Banking Industry Blog | HORNE

It’s 2AM, Do You Know Who’s On Your Network?

Written by Mike Skinner | April 02, 2014

In light of the recent data breach at Target, IT risk buzzwords are swirling around the banking industry, and rightly so. The cost of a security breach can cripple any business and, certainly, a financial institution.

The Target breach has cost banks at least $200 million related to card reissuance and increased customer service activity with impacted account holders. So far, there are approximately 80 lawsuits against Target by banks and consumers, in hopes of recovering losses.

You may be thinking to yourself, “Only the largest banks and card issuers have the same exposure to hacking or cybercrime as a retail giant such as Target.” While the largest companies have more PCs, network devices, and people (via social engineering) to hack, organizations of all sizes are vulnerable. In fact, the root of the Target breach was traced to a 125-employee, privately held HVAC contractor doing business with Target. The contractor was connected to Target’s systems using an EDI-type interface for invoicing refrigeration services. Hackers compromised the HVAC contractor’s IT system and piggybacked into Target's network. While a financial institution can’t control the security of cardholder data outside its own network, it can significantly reduce the impact of a large-scale breach by implementing a sound risk management program. Such a program incorporates active network security monitoring, vendor risk monitoring and incident response handling. As a start to assessing your IT risk universe, financial institutions should answer the following three questions:

1) Are you actively managing network security?

The IT network infrastructure is often the first line of defense in ensuring the organization operates efficiently while keeping unwanted intruders out. Trust, listen to, and act on the network monitoring devices that alert you to issues on your network.

In a recent report prepared for the U.S. Senate, analysts noted that Target failed to respond to warnings from their intrusion detection systems. These systems were alerting the security team to the hackers’ activity from day one of the several-day data breach. Could the more than 80 lawsuits have been prevented with active network security monitoring?

2) Are you well positioned to manage the risks associated with external vendors?

It is one thing to understand and assess IT risks within your organization; understanding your vendors’ IT environments and their associated risks, however, is often overlooked. In the same report prepared for the U.S. Senate, the analysts described numerous deficiencies in the HVAC contractor’s information security policy, which eventually led to the breach impacting up to 100 million Target customers.

A simple compliance requirement or review of vendor information security policies could have prevented the financial and reputational damage caused by the headline data breach. What is your policy on allowing external access to your network? Does your financial institution ensure all vendors have a sound information security policy?

3) How would your financial institution respond if it was impacted by a data breach?

Currently, 46 states have laws regulating customer notification after a breach resulting in unauthorized access to personal information. Financial institutions should have a well-defined incident response policy to minimize exposure, as well as communicate with stakeholders, the media and law enforcement.

Often, the largest costs of a security breach are the intangible costs associated with loss of customer and stakeholder trust. Financial institutions with well-defined readiness and response plans to protect customers in the event of fraudulent activity, or exposure to compromised retail systems, can greatly reduce financial and reputational loss.

The technology environment in financial institutions presents numerous risks which, if unmitigated, can lead to significant tangible and intangible costs. Securing your organization’s network and developing sound incident response plans requires significant resources and investment.

However, history has shown that the outcomes of neglecting IT security and incident response are far more costly than the investment required to initiate preventative efforts within an organization.

Mike Skinner is a member of HORNE’s Financial Institutions practice area, and leads our Information Technology Assurance and Risk Services team. He has fifteen years of experience with IT audit, internal controls, regulatory compliance, IT security consulting, and business solution implementation. 
