Since the introduction of the personal computer, one truth has remained constant – technology is always changing. In fact, technological developments have begun to significantly outpace many businesses' ability to incorporate and use them effectively.
Greg Layok, managing director of the Technology practice at West Monroe, a research and consulting firm, notes that simply investing in technology does not automatically lead to success. “You have to create a culture of experimentation where failing fast is encouraged and the business and technology work as one team.”
For financial institutions (FIs), playing too fast and loose with the latest tech could place something more precious than mere profits at risk – their account holders’ identities. It is for this very reason that a majority of FIs (82%) store less than half of their data in a cloud, selecting instead to invest heavily in their own infrastructures. But concern for security does not have to hamstring innovation. With the right training, tools, and partners in place for managing potential vulnerabilities, new technologies need merely follow the appropriate guidelines to ensure they fall within the security landscape.
Keeping Up with Security
"Prevention, not reaction" is a standard maxim for security experts across industries. However, even preventative measures need consistent revision and updating. Fortunately, there are key areas of focus which can help FIs manage their complete security landscape.
Employees are any business’s greatest asset…or greatest weakness. Properly motivating employees to follow security protocols and manage risks to data is an ongoing battle. Contrary to popular perceptions and literature, rewards programs are not effective when it comes to combatting apathy and inspiring security awareness. A 2007 study from the Association of Information Systems (AIS), The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines, found that motivation to implement and follow security measures hinges on both the employee’s computer efficacy and the regular emphasis created by management personnel.
Employees should be provided regular training on security protocols, and their supervisors should reinforce the importance of and reasoning behind security measures. Training should also include the appropriate use of systems, programs, and equipment utilized within the FI in order to consistently increase computer efficacy. As noted in the AIS study, individuals who feel more confident in utilizing technology to complete their work are more likely to take precautions with technology.
Data security has spawned an entire industry. But not all tools will work for every business. “The truth is,” says Christoph Schell, president, Americas, HP Inc., “if you have 500 employees, it is easier to have one secure cloud structure than it is to secure 500 laptops.” Fortunately, a “cloud” does not have to be a third-party hosted server. Investment in FI local servers can help keep a secure, centrally located setup that reduces the risks of individual equipment being overlooked.
In addition to a secure central component, it is important to select hardware and software that is designed to help combat ongoing threat developments. Windows 10, for instance, is one of the first operating systems that incorporates a built-in firewall and security scan system. Combining a similar front-end security program with a back-end firewall and/or suite of software to target phishing attacks, ransomware, and other common vulnerabilities can significantly bolster internal data protections.
But financial institution hardware is not limited to computers. ATMs are also a potentially vulnerable point of attack. “We’re seeing a rise in well-funded hacker rings and digital thieves creating more complex and subtle ways to break into bank networks or directly into ATMs,” said Bernd Redecker, director of Corporate Security and Fraud Management for Diebold Nixdorf. “To counter this evolution, financial institutions need to adopt a multi-layered approach to protect their network.”
While many IT departments may be tempted to treat the ATM channel as additional computer components, these machines are often unattended and running at all hours of the day and night. Their general functionality, together with their regular exposure to a multitude of users, makes them wholly unique. As such, ATMs require a more in-depth security program that combines tactics including intensive program white-listing/black-listing and connectivity limitations.
“A holistic approach provides back-up protection in case of an attack,” said Redecker, “and it ensures the network is protected no matter what form the attack takes, whether it’s physical, logical, or a fraud attack.”
When it comes to ensuring security, the right partner can make all the difference. Whether it is to provide additional security technology, test for vulnerabilities, or streamline security for operations, financial institutions have a variety of options available to best fit their needs. In fact, experts recommend outsourcing 24/7 needs that are not “mission critical” in order to deliver better uptimes, security and monitoring.
However, just as with any vendor selection, it is important to thoroughly vet any potential partner. In addition to standard federal oversight regulations, FIs should make sure to check references and reputation and hold open conversations regarding any partner’s security plans, implementation, and best practices.
While security is a major and ongoing concern for FIs, it does not have to hinder technological innovation. Implementation of appropriate training, tools, and partnerships can not only increase overall security levels but also help future-proof for new and improved software, hardware, and consumer preferences.