Why Financial Institutions Need Data Encryption Education
For industries across all verticals, falling victim to a data breach is considered the ultimate kiss of death. Aside from having to deal with the aftermath of a damaged reputation, the costs and labor required to clean up the mess aren't worth the risk of turning a blind eye to better security.
For financial institutions in particular, government and industry mandates are a major driving force behind the need to better protect an organization's data, both corporate and customer. There are steps these companies can take to protect their data and prevent a targeted data breach.
A number of major players in the financial space have been working to fight back against these attackers. Since 2004, leading brands like American Express, JCB International, Discover Financial Services, Visa Inc. and MasterCard Worldwide have formed the Payment Card Industry Security Standards Council; working together, this group has agreed to incorporate the Payment Card Industry Data Security Standard (PCI DSS) as a technical requirement for each of their data security and compliance programs. These requirements include implementing strong access control measures, regularly monitoring and testing networks, and protecting cardholder data.
While a program based on PCI DSS is a start, there are still a number of steps that financial institutions can take in the fight against malicious hackers, and one step in particular involves encryption. A lot of banks assume that if hackers aren't actively trying to access financial data, that data is safe. Unfortunately, this assumption is a common mistake that needs to be addressed. Financial information stored on a device (think laptop or mobile phone) is often overlooked because users assume (yes, there's that word again) that the data is protected; hackers can still get into a system and access confidential financial information. The only way to avoid this issue is by encrypting data while it is at rest. Encrypting data at rest means that if a device is stolen, even by the most advanced hacker, the information on that device is out of harm's way.
Financial institutions such as banks and credit unions must be able to trace the path of personally identifiable information, or "PII." Solutions like sniffer tools or network traffic monitoring software can allow these organizations to locate data in flight and know exactly where each piece of information has been on its way to an end-point destination. These tools can also tell whether or not certain pieces of information were actually encrypted during transmission, ultimately allowing an IT administrator to know there is a potential threat before that data has even been accessed. They can also report which specific network devices are storing PII at any point in time. With this knowledge, the institution can make the appropriate security adjustments based on potential threats, keeping employees and customers out of harm's way.
When it comes to encryption, financial institutions must make sure they have a policy in place that is not only mandatory but also manageable. These organizations are constantly adjusting their security standards, so it is imperative that those adjustments can be easily controlled. Technically speaking, this kind of policy should include the use of encryption with keys of at least 128 bits (or stronger) as well as multiple rounds of testing before the policy is ever implemented. IT professionals within the organization should audit a sample of systems post-deployment. Role-based controls are also a must when executing this type of security platform: only individuals in certain roles within the organization should be able to make these sorts of adjustments or control these pieces of highly sensitive information. Consistent and on-going audits are also always recommended to make sure that the highest level of data security and the most up-to-date encryption policies are being enforced.
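As an added example (not the author's or WinMagic's code) tying together the two technical points above, encrypting stored data at rest and refusing any key below the 128-bit policy floor, here is a small Go routine built on the standard library's AES-GCM; the record layout (nonce prepended to ciphertext) and the function names are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// MinKeyBits is the policy floor from the article: keys of at least 128 bits.
const MinKeyBits = 128
var ErrWeakKey = errors.New("key shorter than the 128-bit policy minimum")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES accepts 16, 24 or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record for storage at rest with AES-GCM, refusing any key
// below the policy minimum before it ever reaches the cipher.
func Seal(key, plaintext []byte) ([]byte, error) {
	if len(key)*8 < MinKeyBits {
		return nil, ErrWeakKey
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended so the stored record is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored record; GCM's tag check fails closed if the bytes
// on disk were altered, so a stolen-and-tampered device yields nothing.
func Open(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:n], record[n:], nil)
}
```

The post-deployment audit the article recommends can reuse the same length check: any configured key that `Seal` would reject is a policy violation worth flagging.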
No financial institution wants to deal with the reputational damage a data breach can bring, particularly given how painful and long-lasting the repercussions can be. When confidential information is lost—or even worse, stolen—all parties involved, whether employees within the organization or its customers, want the assurance that their private financial information is still well out of harm's way thanks to a strict data security policy.
Mark Hickman is chief operating officer of data security at WinMagic. He can be reached at 905-502-7000 or firstname.lastname@example.org.