A June 26 email caught the attention of Mary Erickson, financial services officer at Altra Federal Credit Union in Onalaska, Wis. Purportedly a member, the writer requested the overnight transfer of $12,950 to a client. While the sender stressed the urgency of the transaction, he also said he would be in a long meeting and unreachable.
“Things didn’t sound right,” Erickson later recalled.
Upon closer inspection, Erickson discovered the sender’s email address differed from the actual member’s address on file — one character was missing. Eventually she reached the member, who was relieved that his account was safe and that Altra FCU had alerted him that his identity had been stolen.
“We can put up all kinds of defenses, but it still boils down to the people,” says Brian Boettcher, vice president and CIO at Altra FCU. “We want to trust everybody, but at some point, you’ve got to say, ‘There’s something not quite right here.’”
Small and medium-sized financial institutions are built on trust. To gain customers’ loyalty, they need to build relationships. At the same time, it’s their job to keep customer data secure — a job that grows increasingly challenging as online and offline security threats also continue to evolve. To fully protect data, financial institutions must employ several layers of defense, including technology tools, sound policies and employee training.
When it comes to technology, “small businesses should think about protecting data just as larger businesses do, with layers of defense and detective gates and analytics that intruders must successfully navigate in order to get to the information,” advises Michael Versace, global research director at IDC Financial Insights. Firewalls, intrusion detection and prevention systems, layers of authentication, and encryption technologies are valuable in that regard; however, training employees about their roles and responsibilities in keeping data secure is just as important.
“We spend a significant amount of time educating our employees with respect to keeping member information confidential,” Altra’s Boettcher says. “Brute-force attacks are getting more and more difficult for the bad guys. They still happen, but it’s the social engineering that seems to be the exposure that financial institutions have.”
Assemble a Defense
Altra FCU hosts a variety of security training sessions on a monthly, quarterly and annual basis, “so that people keep it in the forefront,” Boettcher says. The institution also conducts periodic penetration testing by hiring hackers to attempt to break into its systems.
“The human condition tends to be trusting. People think, ‘Well, who would do that?’ ” Boettcher says. “Our goal is to let employees know the different techniques hackers will use, and expose them to that paradigm.”
In addition to external penetration tests, Altra performs monthly scans of its internal systems. “It’s not just a one-and-done kind of thing,” Boettcher says. “Our environment changes as we grow. We just opened a new building; we’re adding branches and new employees.”
Vulnerabilities, as well as the types of attacks launched at any given moment, constantly change and evolve.
“The biggest threat now is receiving emails that have a genuine employee’s name as the sender but have a malicious payload or link,” says Peter Herschel, director of IT at Gemino Healthcare Finance in Philadelphia. Other common threats include links to what appear to be invoices or shipping information.
Because Herschel is a one-man IT shop, he leverages the cloud for help with managing such complex and ever-changing security threats. Before an email is delivered to Gemino’s server, it goes through McAfee’s Security as a Service Email Protection service, which scans and flags suspicious messages and any attachments or links within them. McAfee’s cloud-based service hosts the central console and manages deployment; Herschel needs to install it only on employees’ computers.
“The fact that the management and the updating is cloud-based means I don’t have to dedicate anything in the LAN for it,” Herschel says.
It’s increasingly important for smaller firms to engage outside experts when in-house capabilities and capacity are limited, Versace advises.
“If institutions have doubts about their internal capabilities, they really need to seek out partners and services that specialize in cyber and data protection to deliver the security and privacy controls their customers expect them to have,” he says.
Build a Fort
While some employees may be trained to spot suspicious activity, financial institutions can put up several defenses to keep threats from ever reaching them in the first place.
For day-to-day email, Altra uses a Microsoft Outlook plug-in from Barracuda that scans emails for sensitive information and alerts or blocks users before sending sensitive data. When employees and members must exchange such sensitive information, they use DataMotion’s cloud-based SecureMail and SecureContact solutions to send encrypted email. Raritan Bay Federal Credit Union in Sayreville, N.J., uses Microsoft’s BitLocker Drive Encryption to protect data on its HP notebook computers.
IT Manager Carey Hnath says Raritan Bay also embarked on a multiyear initiative to replace all of its desktops and notebooks and upgrade to Windows 8 Pro before Microsoft ended support for Windows XP in April.
“We couldn’t take that risk,” Hnath says of running Windows XP without patches from Microsoft. “There are some things you can’t avoid, but that was one thing we knew we could take care of on our end.”
An intrusion detection system notifies IT when and if malware hits a machine or anyone attempts to break into a machine, Hnath says. “It can be in the middle of the night, and I would get a call saying a machine’s been infected. I can isolate the machine off the network so it doesn’t affect anyone else, rather than wait until the next morning,” he says.
Hnath trains the company’s 35 employees not to open unexpected email attachments or visit unknown websites, but Raritan Bay’s content filtering system also serves as added protection.
“Security is a two-way thing: It’s both internal and external,” he says. “Not only are you getting people from the outside trying to get in, but also from within your own staff there could be a problem. Someone could visit a website that causes malware to be downloaded without even realizing it.”
When one of Gemino’s computers fell victim to last year’s CryptoLocker virus, the damage spread, putting documents in one shared network folder at risk.
Fortunately, Microsoft Security Essentials terminated the virus before it could do any lasting damage. While Gemino uses a disaster recovery service, backups are continuous. If Herschel had restored from that, in some instances he would have restored useless documents. For that reason, he makes it a point to also keep offline backups, maintaining tape backups of all servers.
Raritan Bay FCU maintains hard drive cartridges on site and backs up to the cloud nightly. For cloud storage, it uses Fiserv, which has multiple facilities and encrypts data as it’s transmitted, Hnath says.
“Backups are important, and not only having the backup, but making sure the backup is secure,” he says.