by Rebecca Hellman, Director of Marketing, FCTI Inc.
Since the introduction of the personal computer, one truth has remained constant — technology is always changing. In fact, technological developments have begun to significantly outgrow many businesses abilities to effectively incorporate and utilize them efficiently and effectively.
Greg Layok, managing director of the technology practice at West Monroe, a research and consulting firm, said that simply investing in technology does not automatically lead to success. “You have to create a culture of experimentation where failing fast is encouraged and the business and technology work as one team.”
For financial institutions, the risks of playing fast and loose with the latest tech could place something more precious at risk than mere profits — account holder identities. It is for this very reason that a majority of FIs (82 percent) store less than half of their data in a cloud, selecting instead to invest heavily in their own infrastructures.
But concern for security does not have to hamstring innovation. With the right training, tools and partners in place for managing potential vulnerabilities, new technologies need merely follow the appropriate guidelines to ensure they fall within the security landscape.
Keeping up with security
“Prevention, not reaction” is a standard maxim for security experts across industries. However, even preventative measures need consistent revision and updating. Fortunately, there are key areas of focus that can help FIs manage their complete security landscape.
Employees are any business’s greatest asset … or its greatest weakness. Properly motivating employees to follow security protocols and manage risks to data is an ongoing battle. Contrary to popular perceptions and literature, rewards programs are not effective when it comes to combating apathy and inspiring security awareness. A 2007 study from the Association of Information Systems, The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines, found motivation to implement and follow security measures hinges on both the employee’s computer efficacy as well as the regular emphasis created by management personnel.
Employees should be provided with regular training on security protocols, and with coaching by their supervisors on the importance and reasoning behind security measures.
Training should also include the appropriate operation of systems, programs and equipment used within the FI in order to consistently increase computer efficacy. As noted in the AIS study, individuals who feel more confident in utilizing technology to complete their work are more likely to take precautions with it.
Data security has spawned an entire industry. But not all tools will work for every business. Said Christoph Schell, president for the Americas at HP Inc.: “The truth is, if you have 500 employees, it is easier to have one secure cloud structure than it is to secure 500 laptops.”
Fortunately, a “cloud” does not have to be a third-party hosted server. Investment in FI local servers can help keep a secure, centrally located setup that reduces the risks of individual equipment being overlooked.
In addition to a secure central component, it is important to select hardware and software that is designed to help combat ongoing threat developments. Windows 10, for instance, is one of the first operating systems that incorporates a built-in firewall and security scan system. Combining a similar front-end security program with a backend firewall or suite of software (or both) to target phishing attacks, ransomware, and other common vulnerabilities can significantly bolster internal data protections.
But financial institution hardware is not limited to computers. ATMs are also a potential vulnerable point of attack.
“We’re seeing a rise in well-funded hacker rings and digital thieves creating more complex and subtle ways to break into bank networks or directly into ATMs,” said Bernd Redecker, Diebold Nixdorf director of corporate security and fraud management. “To counter this evolution, financial institutions need to adopt a multi-layered approach to protect their network.”
Some IT departments might be tempted to treat the ATM channel as additional computer components, but these machines are often unattended and running at all hours of the day and night. Their general functionality as well as their regular exposure to a multitude of users makes them wholly unique. As such, ATMs require a more in-depth security program requiring a combination of tactics including intensive program whitelisting and blacklisting, and connectivity limitations.
“A holistic approach provides back-up protection in case of an attack,” said Redecker, “and it ensures the network is protected no matter what form the attack takes, whether it’s physical, logical, or a fraud attack.”
When it comes to ensuring security, the right partner can make all the difference. Whether it is to provide additional security technology, test for vulnerabilities, or streamline security for operations, financial institutions have a variety of options available to best fit their needs. In fact, experts recommend outsourcing 24/7 needs that are not “mission critical” in order to deliver better uptimes, security and monitoring.
However, just like with any vendor selection, it is important to thoroughly vet any potential partner. In addition to standard federal oversight regulations, FIs should make sure to check references and reputation and hold open conversations regarding any partner’s security plans, implementation, and best practices.
While security is a major and ongoing concern for FIs, it does not have to hinder technological innovation. Implementation of appropriate training, tools, and partnerships has the capacity not only to increase overall security levels, but also to help future-proof for new and improved software, hardware, and consumer preferences.