Best practices for preventing bank breaches
It's no surprise that banks are a highly lucrative target for cybercriminals. After all, if you're a hacker scoping out your next victim, wouldn't you want to choose something that gives you the most direct access to money?
"Banks are prime targets for hackers - and they need to institute better defenses."
As of November 3, there have been more than five million records breached so far this year within banking/credit/financial organizations, according to data compiled by the Identity Theft Resource Center. While one might think that only big banks are the targets, this is hardly the case.
Sure, hacks like the JP Morgan incident — which led to U.S. authorities getting involved and arresting five suspects — are bound to get the most traction in the news. But in fact, hackers are looking to attack banks and credit unions operating at any scale.
Hawaii First Federal Credit Union: At the beginning of September, SC Magazine reported that Hawaii First Federal Credit Union had experienced a likely breach due to an employee's email account being accessed by an unauthorized person. Unfortunately, the access to this individual's email account meant that data like customer names, bank account numbers and even Social Security numbers were potentially compromised. If a hacker has access to these three data points, he or she can use them to assume someone's identity, which can lead to even greater consequences.
For Hawaii First Federal Credit Union, the attack prompted a quick response, although the bank was not able to disclose how many records were potentially compromised. Still, as SC Magazine reported, the credit union immediately took steps to ensure that the hacker was removed from the compromised email account in question and that passwords were changed as a result. But while those measures are important, the entire incident raises the question of why an email-based hack happened in the first place. For a credit union, one would hope that its email network is suitably guarded with top-tier identity-vetting tools. After all, email represents one of the first places that hackers will look to attack, so it's an arena that banks need to be sure to defend. Evidently, though, Hawaii First's email security was not up to par, given that it was hacked.
Woodbury Financial Services: Based in Saint Paul, MN, Woodbury Financial serves a client base that extends to other states. On July 27, Joseph Foster — attorney general of New Hampshire — received a notification from Woodbury that a breach had occurred. Foster was the one to receive the letter because the data that had been compromised belonged to residents of New Hampshire. As the letter explained, the attack had occurred due to a phishing scheme. While the Hawaii First hack stemmed from a single compromised email account, the Woodbury incident involved a single laptop. The hacker was able to access this laptop — which belonged to a Woodbury representative — thanks to the success of his or her phishing scheme. As with the Hawaii First hack, Social Security data for customers was compromised.
To its credit, Woodbury responded to the incident promptly by not only reaching out to potentially impacted individuals, but also by giving these individuals two years of free credit monitoring. This has become standard practice for enterprise breach remediation as it relates to impacted consumers. Still, just as with the Hawaii First hack, the question of why the Woodbury incident happened in the first place is bound to arise, and it could even be the kind of question that deters patrons from continuing their business with the institution. Although phishing attacks are widespread and affect many individuals and businesses, they are relatively straightforward to prevent with anti-phishing solutions.
Time for banks to step up security
As recent bank hacking incidents have illustrated, these institutions represent top targets for cybercriminals. For that reason, better cyber defenses for banks are required across the board.
Here are some of the security steps that banks absolutely need to take:
Guard email: As the Hawaii First Federal incident illustrated, an email hack provides a window for a hacker into a potentially huge repository of privileged patron data. Yet all too often, enterprises don't do the work required to ensure that email security is up to par. With an ever-expanding sphere of phishing-based attacks, the time is now to change that. Fortunately, banks won't need to worry about that being a massive undertaking: With a secure email tool, banks can ensure that they reach an optimal level of email security without having to concern themselves with a cumbersome infrastructure change.
Implement cutting-edge fraud detection: As a bank, you do not want to be caught off guard with instances of fraud. Instead, you want to stop those events dead in their tracks. With fraud detection centered around behavior-based solutions, you can. One example of such a solution is Entrust TransactionGuard. This resource functions as the ultimate fraud fighter, employing an integrated framework that allows financial institutions to keep track of transactions in a multi-channel/application environment. TransactionGuard's ability to seamlessly integrate into complex business environments is what makes it a tool that's so well-suited for the banking network security needs of today.
Make sure mobile security is up to speed as well: In the race toward better bank network security, there is one facet that must not be overlooked: mobility. Just consider how many people rely on mobile apps to conduct their day-to-day banking. Financial institutions have a responsibility not just to provide mobile solutions to customers, but also to secure these solutions. That's why mobile security is an indispensable part of overall financial institution protection. A good banking mobile security strategy will address several key factors, including:
Providing app protection to all customers using the bank's application.
Monitoring transactions and other activity to ensure that nothing is happening to suggest a malicious individual has access to the device.
Training bank employees who use their mobile devices in the fundamentals of device security.
Additionally, mobile devices can serve as a means of enhancing security if banks make the right move and deploy mobile devices as authenticators for customers and staffers. This can be done via the Entrust IdentityGuard Mobile Smart Credential.
Banks and credit unions operating at every level need to realize that they are a prime target for hackers and act accordingly. Entrust's financial institution-based cybersecurity solutions offer these enterprises the best line of defense against hackers. Contact us today to learn more.