While several industries, including business and education, make up a big portion of yearly data breach counts, banks and credit unions aren’t left risk free. According to the Identity Theft Resource Center (ITRC), the banking/credit/financial sector totals 5.8% of 2017’s data breaches as of June 30, 2017. That’s up two percent from 2016’s first half, a bigger rise than every industry sector except business.
2017 is almost over, but there’s still time for hackers to score successful data breaches … and still time for banks and credit unions to prevent them. Here are five things you can implement right now to strengthen the security defenses of your bank or credit union.
1. Make multi-factor authentication mandatory for all accounts
Multi-factor authentication (MFA) is not new. In fact, as of last year, 93% of organizations have access to or use MFA for their employee or customer accounts. Despite this, many organizations, especially banks and credit unions, don’t require MFA for customer accounts. Some don’t even require password updates (though whether or not this helps make accounts secure is debatable).
In late 2016, a bank in Brazil suffered huge losses when their online banking information was rerouted by hackers to fake servers. They didn’t have MFA enabled. In an article on the breach, Payments Source writes that “a simple one-time password or push authentication would have alerted DNS administrators to [the DNS security breach] before the hackers were able to take control of all of the systems.”
JPMorgan Chase is another example of a financial institution that was attacked because they lacked MFA on one of their servers. “The attackers stole the login credentials of a JPMorgan employee and were able to access the server,” reports Secure Link. “[They] were eventually able to gain access to more than 90 servers at the bank.”
Passwords, by themselves, are no longer a valid method for protecting customer banking information. To combat potential data breaches, use multi-factor authentication for all accounts in your organization. Rather than making it an option (allowing accounts to opt in or opt out of MFA), implement it as a mandatory level of protection that’ll be far harder to hack and compromise.
What layers of authentication should you use? Some banks choose a combination of passwords, PINs, security questions, and SMS text messages. If you’re feeling more modern, this article from the Financial Industry Regulatory Authority suggests that many financial institutions are starting to implement biometric authentication as well, like fingerprints or voice recognition.
Once you have MFA in place, trigger it upon every login, not just when dealing with strange activity or large transactions. It may be seen as a nuisance at first, but what’s worse? A customer or employee that takes 20 seconds longer to access their account or a serious blow to your finances and reputation?
To learn more about how multi-factor authentication enhances data security, check out this video with Robin Tatam, Director of Security Technologies at HelpSystems.
2. Switch to EMV chip and PIN combinations for cards
In the last couple of years, banks and credit unions have slowly transitioned from cards with magnetic stripes only to cards with stripes, EMV chips, and PINs. The deadline to move to EMV technology was October 2015, but as of late 2016, many organizations had yet to transition. And for those who still haven’t, there could be a huge opening in their cybersecurity for hackers to steal customer info.
While EMV chips can’t stop data breaches and other attempts at card fraud, they can make the information stolen from the card less useful to hackers. According to leading credit card processor and POS solution provider Vantiv, “the magnetic stripe [on traditional cards] contains unchanging data that is used each time a purchase is made,” rendering the card risky at best—and “a prime [target] for hackers.” EMV chips, on the other hand, create unique data for each transaction that’s never stored in the card. So even if a hacker manages to steal data from a single transaction, it becomes immediately useless.
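The contrast described above between unchanging stripe data and per-transaction chip data, as an added example that is not from the original article. It is a simplified model: an HMAC over a counter, amount and terminal nonce stands in for the real EMV cryptogram, and the key, track string, class and function names are all constructed for illustration.

```python
import hashlib
import hmac
import struct

CARD_KEY = b"constructed-demo-key"        # constructed; shared by card and issuer
STATIC_TRACK = b"CONSTRUCTED-TRACK-DATA"  # constructed stand-in for stripe contents

def stripe_authorize(presented: bytes) -> bool:
    """Stripe model: the issuer can only compare unchanging data."""
    return hmac.compare_digest(presented, STATIC_TRACK)

class Chip:
    """Card side: holds the key and a transaction counter that only goes up."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def sign(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self._counter += 1
        msg = struct.pack(">IQ", self._counter, amount_cents) + terminal_nonce
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"counter": self._counter, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}

class Issuer:
    """Issuer side: checks the MAC and refuses any counter already seen."""
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def authorize(self, txn: dict) -> str:
        msg = struct.pack(">IQ", txn["counter"], txn["amount"]) + txn["nonce"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, txn["mac"]):
            return "declined: bad cryptogram"
        if txn["counter"] <= self._last_counter:
            return "declined: replayed counter"
        self._last_counter = txn["counter"]
        return "approved"

def demo() -> dict:
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    first = chip.sign(2500, b"nonce-01")
    return {
        # A byte-for-byte copy of stripe data is indistinguishable from the card.
        "stripe_copy": stripe_authorize(bytes(STATIC_TRACK)),
        "chip_first": issuer.authorize(first),
        # The same captured chip transaction is worthless the second time.
        "chip_copy": issuer.authorize(dict(first)),
        "chip_altered": issuer.authorize({**first, "amount": 999900}),
        "chip_next": issuer.authorize(chip.sign(1200, b"nonce-02")),
    }
```

Calling `demo()` returns the issuer's decision for each case: the copied stripe data is accepted, while the copied or altered chip transaction is declined and the next genuine one is approved.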
If you haven’t switched to EMV chip cards yet, do it soon. It won’t stop fraud in its tracks, but it’ll remove the “low-hanging fruit” in your organization and help limit what information hackers steal from your customers. Furthermore, Visa’s deadline for ATMs to have EMV readers arrives this October. Mastercard’s went into effect last year.
If you have switched to EMV chip technology, consider making the move to PIN verification over chip-and-signature verification. Many banks have resisted this change, citing inconvenience to customers, but signatures are incredibly easy to duplicate. At the very least, PINs offer one final layer of security between someone with a stolen card and a customer’s hard-earned money.
Pay Junction, a merchant account provider, writes in favor of the chip and PIN method of security. “If you put short-term concerns aside for long-term security, EMV cards with chip and PIN verification are the better option. In the event of a lost or stolen card, PIN verification is more effective at combating fraud because PINs are securely stored in the chip technology.”
3. Use a Managed File Transfer Solution to Secure Your Data
PCI DSS requires banks and credit unions to “use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open, public networks.” This means that all data transferred using the internet, the cloud, or from one remote location to another must be encrypted with secure network protocols.
Data that isn’t properly encrypted, both in transit and at rest, is at risk of compromise. Just this year, a database containing 20,000 customers was breached at Scottrade Bank. The database had no encryption and exposed social security numbers, names, and other personal information—as well as employee credentials. Sadly, this all could’ve been prevented with basic cybersecurity tactics and minor planning.
Secure every file, folder, and database on public and private networks with strong encryption methods like AES and OpenPGP (if the data’s at rest) and SFTP, FTPS, AS2, and HTTPS (if you’re sending or receiving data). PCI DSS may only ask for banks and credit unions to safeguard customer information in transit, but as Scottrade Bank discovered, data can be compromised internally too.
Implement a managed file transfer (MFT) solution in your organization. MFT will help guard your data against data breaches through robust security and encryption methods, all while streamlining the file transfer process to save you time and resources.
GoAnywhere MFT, our all-in-one file transfer solution, provides secure connections for the transmission of data, integration with existing critical applications, role-based security and user authentication, a Security Settings Audit Report for PCI DSS compliance, workflows that can be automated and scheduled, secure folders, mail, and forms to protect your assets, and more.
Interested in seeing how GoAnywhere MFT can meet your security needs and help you meet PCI DSS compliance requirements? Request a demo with one of our friendly product specialists.
4. Create and Implement a Security Awareness Program
Spear phishing remains one of the most frequently used ways to compromise a company’s sensitive information. This is a troubling fact; the financial stakes are far too high, with the global cost of a data breach averaging over $3 million, for a malicious email to cause such pain for customers and institutions alike. Even worse? The breaches created by spear phishing are entirely preventable.
It’s no secret: the biggest vulnerability for companies fighting spear phishing is human error. Dark Reading, an online community for security professionals, explains the conundrum in their briefing on a recent study from email phishing tool PhishMe: “[The report] found that 91% of cyberattacks start with a phish, [and] the top reasons people are duped by phishing emails are curiosity, fear, and urgency.”
Banks aren’t immune to these behaviors. The Bank of Canada, for example, has struggled to keep their employees from clicking suspicious emails or attachments despite warning them not to. Financial Post writes that “humans are the weak link in the central bank’s cybersecurity defences. In addition to employees tricked into opening malicious emails, there were users who downloaded malware while surfing the web or browsing through online shopping emails sent to their work addresses.”
Most people know not to click on suspicious links or attachments from “foreign princes” and institutions they’ve never shopped at, but just as we’ve gotten smarter, so have hackers. Most malware and scams are hidden behind emails from valid-looking senders, like the company’s CEO or accounting department (read more about this phishing strategy, and how to protect yourself against it, here).
So, what’s the best way to fight this type of spear phishing? Employee education and empowerment.
Make cybersecurity a main focus in your organization. Strategize and outline a good security awareness program, then implement it, starting from each employee’s onboarding process. Require frequent training sessions to keep the entire company up to date with the latest security vulnerabilities and policies, but make it fun. The more employees feel empowered and included in the success of the organization, the more personal following proper security measures will feel.
Earlier this year, we interviewed Kathryn Anderson of Backbone Consultants, who helped create a security awareness program at a Fortune 500 consumer food company. As she implemented an anti-phishing program, she noticed that “security became part of [employee] job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”
The takeaway? Don’t let your team players be your downfall. Instead, make them valuable security warriors by teaching them your organization’s best security practices.
5. Identify Your Weaknesses with a Risk Assessment
You can’t know what security weaknesses you have if you can’t see them. With data breach statistics at an all-time high, it’s more imperative than ever for banks and credit unions to take a long, hard look at every part of their organization. Systems, user accounts, any devices used on the network, even third-party vendors could be the culprits of gaps in your cybersecurity.
According to this article on cybersecurity and regulatory compliance, “cyberrisk is a broad-reaching, enterprise-level risk, and financial institutions are in a uniquely challenging position. In banking, the push for digital innovation, disruptive technologies, and delivery of more personalized customer experiences continuously introduces new threats.” Because of these constant changes and improvements, banks and credit unions often fall short on their risk assessments. They miss the small details in a whirlwind of progress and business goals.
To combat business vulnerabilities and bridge the gaps in your cybersecurity, aim for frequent risk assessments in your organization. Most banks and credit unions already need to do this annually in order to be PCI DSS compliant. However, it doesn’t hurt to conduct them more frequently, especially when introducing new third-party vendors, adding new locations or offices, or introducing new devices.
Figure out a way to streamline your assessments. Manual risk assessments can be done, although they’re typically time consuming and leave room for human error. You can also use software to automate your evaluations. A good solution will track and audit your activity logs, secure your files, provide good key management, and let you run reports that review and export important system information. An even better solution will do all that—and help you meet PCI DSS compliance requirements in a variety of ways.
If you’re using the IBM i in your financial organization, try this free security scan to see a snapshot of your current system state, identify your weaknesses, and receive suggestions on steps you can take to protect your data.