
Data Breach Survival Guide - Top Tips

Thanks to Bank Technology News for this thoughtful content.

When it comes to battling data breaches, banks (and other organizations) would be well served by thinking small.

That doesn't mean the problem is shrinking - quite the contrary. Recent research from Verizon and the U.S. Secret Service says the number of enterprise data breaches is at its highest point ever - more than 760 breaches were recorded by the Secret Service in the past year.

What is changing is the focus of cybercrooks, who are shifting tactics away from the sweeping Heartland-style breach of years past and toward smaller, more tactical attacks that are harder to spot and counter. The study conducted by Verizon and the Secret Service said that only 3% of the breaches they looked at could have been avoided without difficult or costly corrective action.

One of the most recent bank victims is Citigroup, which in August reported a pair of data breaches. One exposed more than 92,000 customers in its Japanese card unit, when a person affiliated with an outsourcer illegally obtained inside information for a third party. But there was a bright spot to this unwelcome episode. Citigroup said that personal identification numbers were protected, so unauthorized use of the personal data to commit card fraud was unlikely.

A second incident followed later in the month in which Citigroup was tied to a breach at a retail chain, an incident in which Bank of America was also victimized.

Each Breach a New Black Eye

Citigroup is just one of a number of major financial institutions and firms outside of financial services to suffer data breaches in the past year, with targets ranging from other large banks such as Capital One, to retailers such as Michaels Stores, and government institutions as large as the U.S. Senate.

Each breach is a new black eye, giving assailants access to internal systems where they can attach malware, find additional weaknesses to exploit, obtain information for whistle-blowing campaigns, or launch phishing attacks that dupe consumers and staff into turning over even more sensitive information.

And leaks are particularly vexing since they're very easy to cause - a simple emailed attachment to an employee's home PC or mobile device, and a subsequent return email, can mistakenly compromise the PC, the attachment and the bank itself.

But there are things banks can and should do to make a major dent in the problem. "If you're running a data center, you're running a business, and protecting that business is a fundamental task," says Michael Versace, global risk director of IDC Financial Insights.

Top Strategic Moves for Banks and Other Businesses

BTN polled a range of bankers, technology providers and analysts who revealed 10 of the biggest strategic moves a bank can make to protect itself. In most cases - such as dual authentication, access controls and document tracking - the technology requires an investment but is already widely available. And in other cases, the moves are cultural in nature and pose minimal cost for a financial institution.

The following are some top suggestions from experts representing financial institutions, technology providers and the analyst community. For details around each tip, please download the PDF by clicking the PDF button at top right.

  • Create a cross-channel data protection plan.
  • Curb employees' web surfing.
  • Get human resources and risk management involved.
  • Deploy stronger authentication.
  • Consider virtualization.
  • Try to protect data on remote devices and emailed documents.
  • Reform entitlements.
  • Develop a dashboard for breaches and other incidents.
  • Suspect the worst (and try to find it).
  • Monitor data in transit.
  • Don't boast about your security.

SECNAP NOTE: We’d like to add a word about the importance of actively monitoring your network intrusion detection and prevention system on a 24/7/365 basis to investigate highly suspicious activity. Active monitoring is the cornerstone to a truly effective IDPS and has been called the ‘missing link’ in effective network security.

 