If your home has ever been burglarized, you know the unnerving feeling of being violated and how the experience can haunt you for a long time.
Obviously, locks and bolts are only as strong as the door and the frame they’re fitted to. This is also true of the security posture of financial institutions. Outdated software applications, misconfigured devices, and ineffective security policies are much like the weak or rotten woodwork framing the door of your home.
In the same way that you would check your home’s door frames and replace any rotten wood, you should check your institution’s operating systems, network devices and configurations for weaknesses and vulnerabilities. In the absolute sense, it’s the rare security product that will stop any type of breach. After all, bank security is about risk mitigation, not absolute safety from bad things happening.
So, what are the odds of a security breach at your institution? Today, the United States banking industry has about 9,100 commercial banks along with approximately 1,800 thrifts worth about $520 billion. If we consider bank robberies alone, close to 6,000 banks were robbed in 2008. That translates to 60-66% – or six out of every 10 banks. Twelve percent of the loot, representing nearly $6.5B, was never recovered. That’s an example of physical bank security; but what about data security?
The Identity Theft Resource Center’s 2008 breach report reached 656 reported data breaches at the end of 2008, reflecting an increase of 47% over 2007. Reports of data breaches are expected to increase in 2009. As of early March 2009, there were already more than 100 reported cases.
While there still are major problem areas, there is good news. Tools that mitigate the risk have become more sophisticated and more affordable.
Securing your financial institution from unauthorized access is paramount. Don’t expect to put a check mark next to data security and say “done”. This is an ongoing process, and will require management and monitoring as part of your compliance initiatives. The best method for maintaining the security of your information systems is to perform external and internal vulnerability risk assessments, and find your weaknesses with testing.
These assessments identify vulnerabilities that allow outside, untrusted networks to gain access to internal, trusted networks & systems. They also identify the steps you must take to thwart intentional attacks or unintentional mistakes from trusted internal users & systems.
With a detailed evaluation of the current state of your network security, you can get a clear picture of your security strengths and vulnerabilities, and develop a detailed plan for more effectively protecting your institution.
It’s not such a bad idea to do the same for your home. But that’s a topic for another blog.