybercrime for an organization is $13.0 million, up from $1.4 million in 2017, according to Accenture’s 2019 Cost of Cybercrime Study.

The Rise of Business Email Compromise

New call-to-actionTop IT Areas Where CEOs Should Focus to Enhance Cybersecurity Posture  Get a Copy

Not only are cyber threats rampant, but they’re becoming more devious and complex. For example, business email compromise (BEC) is one of the top threat vectors for 2019. BEC is a sophisticated type of phishing scam that’s perpetrated through five main scenarios, according to the FBI’s Internet Crime Complaint Center (IC3). Often, BEC scammers pretend to be a foreign supplier and attempt to trick employees into wiring funds for outstanding invoices into their bank account. In another common BEC scam, attackers impersonate a high-level executive, such as a CIO, CEO, or CFO, to try to deceive employees into wiring money.

However, BEC doesn’t always entail requesting wire transfers. More recently, BEC has involved data theft—the receipt of fraudulent emails asking for either wage or tax statement forms or a company list of personally identifiable information (PII). Regardless of the scenario, the business executive’s email is compromised, either by hacking (normally through a personal email account) or spoofing (altering the sender’s information to mimic a legitimate email request).

Like other cybercrimes, BEC continues to evolve and is rapidly expanding. The scam has been reported by victims in all 50 states and in 100 countries, according to IC3. Many BEC complaints have involved businesses and associated personnel using open source email accounts; the phrases “code to admin expenses” or “urgent wire transfer;” requested dollar amounts that are similar to normal business transaction amounts; and IP addresses that frequently trace back to free domain registrars.

Strengthen Cybersecurity Processes

Financial institutions and other organizations can protect themselves from BEC by implementing robust internal prevention techniques at all levels, particularly with front-line employees who are more likely to receive initial phishing emails. Some institutions are reducing BEC-related fraud by simply holding customer requests for international wire transfers for an additional time period to verify the legitimacy of the request. Other IC3-recommended strategies for strengthening bank cybersecurity against BEC include:

  • Avoid free web-based e-mail accounts;
  • Be careful about what is posted to social media and company websites (especially job duties/descriptions, hierarchal information, and out of office details);
  • Be suspicious of requests for secrecy or pressure to take action quickly;
  • Consider using additional IT and bank cybersecurity procedures, including a two-step verification process;
  • Beware of sudden changes in business practices, such as being asked to contact a business associate through a personal email instead of company email address; and
  • Provide security awareness training to all employees.

Regardless of the threat outlook for BEC and other cyber-attacks, financial institutions must have effective tactics for safeguarding their customer information, infrastructure and operations. This necessitates meeting regulatory and industry compliance standards for collecting, protecting and using private financial data.

To gain more insight into this area, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

 
 
18 Jul 2019
Security Layers – 4 Key Areas All Bank and Credit Union CEOs Should Consider

Security Layers – 4 Key Areas All Bank and Credit Union CEOs Should Consider

Security Layers – 4 Key Areas All Bank and Credit Union CEOs Should Consider

In today’s world of escalating cyber-attacks, the importance of security layers can never be overemphasized. This is especially true for financial institutions, which are obligated to safeguard customer information, prevent identity theft, and protect their operations. No entity, computer network, or individual is unaffected by cyber threats, but a layered approach to security can significantly minimize cybercrimes.

While the IT department and security officers typically determine and recommend security measures, it is ultimately the CEO who is responsible for the overall health and well-being of the bank or credit union. Therefore, CEOs of financial institutions should be thinking about and asking the following questions in this area:

  1. Is there a security layer that most networks are missing?
  2. Monitoring the internal network, outside of the endpoints, is important and an area that many banks and credit unions don’t focus on. While most organizations have perimeter defense technologies, such as firewalls and intrusion prevention systems and endpoint technologies like anti-malware software, many don’t pay close enough attention to the internal network itself. Having stronger internal network security is vital to prevent breaches and internal attacks and makes for a stronger overall network.

  3. What is the single most effective layer?
  4. User training is hands down the most effective layer. Users are considered to be the first line of defense, and sadly are often seen as the weakest link in the security chain. To strengthen this link and prevent attacks, user education and training is important.

  5. What are some security layers all banks and credit unions should have?
  6. Security layers represent multiple levels of defense against potential bad actors and cyber-attacks. As such, a layered security program should involve a variety of components, depending on the assets protected, vulnerabilities, and the institution’s operations. A layered security program entails using different controls at different points in a transaction process. The underlying strategy is that a weakness in one control is generally compensated for by the strength of another control.

    According to the Federal Financial Institutions Examination Council (FFIEC), some effective controls that can support layered security are:

    • fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
    • using dual customer authorization through different access devices;
    • using out-of-band verification for transaction;
    • a thorough and up-to-date patch management system;
    • vulnerability scanning and penetration testing; and
    • end-point security and resilience controls.

  7. What are the three main types of controls?
  8. Security controls generally fall into three types: protective, detective, and reactive (or corrective). Protective controls are tactics a bank or credit union can implement to prepare for and prevent a cyberattack. They encompass things like dual controls, segregation of duties, system password policies, access control lists, training, and physical access controls. Detective controls indicate that a cyberattack is taking place. Even the audit process can be detective because it uncovers control weaknesses by looking for failures after they have happened. Reactive controls are implemented to respond to an attack in progress. Essentially, they’re intended to mitigate exposure after something happens.

New types of cyber-threats and incidents are constantly emerging, and CEOs need to be prepared to protect their institutions and the data they house. With the proper controls, layered security can be an effective way for financial institutions to defend network perimeters and endpoints against potential cyber threats. There are many other areas related to security layers that CEOs and senior management should be considering. To gain more insight into those areas, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

White Paper Download

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.
Free White Paper

20 Dec 2017
2017 12 5 Things to Consider Before Moving to the Cloud

5 Questions to Ask Before Moving to the Cloud

2017 12 5 Things to Consider Before Moving to the Cloud

The allure of having applications and systems hosted on a cloud network is appealing to community banks and credit unions as it allows them to eliminate servers, internal infrastructure, and applications that would typically have to be hosted inside the institution, as well as the associated support each one requires. As a result, many organizations are considering, or currently in the process of, moving to cloud-based systems.

While the cloud can certainly help streamline processes and increase bandwidth for bank staff, there are a number of details that community banks and credit unions should consider before making this transition, beginning with the cloud destinations or management types:

The Infrastructure Management Types

All hardware is located on-site at the financial institution.

All hardware is housed at a third-party data center. This solves the issue of location.

A cloud provider hosts the infrastructure components traditionally housed in an on premise data center, including servers, storage and networking hardware. It solves the issue of location + hardware storage.

A cloud computing model where a third-party provider delivers hardware and software tools to users over the internet. This model solves the issues of location + hardware + platform.

A software distribution model in which a third-party provider hosts applications and makes them available to customers over the Internet. Some examples include Gmail, Facebook and Office365. This model solves the issues of location + hardware + platform + software.

Cloud services offer many benefits for financial institutions, including system standardization, centralization of information, the simplification of IT management and the built-in ability to stay current with technology updates and vendor software releases. For cloud services to be implemented successfully, financial institutions must understand the different types of cloud environments that are available and which one best meets the strategic objectives of their institution. Each bank has a unique corporate strategy that will guide how it moves to the cloud, what type of cloud solution is best for its environment and what specific technology assets should be moved to the cloud.

Here are five questions you should ask before making the decision to move to the cloud:

  1. Which applications can we move to the cloud?
  2. Evaluating which applications can be moved to the cloud and which vendors offer cloud-based solutions is really the first step. This will help organizations understand issues and elements that will be solved or created by the move to the cloud. For example, even with cloud-based solutions, financial institutions will still need to manage user work stations, security issues, connections to applications, and switches and routers, to name a few.

    Free eBookEverything You Need to Know About the Cloud Get a Copy

  3. Does moving to the cloud fit with our corporate strategy?
  4. Some organizations consider moving to the cloud simply because they think it is the right thing to do; however, there is no set path that all financial institutions must follow. Each bank has a unique strategy that is driven by its market situation, such as the desire to expand service offerings, open new branches, merge with another institution or even be acquired. Your corporate strategy informs your institution’s IT strategy and will guide you in choosing the management type that best fits your overall goal.

  5. Is the connectivity at my bank strong enough to support cloud-based solutions?
  6. Delays in loading cloud-based applications can be frustrating as well as costly. The increased use of cloud-based computing will place added demands on Internet speed and connectivity, making a strong connection critical for the success and health of the financial institution. This is a very important consideration when determining whether to move to cloud-based services. Confirming your institution has the proper connectivity will certainly help streamline this transition.

  7. Are there additional security, risk and compliance issues to consider when moving to the cloud?
  8. Moving to a cloud-based application will mean giving up some controls to the cloud vendor. When selecting a cloud vendor, evaluate their practices and strategies for user identity and access management, data protection, incident response and SOC 2 Type II documentation. You should have a solid vendor management program in place to verify that your vendors are compliant and are following the service agreement.

  9. Will moving to the cloud save my institution money and cut down on IT costs?
  10. Many financial institutions find that the transition does not translate to a lower price tag, and in-fact can result in the bank actually spending more. However, with this expense comes the simplification of IT management and the built-in ability to stay up to date with software releases. Migrating to the cloud commonly requires an organization to move from a capital expenditure (CAPEX) to an operating expenditure (OPEX) financial model, in which large capital outlays for purchase of servers, computers and networking hardware, are replaced by monthly, quarterly, or annual fees that an institution pays to operate the application.

    An application hosted in the cloud does not require any major capital investments for the institution. While the monthly fee in the OPEX model may be higher than the hardware and software costs, it eliminates the responsibility and indirect expense of bank personnel having to maintain the IT infrastructure. Think of these pricing models in the same way as owning a car versus taking Uber. When you own a car, you are responsible for its general upkeep, paying for gas, cleaning the car, etc. When you take Uber you simply pay for the ride and the driver is responsible for the vehicle’s upkeep. While you may pay a little more for that Uber ride, you gain more free time to focus on activities you enjoy.

Working with a financial industry IT service provider, like Safe Systems, can help you with the decision-making process involved with moving to the cloud while ensuring the solution and applications are compliant and meet regulatory expectations. We work with each institution to create a plan, based on their goals and strategies, to determine what can and should be moved to the cloud. Ultimately, moving IT assets to the cloud enables your bank and IT executives to focus on the key capabilities that support your bank’s unique strategy.


White Paper Download

2017 Community Bank Information Technology Outlook

Primary Research and Analysis of Your IT Priorities in 2017
White Paper Download

23 Sep 2016

Banks Beware: Not all Clouds are Created Equal

Banks Beware: Not all Clouds are Created Equal

Many banks today are finding the cloud to be very appealing for their business objectives. Cloud services offer many benefits for banks, including reduced IT ownership costs, system standardization, centralization of information, the simplification of IT management and the built-in ability to stay up to date with technology updates and vendor software releases. In order for cloud services to be implemented successfully, financial institutions need to consider and understand the different types of cloud environments that are available.

Today, cloud computing can be implemented in three different ways: public clouds, private clouds and hybrid clouds. Each approach requires different levels of security and management based upon the applications involved and the nature of the data, government regulations and compliance issues at stake. Let’s take a closer look at the different options available for cloud services.

Public Cloud

A public cloud is a multi-tenant technology platform that any organization with a credit card, including banks, manufacturers and retailers, can sign up for and consume the needed technology resources. The purest definition of a public cloud, for example, would be a service like Amazon Web Services or Microsoft Azure. Community banks that select this option for cloud services can easily put any application they choose into the cloud. Many financial institutions choose this option because it is inexpensive to set up and to use the service. All hardware, maintenance and communication costs are covered by the provider, allowing banks to utilize a pay-per-usage model where the only costs incurred are based on the IT capacity that is used.

While public clouds are the lowest direct expense option for IT assets, they do pose some limitations. This model uses custom configuration, security, and SLA specificity that can be hard to implement, which poses challenges for financial institutions due to the regulations governing data security and compliance.

Private Cloud

Free eBookEverything You Need to Know About the Cloud Get a Copy

Private clouds deliver similar advantages to public clouds, but with additional layers of security and required regulations for financial institutions. Unlike public clouds, which deliver services to multiple organizations using a multi-tenant technology platform, private clouds have been modified by providers to offer unique features and controls designed for the specific needs of vertical markets such as financial institutions. The hardware, data storage, and networking are customized to ensure higher levels of security and eliminate compliance and data privacy issues.

The goal of a private cloud is to gain the benefits of cloud architecture without giving up the control financial institutions have in maintaining their own data center. However, there is a price for this. It is going to be more expensive and harder to implement a private cloud service than a public cloud approach for the average small-to-medium sized community bank.

Hybrid Cloud

In a hybrid cloud environment, banks can choose to have some legacy applications and supporting IT assets remain on premise and some applications move to a cloud provider, while supporting communication between the two technology platforms.

Using a hybrid approach enables banks to migrate select IT assets to the cloud while still maintaining the internal assets required to manage certain legacy applications that are not yet ready to move to the cloud. By allowing workloads to move between the on premise and cloud computing platforms, banks have access to greater flexibility and more data deployment options as needs and costs change.

The Ideal Environment for Banks

Each bank has a unique corporate strategy that will guide how they move to the cloud, what type of cloud solution is best for their environment and what specific technology assets should be moved to the cloud. While the idea behind moving to the cloud is to eliminate servers, internal infrastructure, and applications that must be physically hosted inside your bank, as well as the associated work required to manage each one, there should be a process to determine the appropriate cloud solution for your institution.

Evaluating the various cloud options can be daunting for community banks. Working with a financial industry IT network service provider, such as Safe Systems, can help you with the decision process as well as the design and move to the cloud while ensuring the solution and applications are compliant and meet regulatory expectations. We work with each institution to create a plan, based on their goals and strategies, to determine what can and should be moved to the cloud. Ultimately, moving IT assets to the cloud enables your bank and IT executives to focus on the key capabilities that support your bank’s unique strategy and lets bankers go back to being bankers!

17 Aug 2016

4 Steps for Moving Your Community Bank’s Server Workloads to the Cloud

More and more organizations are moving line of business and ancillary systems to the cloud including community banks and credit unions. Moving applications to the cloud is a way for financial institutions to control spending, ensure compliance with regulations, and enable employees to focus on revenue generating activities. Cloud outsourcing may start with specific IT functions or processes such as disaster recovery, backup and network servers.

Today, core banking services are almost exclusively hosted from the cloud. The in-house servers, or the servers running ancillary systems, consist of lending applications, Microsoft applications, internal accounting applications, and voice response systems, among others. There is a lot of infrastructure involved in managing all the applications needed to run an efficient and successful financial institution.
While the cloud has proven to be beneficial for banks by enabling the limited in-house personnel to focus on core strategic initiatives instead of worrying about IT infrastructure, there are steps all financial institutions must follow. Here are four things to consider before moving your bank’s critical data to the cloud.

Support Your Bank’s Corporate Strategy

Each bank has a unique corporate strategy that is driven by its market situation, such as the desire to expand services offered, open new branches, merge with another institution or even to be acquired. This strategy will guide how and what should be moved to the cloud.

Catalog the Application Opportunities

Before moving to the cloud, your IT team must understand the requirements of the applications that are being used. Evaluate the IT infrastructure that must exist to provide each application and determine how to minimize the amount of IT assets that are needed internally. Then, the applications that can be moved to the cloud can be identified.

Determine the Best Cloud Service for your Bank

The idea behind moving to the cloud is to eliminate servers, internal infrastructure, and applications that must be hosted inside your bank, as well as the associated work to manage each one. This enables your IT team to work on higher value, strategically critical projects.

There are three options to do this:

  • Simply move your servers to a co-location facility or data center. This can be an attractive option since it does not require extensive configuration changes to applications and servers, but moves these critical assets out of the bank building to a highly available datacenter.
  • Move to an Infrastructure as a Service (IaaS) model, which means that instead of physically moving servers that you own, you pay a service provider to lease out the server capacity you need. You access the servers remotely to install, run, and maintain your applications. This can be a challenging option. It can be rather expensive, and the financial institution and IT personnel are still required to manage the process and technical specifications. IT personnel must reinstall all applications in a new environment and change all networking at the same time, which is a cumbersome and time consuming process to manage.
  • Rather than setting up additional infrastructure, banks are turning to the Software as a Service (SaaS) model, which is a software licensing fee and delivery model in which software is licensed on a subscription basis and is centrally hosted by the application software provider. This often enables financial institutions to run their applications from a browser, is supported by the developer and has no additional infrastructure to maintain.

Develop a Phased Approach

Long term, banks should consider moving all of their applications to the cloud, and most of the applications are ready to do so today. The migration should be completed in multiple phases, enabling a smoother transition. However, the applications that are not technically ready should not be forced to move as this can cause unnecessary complications and technical issues. Today, financial systems and even Microsoft solutions are cloud-based.

While the benefits of cloud computing — improved efficiency, scalability, cost, reliability, improved access, consistent security and compliance and compensation??? for limited in-house resources — are clear, making the leap to these services can be challenging and a daunting task for some community banks. Working with an outsourced service provider, such as Safe Systems, can help with the process, design and installation while ensuring the systems are compliant and meet all regulator expectations. Our cloud services are built specifically for community banks. With focus on regulatory guidance and compliance, we do extensive and rigorous vendor management vetting of all cloud providers before we offer or recommend a provider or service. We have more than 20 years’ experience offering products and services exclusively to community banks and credit unions. Safe Systems helps financial institutions to significantly decrease costs, increase performance, and improve their FFIEC compliance posture. Working with Safe Systems lets bankers go back to being bankers!




Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



7 Reasons Why Small Community Banks Should Outsource IT Network Management