Data within a financial institution has three primary states: data at rest, data on the move and data in use.
Data at rest is data that is not being used or accessed. Data in use is information that is being processed, updated, accessed, or read by a system.
But the point at which the risk of a breach is highest for a financial institution is when data is on the move. This term refers to data in transit between locations, whether between computer systems or between the cloud and a computer.
Banks and credit unions manage a lot of data, and the systems used to protect that data are becoming more sophisticated and complex. But data on the move continues to be a challenge for many.
Here’s what banking leaders should know about mitigating the potential risk.
What Are the Biggest Threats to Data Security?
To protect their data, financial institutions must monitor for potential weaknesses that could be exploited and brace for many different types of incursions. Some of these include:
Data Breaches: This refers to the theft of sensitive or confidential data. The data that’s usually stolen includes personally identifiable information, like social security numbers, credit card numbers, taxpayer identification numbers, and bank account numbers. Data breaches damage a company’s reputation and can lead to financial losses for its customers.
Unauthorized Third-Party Access: This type of attack involves unauthorized access to the devices, applications, data, networks, or endpoints at a bank or credit union. Broken or misconfigured access control is the leading cause of this problem.
Lack of Control over Cloud-Based Applications: Companies typically have many software-as-a-service applications, which tend to be cloud-based. A vulnerability in any one of these can become an entry point for a hacker.
Human Error: Technical safety valves often fail to protect data on the move due to human error. These mistakes happen because employees sometimes lack cybersecurity knowledge or the required skills to notice a potential threat.
Technology Challenges: Technology is constantly evolving, and cybercriminals’ methods are too. Banks and credit unions that fail to update software and hardware forgo security enhancements and open their organizations to serious risk.
Lack of Data Processes: A proper data management strategy prevents bottlenecks, silos, redundancies, and improper system integration. Without that strategy, banks and credit unions risk data exposure, data manipulation and potential violations of data regulation, which can all lead to financial losses, as well as trust and reputational damage.
Compliance Challenges: The more access that employees have to data and the more locations they access it from, the greater the risk of compliance failures. When compliance requirements aren’t updated or employee training is insufficient, compliance lapses are almost inevitable.
Tools to Facilitate a Data-on-the-Move Strategy
Given all the risks involved, it makes sense to implement a plan to safeguard data at every point — with particular attention to data on the move. Addressing security weaknesses is easier and cheaper than recovering from a breach.
Here are four technology tools to facilitate a strategy that’s robust and resilient.
1. Enterprise Mobility Management (EMM)
One solution for securing mobile devices, whether they are bank-owned or not, is enterprise mobility management, or EMM. This is a set of tools and processes that prevents unauthorized access to corporate data and enterprise applications while still allowing employees to be more mobile.
When selecting an EMM solution, look for one that supports a wide range of mobile devices and operating systems. It should be able to manage smartphones, tablets and other mobile devices, and it should offer a platform with a single view of all the endpoint devices. It should also include a combination of mobile device management, mobile application management and mobile identity management.
2. Cloud Access Security Broker (CASB)
Banks and credit unions are increasingly embracing managed and unmanaged cloud-based applications. This sometimes puts data outside a firewall.
Devices are also moving outside corporate control. For example, some companies allow employees to use their own devices for work — which is called “bring your own device,” or BYOD. Such devices connecting over a public network to a bank or credit union’s Office 365 create a security concern that a perimeter firewall cannot solve.
Besides that, a host firewall is only as secure as the operating system it is installed on. Many personal-computer operating systems have known weaknesses, so financial institutions need to check the operating system on each employee device before relying on a firewall installed there.
A cloud access security broker, or CASB, is a security policy enforcement point that can help. CASBs operate when a cloud service consumer uses a resource, such as a CRM tool or accounting program, from a cloud service provider.
In such cases, CASBs interject a variety of enterprise security policies, such as authentication, authorization, and malware detection, among many others, into the process. Working through proxies and APIs (proxies sit inline with the data on the move, while the APIs scan and secure the data in the back end), CASBs make sure all the data moving back and forth is safe.
When investing in a CASB, leaders should ensure, at bare minimum, that it helps their bank or credit union do the following:
- Gain visibility into cloud usage and data activities, so you can see sanctioned and unsanctioned apps and curb shadow IT.
- Implement zero-trust policies across all users, apps, and devices — inside or outside your network — that authenticate, authorize, and validate users before they get access to applications and data.
- Implement and centralize access controls. These limit access to highly confidential data such as passwords or PINs. Multi-factor authentication is one such access control that’s becoming increasingly common.
- Identify and protect sensitive data with data-loss prevention technology, or DLP. DLPs prevent people from sharing data they shouldn’t. Because data usage rules change quickly, employees may not know that emailing certain data outside their financial institution or uploading a file to a consumer cloud storage service like Dropbox, can put the organization at risk. DLPs stop this before it happens.
- Prevent malware from entering your apps.
- Create cloud security posture management policies. This is a fairly new type of security product that examines and compares a cloud environment against best practices and known security risks. In that way, these policies automate security and compliance in the cloud.
- Mitigate the risk of an unauthorized user downloading or sharing data governed by compliance.
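To make the DLP point above concrete, here is an added illustration (not code from the original article or from any CASB product) of the kind of outbound-content check a DLP engine performs: it scans a constructed sample email for the PII types the article names (card numbers, validated with a Luhn check, and Social Security numbers), logs only masked values, and returns a block decision. The regexes, sample text and field names are assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of an outbound email body (no real customer data).
SAMPLE_EMAIL = (
    "Hi, attaching the statement for member 4111 1111 1111 1111 "
    "and the tax form with SSN 078-05-1120. Thanks!"
)

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# SSN format, rejecting the area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    value: str  # masked: never log the full identifier


def scan_outbound(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("card", digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    return findings


def should_block(text: str) -> bool:
    """Policy decision: any confirmed PII finding blocks the send."""
    return bool(scan_outbound(text))
```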
3. Enterprise File Sync and Sharing (EFSS)
In any financial organization, large files and documents are constantly being shared. This should be done using a secure file transfer protocol (SFTP). But are all employees using SFTP to securely share and transfer files among themselves, customers and partners?
Or are they just using a combination of insecure methods, including email, flash drives, and commodity shares like Google Drive, Microsoft OneDrive, or Dropbox? If so, having a secure file management system can be challenging.
To curb this problem, an enterprise file sync and sharing system, or EFSS, will come in handy. An EFSS combines the convenience and simplicity of personal file-sharing services with enterprise-oriented file-sharing features, enhancing the IT department’s security and control.
EFSS services include:
- On-premises, hybrid, or cloud storage options.
- Secure authentication protocols and authorization policies.
- Granular access controls defining who can have access to which part of the system and what they can do.
- Remote wiping, device lock, passcode protection, and data expiration policies.
- Real-time tracking of user activity as well as auditing.
- Seamless integration with enterprise directory services, which simplifies authentication and user provisioning.
- Uploading and downloading restrictions and file expiration dates.
When searching for an EFSS, make sure it offers SFTP-based file transfer services and cloud transfer via HTTPS. It should also integrate with different applications and have a detailed library of application programming interfaces that can be used to develop custom applications.
4. Data Access Control
As data is accessed by more users — including sensitive data such as financial and personal identification information — there are specific privacy, security, governance, and compliance requirements that need to be met.
This becomes resource-intensive: More requirements are put in place, and data is stored in a distributed way across databases, data warehouses and data lakes.
A data access control service helps manage this by allowing an institution to:
- Discover and protect sensitive data on an ongoing basis.
- Apply role-based access control (RBAC) and attribute-based access control (ABAC) across all data stores.
- Enforce a need-to-know data access strategy.
- Enable just-in-time and temporary data access to significantly reduce the risks of data exposure.
- Maintain a centralized detailed access log repository.
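The list above describes what a data access control service decides; the following added example (not code from the article or from any vendor) shows those decisions in one small policy engine: RBAC from a role-to-permission table, an ABAC clearance check against each store's sensitivity, a just-in-time grant that expires, and a centralized audit log of every decision. Roles, stores, sensitivity levels and field names are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed RBAC table: role -> data store -> allowed actions (hypothetical).
ROLE_PERMS = {
    "fraud_analyst": {"transactions": {"read"}},
    "support_agent": {"customer_profile": {"read"}},
}
# Constructed ABAC attribute: the clearance a requester needs for each store.
STORE_SENSITIVITY = {"transactions": 2, "customer_profile": 3}


@dataclass
class Grant:
    """Just-in-time, temporary access to one store/action for one user."""
    user: str
    store: str
    action: str
    expires: datetime


@dataclass
class AccessControl:
    grants: list[Grant] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)  # centralized log

    def grant_jit(self, user: str, store: str, action: str, minutes: int, now: datetime) -> None:
        self.grants.append(Grant(user, store, action, now + timedelta(minutes=minutes)))

    def decide(self, user: str, roles: list[str], clearance: int,
               store: str, action: str, now: datetime) -> bool:
        # RBAC: does any assigned role permit this action on this store?
        rbac = any(action in ROLE_PERMS.get(r, {}).get(store, set()) for r in roles)
        # JIT: an unexpired temporary grant satisfies need-to-know instead of a role.
        jit = any(g.user == user and g.store == store and g.action == action
                  and g.expires > now for g in self.grants)
        # ABAC: the requester's clearance attribute must meet the store's sensitivity.
        abac = clearance >= STORE_SENSITIVITY.get(store, 0)
        allowed = (rbac or jit) and abac
        # Every decision, allowed or denied, lands in the central audit log.
        self.audit_log.append({"ts": now.isoformat(), "user": user, "store": store,
                               "action": action, "allowed": allowed,
                               "via": "rbac" if rbac else ("jit" if jit else "none")})
        return allowed
```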
Staying Competitive and Compliant with Strong Data Management
The challenge banks and credit unions face in facilitating access to data for their employees — while keeping out bad actors — cannot be overstated. They have to be on constant alert for potential weaknesses, and any time data transitions from at rest to in use, moving between systems, is a known trouble spot.
Taking the time to design and implement a plan to protect data on the move — and selecting the right tools to do the job — will help institutions stay competitive and compliant.
About the author:
Ben Herzberg is the chief scientist and vice president of marketing at Satori, a data security firm specializing in the financial services, healthcare and technology industries.