Rafe Pilling, Principal Consultant, Dell SecureWorks, discusses compliance and security in the finance industry
In the face of ever increasing security threats, banks and credit unions need to be vigilant in order to ensure data stays safe. They have a responsibility to demonstrate sufficient security so customers and members are confident their funds are protected. Public trust in financial institutions is low in the wake of the fiscal crisis, and it would be wise for banks to do all they can to demonstrate a thorough approach to compliance and security.
Banks and credit unions must deal with threats from hackers and other security issues on a daily basis, and all financial institutions must now adhere to compliance rules and regulations that govern how they handle security. However, compliant doesn’t necessarily mean secure. If banks and credit unions simply take a ‘tick in the box’ approach to compliance, they will only be covering the basics and risking overall security in the process. There are steps they can take in order to protect themselves, create a culture of best practice in relation to security, and achieve compliance with ease.
Approaching the complexity of compliance
While compliance is of the utmost importance, businesses shouldn’t view it as a series of steps to be completed in order to pass an audit. Compliance audits should be viewed as a tool to help banks improve, not the flagship of security. Companies that are successful are the ones that embrace compliance and view it as part of an overall security improvement process.
Being both compliant and secure is an on-going, day-to-day process and most businesses fall down at the same point: coping with the blizzard of data. Banks and credit unions need to know where all their data is, who has access to it, and who’s making changes to it at all times. Doing this will help to address security challenges and simplify the complexity of compliance.
Becoming compliant doesn’t always mean implementing a host of new technology – it’s very important to improve processes not only by undertaking vulnerability assessments of your infrastructure but also by testing your employees too. Creating awareness among team members about how they can avoid inadvertently exposing their company to risks is key. Many aspects of compliance are commonplace security procedures, and as such should already be followed by financial institutions and their employees. It should be a process of constantly trying to improve and creating better processes all the time.
Compliance in finance
Banks and credit unions are facing an ever increasing volume of checks and compliance procedures. There’s a danger that the amount of time spent preparing for audits and compliance checks outstrips the time spent on defining and implementing appropriate security strategies. This shouldn’t be the case for the security of any financial institution. Good security will pass compliance checks if it’s a robust policy.
It’s important to monitor security on a regular basis, as opposed to trying to cover all security bases in one check right before a compliance audit. For larger banks facing continuous threats, this will need to be multiple times a day, but a lower frequency for smaller credit unions should suffice.
Every bank and credit union should tailor security processes to their specific circumstances, market sector and customers. For example, the Payment Card Industry Data Security Standard (PCI DSS) guidelines have been put in place for any merchant who holds or handles card data.
The PCI DSS guidelines have been in place for seven years; however, compliance levels are still patchy across Europe. Version 2 of the guidelines was implemented in January 2012, having been updated to emphasise a people, process and technology approach to PCI compliance. This formalises the three elements involved in achieving successful compliance. Technology aspects include ensuring the appropriate level of encryption is in place and that anti-virus software is up to date: doing the basics well. In terms of people, it’s a case of educating employees and ensuring they are aware what the processes are, how to use the technology, and how to avoid unnecessary risks. Improving security processes means examining how day-to-day operations run: considering how data is handled, who has access to what information, and what checks are in place.
The basis of successful security is the same in any sector and it involves monitoring on a day-to-day basis. If an organisation commits to investing in processes, people and technology, then achieving and maintaining compliance will be a much smoother ride.
Develop an individual plan
All financial institutions are a target of malicious attacks and it’s important to understand the specific threats individual banks and credit unions face, and where the risks originate. Previously, only the largest organisations were under threat, however hackers now undertake sustained attacks on companies of all sizes. Build a picture of the security landscape specific to your organisation, and this will help implement the right controls to achieve both security and compliance.
As already discussed, compliance doesn’t mean new technology, and the same can be said for cost. Throwing money into security isn’t going to solve any problems. By having a clear idea of the security and threat landscape specific to one bank or credit union, it will be possible to see where the focus needs to be, and you can direct IT spend to those specific areas of the business.
An approach which will make your security more robust and save money is the implementation of a tiered access system on a network. In most organisations, only certain parts of the network need the highest level of security, and not everyone in the organisation will need access everywhere. By limiting the number of people who can gain access to information, it will save time and money and improve security processes.
So, does compliant necessarily mean secure? Standards put in place such as PCI DSS are meant to ensure data handling is secure, however if businesses simply take a tick box approach, adhering to the compliance rules doesn’t automatically translate into a secure environment.
Banks and credit unions need to ensure each and every process they follow strictly adheres to security standards. Take a high level look at what the situation is, and where your business wants to be; then spend money in areas which really make a difference to the security of your business.
Organisations with strong security have clear ownership of the different elements that make up a solid security structure. Businesses that just follow the compliance route will find they spend a lot of money and aren’t as secure as they could be. There are tools to help credit unions and banks map all the relevant regulations for their industry and sector, and by making use of these tools, financial institutions will significantly lessen the compliance load.
Banks and credit unions need to take a security approach to compliance, not a compliance approach to security. Compliance shouldn’t be the end goal – it should be viewed as a tool to improve and used as a route to a comprehensive, robust security solution, thus delivering real value to the business.