Banks are increasingly making use of the Internet of Things for all kinds of solutions, from measuring foot traffic to determine the optimal locations for branches and ATMs to using beacons to deliver personalized offers. However, just because something is new and innovative doesn’t mean it’s secure.
As banks adopt IoT and add more connected devices — sensors, Bluetooth low energy beacons, IP-connected cameras and more — to their network environments, they need to take steps to ensure that those devices, and the data sent to and from them, are as secure as possible. That’s especially true when customer information or proprietary bank data is involved.
The good news is that there are many sound approaches banks can take to improve their wireless network security, including strong encryption, network segmentation and a willingness to conduct penetration testing and replace connected devices if needed.
Finance Faces Mobile Security Threats
It’s clear that financial institutions see the potential threats that IoT and other wirelessly connected devices can bring. In Verizon’s “Mobile Security Index 2018” report, 25 percent of those surveyed who work in the financial services sector reported that they have experienced a mobile-related incident and 18 percent said it was a major one with lasting repercussions.
“If you don’t have a detailed appreciation for the security risks, you’re more liable to make a trade-off that affects security,” Justin Blair, executive director of business wireless services for Verizon, tells American Banker.
Meanwhile, 85 percent of bankers surveyed said mobile devices are a risk, with 37 percent saying they're a significant one. Financial services companies were most likely to agree that IoT is the greatest security threat facing organizations — 93 percent agreed, with 19 percent of those strongly agreeing.
The 93 percent figure could that high, Blair says, because bankers in the survey were likely thinking of ATMs and other devices that are connected to wireless routers as being IoT devices.
Network Segmentation, Encryption Help Secure IoT Environments
For banks looking to secure IoT devices in their branches and offices, there are lots of ways to ensure that the data they send and receive is protected and that they can’t be used to launch attacks on other parts of the network.
One clear strategy is network segmentation, which isolates IoT devices and mitigates the risk that one part of the network will be able to influence and harm other parts. Threats that do attack IoT devices can be limited to a controlled part of the network. “Existing best practices, such as network segmentation, will help take some of the security load off of these devices,” Marc Blackmer, product marketing manager, industry solutions, for Cisco Systems’ security business group, tells CDW.
Banks also need to ensure that the same security tools they use for their wired networks and computing equipment gets carried over to IoT deployments. “Strong encryption, robust authentication, compartmentalized access and other IT practices commonly used to remotely manage computer networks should also be applied to remotely managing IoT networks,” Michael Tennefoss, vice president of strategic partnerships for Aruba Networks, a Hewlett Packard Enterprise company.
Yariv Fishman, head of product management for vertical solutions and IoT at Check Point Software Technologies, an IT security technology provider, tells BizTech that “establishing an encrypted virtual private network connection between a device and the network helps eliminate potential attacks, such as ‘Man in the Middle,’ that compromise the integrity and validity of the information provided from the device to the network and vice versa.”
Next-generation firewalls along with identity and access management tools can also help. Banks should also be willing to replace existing IoT devices if new ones come out with comparable features and enhanced security protections. For this reason, customers should expect to replace IoT devices on regular intervals that are based not on operational life, but rather on the expiration of security defenses,” Tennefoss says.
It’s also important that banks sometimes think like malicious actors to identify vulnerabilities in IoT devices. “Bring in penetration testers on a regular basis, and if you can’t afford to do that, conduct red team exercises with your staff,” Blackmer says.
IoT holds a great deal of promise for banks, but innovative solutions need to be deployed securely. Luckily, there are lots of ways to make that happen.