Banks and financial institutions are on edge about data security, largely because the media keep reporting data breaches in the financial sector. The year 2015 saw several such breaches, and the one that grabbed the most attention was JPMorgan becoming the chief victim of one of the biggest bank breaches in history.
According to the Wall Street Journal, hackers intruded into JPMorgan's network and took hold of contact and payment information for some 3,500 customers. When the FBI probed the case, it proved to be part of one of the biggest orchestrated computer hacking crimes on record, running from approximately 2012 to mid 2015.
Against that background, until as recently as a year ago banks would not even admit to using cloud applications, citing growing data security concerns. Today the truth is out: on average, financial institutions use 690 cloud apps per enterprise, and 91 percent of those apps do not meet critical security standards.
So, does this mean that these institutions are ignoring security controls and indirectly leaving back doors open for hackers and ransomware operators?
Truthfully, yes, to a certain extent. Only recently, after a string of breaches and threats in the media, did financial institutions like banks begin to scratch the surface of locating the sensitive data held in these cloud apps, most of which are offered by aggregators. It was discovered that for every 100 files scanned in sanctioned cloud storage and file sharing applications, six contain previously unknown sensitive data, including personally identifiable information (PII), payment card industry (PCI) data and protected health information (PHI).
Externally, banks are under heavy pressure to satisfy a growing customer appetite for the speed and convenience that apps, especially mobile ones, bring to banking. With 52 percent of smartphone owners performing at least one mobile banking transaction last year, the demand is clearly there.
That said, 45 percent of financial institutions were the target of an economic crime last year (the average across all industries is 34 percent), and 11 percent of Android-based banking apps are suspicious or contain malware.
Banks know that the likelihood of a security incident is heightened for their industry, and they also know that they bear the risk should things go wrong. If financial institutions are still trying to understand their own internal data risks, how can they possibly get comfortable with aggregators, such as the well known Mint.com, accessing account holders' data?
The next logical question is how secure the aggregators themselves are.
According to Gartner, 94 percent of finance and accounting apps are not enterprise-ready in terms of security, compliance and privacy, meaning they score below 65 out of 100, or are rated "medium" or lower.
The research firm also looked at several aggregator examples and identified some common security and compliance issues, listed below:
- Lack of an audit trail and of business continuity when disaster strikes: with limited or no auditing of user or data access, banks and financial institutions will find it difficult to reconstruct an audit trail in the event of a security breach or data compromise. In the absence of critical business continuity features, ensuring uptime during a disaster will also be very tough.
- The encryption dilemma: in many banking data environments, data at rest and data in the cloud are not encrypted at all, because encryption is sorely lacking in many aggregator apps. Where encryption does exist, banks need to know and accept that the data is encrypted with the aggregator's keys, not their own, which is equivalent to making the aggregator, and not the bank, responsible for data security. In reality, though, no aggregator accepts that responsibility.
- Skipping multi-factor authentication: some aggregators do not offer multi-factor authentication, especially for transactions made through phone or online banking. This makes user accounts more susceptible to compromise, which puts the bank at heightened risk of inappropriate data access or breach. Here too, the blame lies at the aggregator's end.
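As an added illustration of the key-ownership point in the encryption item above (example code written for this page, not DNF's or any aggregator's own implementation), the following Python models envelope encryption in which the bank, not the aggregator, holds the key-encryption key (KEK). The aggregator stores each record's ciphertext next to a data-encryption key (DEK) wrapped by the bank, so the aggregator's own key recovers nothing, and every unwrap request leaves the bank with its own access log, which also speaks to the audit-trail gap in the first item. The cipher is a standard-library-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the script runs without third-party packages; a real deployment would use AES-GCM from a vetted library or a cloud KMS. The class names, record IDs and sample record are assumptions constructed for the example.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real block cipher."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Encrypt-then-MAC. aad (here the record id) is bound to the tag but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, box: dict, aad: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified record is rejected before decryption."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, aad + box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(enc_key, box["nonce"], len(box["ct"]))))


class BankKeyService:
    """The bank's side: holds the KEK, never exports it, and logs every unwrap."""

    def __init__(self):
        self._kek = os.urandom(32)
        self.unwrap_log = []  # the bank's own audit trail, independent of the aggregator

    def wrap(self, dek: bytes, record_id: str) -> dict:
        return seal(self._kek, dek, record_id.encode())

    def unwrap(self, wrapped: dict, record_id: str, requester: str) -> bytes:
        dek = open_sealed(self._kek, wrapped, record_id.encode())
        self.unwrap_log.append((record_id, requester))
        return dek


class AggregatorStore:
    """The aggregator's side: ciphertext plus a bank-wrapped DEK, nothing it can read alone."""

    def __init__(self, bank: BankKeyService):
        self.bank = bank
        self.records = {}
        self._own_key = os.urandom(32)  # the aggregator's key; useless against bank-wrapped DEKs

    def put(self, record_id: str, plaintext: bytes) -> None:
        dek = os.urandom(32)  # fresh data-encryption key per record
        self.records[record_id] = {
            "data": seal(dek, plaintext, record_id.encode()),
            "wrapped_dek": self.bank.wrap(dek, record_id),
        }

    def get(self, record_id: str, requester: str) -> bytes:
        rec = self.records[record_id]
        dek = self.bank.unwrap(rec["wrapped_dek"], record_id, requester)
        return open_sealed(dek, rec["data"], record_id.encode())

    def read_without_bank(self, record_id: str) -> bytes:
        """What the aggregator, or whoever steals its storage and keys, can do on its own."""
        rec = self.records[record_id]
        dek = open_sealed(self._own_key, rec["wrapped_dek"], record_id.encode())  # raises ValueError
        return open_sealed(dek, rec["data"], record_id.encode())


def demo():
    bank = BankKeyService()
    store = AggregatorStore(bank)
    # Constructed sample record, not real customer data.
    store.put("acct-1001", b"name=J. Doe;pan=4111111111111111;balance=1234.56")
    plain = store.get("acct-1001", requester="mint-sync-job")
    try:
        store.read_without_bank("acct-1001")
        alone = "decrypted"
    except ValueError:
        alone = "refused"
    return plain, alone, list(bank.unwrap_log)


if __name__ == "__main__":
    print(demo())
```

With this split, the question "who read which account record, and when" is answered from the bank's `unwrap_log` rather than from whatever the aggregator chose to log, and cutting off a partner is a matter of the bank refusing further unwraps for it instead of hoping the aggregator deletes its copies.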
So, what’s the solution?
Banks that partner with aggregators need to know not just how secure the aggregators themselves are, but also whether and how those apps integrate with their ecosystem partners, and whether all those other apps have adequate security precautions.
In general, this is not an easy job, and it needs professional help, especially when it comes to data security.
DNF Corporation offers professional help to banks and financial institutions in evaluating their existing encryption strategy and policies. The process starts with gathering detailed asset information on your organization's hardware and software environment, its sensitive data, and its current security policy sets.
DNF will also help review the data security of services offered in the banking environment, including services offered by aggregators and third-party institutions that partner with the bank and operate within its ecosystem.
For more details, call 510.265.1122 or visit the DNF Corporation website.