Financial institutions have always been a prime target for bad actors. As a result, they have continued to maintain formidable barriers against external cyber security threats. However, regardless of their best efforts, the industry remains vulnerable to data breaches.
For example, two major Canadian banks were recently held to ransom to the tune of $1 million. In this particular security event, hackers were able to gain access to sensitive personal records of approximately 90,000 customers.
However, the stolen data wasn’t sold on the dark web. Instead, it was used to extort money from both BMO and CIBC-owned Simplii.
These types of attacks reaffirm the fact that protecting yourself against a data breach will be an ongoing activity, not a one-size-fits-all solution.
So how can banks and other financial institutions stay a step ahead of bad actors? Let’s take a look.
1. Conduct Regular Security Audits
Financial institutions have to conduct security audits to maintain compliance and protect themselves from a data breach. However, banks should take it to the next level and regularly engage in this activity.
When you perform a security audit, you should do the following:
- Identify and analyze current and future risks
- Understand how customer data is stored and accessed
- Develop, implement, and (regularly) update a risk management plan to mitigate these risks
- Conduct (white hat) testing and make adjustments as needed
By conducting security audits, banks can review and update their information security policies and best practices to improve their internal security program and mitigate risk.
2. Review the Architecture, Database, and Codebase
How often does your financial institution perform an in-depth review of the application’s architecture, database, and the code base?
It’s an important question that every organization should ask themselves frequently. It’s crucial because customer needs change all the time and as banks rush to meet these needs, they can quickly open themselves up for a data breach.
So if you’ve been adding new features and functionalities and haven’t conducted an in-depth review, there’s no time like the present!
Architecture Review
A detailed review of the architecture will demand interactions with the product and technical teams. To develop a clear picture of where you stand at present and where you’re headed, the security team will have to hold detailed discussions with all stakeholders.
When you engage in discussions about the architecture, you will gain profound insights into the following:
- Current security issues
- Availability problems with the existing architecture
- Performance related challenges
- Scalability and potential security issues
- Longterm performance and security solutions
Database Review
These discussions have to continue with database administrators and specialists to get a better idea of the current application environment.
Detailed discussions about databases should include the following:
- Analysis of current performance levels (and how it will be reviewed?)
- Authorization and authentications
- Critical attributes of data types
- Current data backup and retrieval mechanisms
- Current table structures
- Existing Schema
- Performance metrics
- Queries used
- Security parameters implemented in the database
- Types of users
- Usage scenarios
This approach will help fill in the gaps and optimize the existing database infrastructure. It’s also a great way to address performance issues while enhancing the overall security of internal databases.
Code Review
Conducting an in-depth code review also starts with talking to all stakeholders to understand the application in detail. When you’re ready to dive in and take a look at the code, make sure that it’s done across all modules to understand how the code functions across different levels.
At this juncture, you can also explore various scenarios to see if the code’s behavior can potentially leave the financial institution vulnerable to a breach.
When you perform a detailed code review, make sure that you do the following:
- Determine how you can improve the quality of the codebase
- Understand how you can improve security
- Optimize data flow management
- Engage in extensive (white hat) testing
At the end of an exhaustive review, the bank will be in a better protected from external threats.
3. Engage in Employee Training
While hacking tools and techniques have become more sophisticated, simple old school social engineering phishing techniques still rake in the profits. This means that banks should focus on their weakest link - the human element, to better secure their IT infrastructure.
Employee training workshops should include activities that boost awareness of the following:
- Corporate policies
- Downloading and executing unknown applications
- Protocols to report suspicious emails and attachments
- Relevant regulations
At the same time, you should also make staff aware that phishing messages can be sent to their personal email addresses to bypass the internal network perimeter.
This method has been highly successful for the following criminal entities:
- Carbanak
- Cobalt
- GCMAN
- Lazarus
- Metel
When you conduct training sessions on a regular basis, employees will be more aware of the latest attacks and scams. They will also be better equipped to identify a potential social engineering attack. However, if you don’t do this on a regular basis, you risk making security an afterthought.
4. Develop a Customized Risk Management Plan (That Works for You)
Every bank is different, and the technology they use will be different. This makes it important to develop a customized risk management plan that works for your financial institution.
Your bank’s risk management plan should be able to adapt based on the following:
- Evolving banking regulations
- Customer expectations
- Changing technology and advanced analytics (big data, artificial intelligence, and machine learning)
- New risks and emerging threats
When you have a robust risk management plan in place, you will be able to respond effectively to an attack in progress.
As cybercrime proliferates, there will be a strong temptation to hide these incidents from the public. However, this approach will be counterproductive and hinder your efforts to learn more about the latest data breach techniques.
As a result, it’s critical for banks to share information and work together to spread awareness throughout the industry.