Community banks and credit unions play a vital role in the country’s financial system. In the face of strong competition from larger banks, they seek to differentiate themselves by delivering a more personalised banking experience. At the same time, they face unique technology and information security challenges that affect their ability to compete and grow. Working with limited resources compared to their larger competitors, they must find simple and creative solutions to reduce risks, meet compliance requirements and safely embrace new technologies.
These days, customers expect their local banks to deliver their services above and beyond any large national brand bank – with a more personalized experience while also with the expectation that their personal data is secured and protected. As stated in a report from the Financial Services Information Sharing and Analysis Center’s Credit Union Council, “Customers are becoming increasingly aware of cybersecurity threats and they expect their banks and credit unions to secure and protect their private financial information.” Also, banks have validated this trend by reporting that losses due to operational disruption and losses in customer trust are more financially damaging than losses due to regulatory fines.
Community banks strive for security controls that measure up to those of their major competition, yet they face obvious resource constraints. As a recent Security Magazine report put it, “Although threats and risks are equal and agnostic, size does matter when it comes to resources financial organisations use to prepare for, and respond to, cybersecurity issues.
UNIQUE SECURITY CHALLENGES
As they seek to achieve security at scale, community banks face challenges in five key areas:
Third-party access: Smaller banks are often reliant on a network of partners, service and data providers. They need the means to isolate, protect and enforce third-party access routes, while limiting access only to approved applications, systems and environments – all without sacrificing flexibility. Attackers frequently exploit weak third-party connections, including access through IoT devices, to gain access to a bank’s network and start moving laterally.
Cost reduction: Finding business practices and technologies that enable cost savings is paramount to community banks. A juxtaposition to innovation, community banks always weigh cost savings as a factor in their IT and business initiatives.
Cybersecurity compliance: While community banks generally look to the FDIC for cybersecurity guidance, there are about 15 agencies on federal, state and local levels that impose additional cybersecurity requirements. Recent years have seen a number of high-profile cases in which criminals have compromised electronic funds transfer and payment systems, not by penetrating those systems themselves, but by gaining access through the client bank’s network. Therefore, third- party core banking service providers often include specific cybersecurity requirements in their contracts. Banks must figure out how to efficiently address these requirements and regulations.
Cloud migration and new technologies: Community banks and credit unions are looking to reduce their IT footprint and gain operational efficiency by moving their operational workloads to the cloud, often combining on-premise data centers with private or public clouds. They are further looking to create a differentiated digital customer experience with cutting edge technologies. In fact, cloud adoption has been the top ranked emerging technology, irrespective of organisational size, cybersecurity maturity or cybersecurity budget. Banks must be aware of and take measures to mitigate the security risks that accompany new technology adoption.
Breach mitigation: It’s no surprise that financial institutions are prime targets for cyber criminals, who are looking not only for easy money but also for the wealth of private information that customers entrust to their banks. Perimeter defenses are essential, but unfortunately, breaches have become business as usual. While a larger organization might be able to weather the storm after a breach, the fallout and reputational damage can be devastating to a community bank. In fact, an estimated 43% of breaches in 2019 targeted smaller organizations.
VISIBILITY AND SEGMENTATION ADDRESS KEY CHALLENGES IN COMMUNITY FINANCIAL INSTITUTIONS
The common theme running through these challenges is the need to separately secure critical application workloads and many of their third party provided applications and infrastructure – commonly referred to as segmentation. It allows community financial institutions to achieve security at scale by addressing several key requirements, while still moving at the speed with their business demands.
Secure cloud adoption: Lack of visibility into network traffic and digital assets can make the move to the cloud virtually impossible. As a starting point in the digital transformation journey, community banks need to have an accurate inventory and map of all their core and critical applications, their dependencies and the network traffic they generate. This visibility will provide a foundation for the ring-fencing controls to allow seamless migration of the applications into the cloud, along with their security policies.
Protecting third-party access: Third-party outsourcing or software provider traffic needs to be properly routed, usually through a “jump-box” in the DMZ to a single termination point within the data center and be restricted from traveling across the bank’s network. This is essential to prevent attackers from “landing and expanding” through a third party’s compromised system.
Isolating money transfer and payments systems from general IT: Providers of electronic funds transfer and payment systems, notably the Federal Reserve’s FedLine service, typically demand strict separation of their services from the institution’s general IT environment. Segmentation enables bank IT teams to set boundaries around the service provider’s “zone” and prevent unauthorized access.
Reducing risk by limiting lateral movement: Today, the majority of data center traffic is lateral between applications (east-west) rather than entering the data center from outside (north-south). With flat networks, the reality at many organizations, it only takes a breach of a single machine to give bad actors a foothold from which to access sensitive applications and data. Segmentation can effectively protect against lateral movement and reduce risk by ring-fencing business-critical applications and systems.
Addressing compliance and cyber regulation: Segmentation gives banks an efficient way to comply with both the vendor requirements and cybersecurity regulations from multiple agencies. Accompanied by deeper visibility with a single pane of glass, it allows them to demonstrate that they are taking effective measures to secure critical assets, mitigate fraud risk and protect customer privacy.
Cost Reduction: When done correctly, segmentation can actually reduce costs community banks face. The key word is correctly. To understand what it is to do segmentation correctly, one must first look in the next section how it should and should not be done.
However, as these financial institutions attempt to achieve security at scale, they face challenges in five key areas:
- Third-party access
- Cloud migration & new technologies
- Cybersecurity compliance
- & two more
Download this white paper to unlock the remaining challenge areas and discover the efficacy of various security approaches being used by various institutions.