Data breaches have increased by 400% during the Covid-19. The culture of Work from Home has been a major contributor to the increased instances of misuse – intentional and unintentional and exposure of confidential data. No organization is immune to such threats, but banks and financial institutions find themselves at a higher risk because first, they by virtue of business have to store personal and financial data of people, and second, they are answerable to the world’s strictest class of regulators (normally, the central banks). Remote working is now getting infused into the work culture and even banks and financial institutions or FIs cannot avoid it, so instead of stepping back, leaders are now focusing on adopting technology infrastructure that can make them immune against not only these vulnerabilities but also will help them to comply with relevant data security compliances.
What are the major threats that FIs face?
The threats can be broadly classified into intentional and unintentional. In intentional cases, the data is compromised knowingly by someone having the access to confidential data, whereas unintentional threats are the result of carelessness of the employees or flaws in the system that grants the opportunity to someone with evil intentions to steal the confidential data. While intentional breaches have been on the radar for a long time and multiple policies might be in place already, it is important to realize that getting help from IT experts is not very readily available to employees working from home. And, by the time employees realize that their personal device or home network has been compromised, it’s already too late. The damage is irreversible and may even lead to complications with FI’s license.
How to ensure maximum security while reaping the advantages of work from home culture?
Of late, more and more companies have BYOD (Bring Your Own Device)policy and providing secure access by use of dongles which help in connecting to virtual desktop running on central servers so that security is not compromised (e.g. copy-paste, download, etc. to their own device).
The usual security policies implemented by the IT team include encouraging the use of company-provided systems that have limited access to physical ports, restricted browsing access, continuous log generation, and state-of-the-art anti-malware applications. The age-long security protocols are important but no longer sufficient.
A shift has been observed where FIs have tweaked their process of vendor selection based on what additional security features do they offer. While the internal IT team has complete control over the underlying infra, they have limited control over how the 3rd party systems use and transmit the data.
The Basics: Single sign-on, strict password policies, user privilege and rights management, multifactor authentication, user-specific data sources, application activity auditing, etc., are now the must-haves.
Key security features that FIs should consider while evaluating any technology provider:
1. AppSec: Application Security is the process of finding, fixing, and preventing security vulnerabilities. Its final goal is to improve security practices. Any solution that a FI deploys should periodically be tested against the latest security methodologies, and also passed through specially designed tools.
2. Encrypted data storage and transmission: AES and SHA are amongst many encryption algorithms which are highly secure. Encrypted transmission of data prevents the threats of less secure home/public networks which are unavoidable in the work-from-home scenario.
3. Intelligent data handling: Abstraction at the level of data and documents is important. All consumption of data should be from a central location. In an ideal scenario, the documents should never be downloaded on local systems, instead, those should be rendered as a view within the application.
4. Support to latest versions of underlying software: The FIs are the first adopters of the latest technology platforms. These technology platforms further depend on underlying software including databases (like Oracle and MySQL), frameworks like (jQuery, Springboot and Apache), and other open-source libraries. It is important for the technology providers to be committed to adopting the security advancements of the latest versions.
By: Ajay Agarwal, Founder & Director, Servosys Solutions
