A recent study by LexisNexis Risk Solutions revealed that for every dollar lost due to fraud, financial institutions spend $2.92 when considering fees, fines, labor and other costs associated with fraud prevention. The new “hot topic” driving up costs is the uptick in the use of mobile applications. However, despite the need to protect an additional endpoint, financial institutions must also secure all existing access points, including the physical buildings, and all the assets and data maintained therein.
The Regulatory Environment in Financial Services
The nature of the business creates particular vulnerabilities specific to the financial industry. Companies seek to protect confidential client information, data, assets, and intellectual property. Losses cost banks money in terms of actual financial losses, the loss of customer trust, and the cost to the company’s reputation.
Financial institutions must meet security requirements across the regulatory arms of the GLBA, CFPB, SEC, FDIC, GSE, Federal Reserve, Dodd-Frank Act and more. In this highly regulated industry, compliance teams struggle to keep up with both changing laws and changing interpretations of existing laws.
The higher standard of care required for financial companies means that every device, cabinet, and desk that contains sensitive information must be secured at all times. Secured items could include desks, file cabinets, teller drawers, computers, laptops, tablets, smartphones, and any device or location storing or containing sensitive information or company assets.
When assessing security vulnerabilities, it is necessary to address every endpoint and every consumer access point, which requires a multi-layered approach to security in order to remain compliant with the various regulatory laws.
Distinguishing Between Threats and Vulnerabilities
Assessing the top security threats and vulnerabilities begins at the office level. From a security perspective, NASA distinguishes between a threat and a vulnerability as follows: “A threat is a person or an event that has the potential for impacting a valuable resource in a negative manner. A vulnerability is that quality of a resource or its environment that allows the threat to be realized.” For example, “An armed bank robber is an example of a threat. A bank teller is an example of a valuable resource that may be vulnerable during a bank robbery. The bulletproof glass between the robber and the teller denies the robber the opportunity to shoot the teller.”
Top Security Threats in Financial Offices
The top three threats to financial offices include the following:
- External security breaches from an outside source, which includes all entry points, both physical and electronic.
- Internal security breaches from an inside source. Employees can purposely or inadvertently cause a security breach. Employees have authorized access to data, assets, and proprietary information, making them a potential security threat to the company.
- Third party vendor breaches. Outsourcing is an effective way to cut costs. However, the regulatory environment within the financial industry often holds companies liable for a security breach involving a third-party vendor.
Top Security Vulnerabilities
The Vulnerability: Technical defenses, or physical security measures, are a fundamental part of any security plan. Without secure buildings, information, network, and software security are vulnerable to losses due to a security breach. When financial companies seek to secure physical buildings and the valuable assets and data stored within those buildings, they must consider theft, vandalism, natural disasters, and accidental damage.
The Solution: Having the right technology in place will reduce the risk of loss due to a data breach. Technological advances can reduce costs and improve protection against internal and external vulnerabilities. For example, Senseon locking devices will track access control within an office file cabinet or drawer, allowing a company to pinpoint an internal breach, while the auto-locking feature can thwart outside intruders from gaining access to sensitive information or customer data.
The Vulnerability: Policies and Procedures that meet regulatory requirements are an essential security element for every financial service firm. A careful look at the company policies and procedures as well as policies in place with third-party vendors will ensure they meet the high standard of care required by regulators. In addition to having the appropriate policies and procedures in place, companies must also review the failure rate of these practices, which could reveal areas of weakness that companies must address.
The Solution: A careful review of both existing policies and procedures and their effectiveness could uncover vulnerabilities. Look for existing policies that employees do not implement correctly or consistently, procedures that add little value to the scope of the security they offer, and policies that staff members ignore due to their complexity. Effective policies and procedures must not only be in place and in writing but must be practiced consistently.
The Vulnerability: Staff Training must include more than a knowledge of the rules and expectations. When employees are untrained and unaware, they can become susceptible to leaks and unintentional security breaches. Educating employees not only in the procedures to follow but also in why each rule is in place will better protect the company from a security breach due to an employee’s failure to follow established protocols.
The Solution: The best policies and procedures are ones that are built into the daily routine of employees to ensure compliance every day, every time. Procedures not embraced by employees can feel cumbersome, leading to shortcuts or outright ignoring existing procedures designed to secure company assets and data. Policies which appear to be more of a suggestion than a rule can lead to a casual approach to compliance-driven policies and procedures. Best practices and improved training will help employees properly implement policies and procedures designed to protect both the employee and the assets and data stored within the company.
A formal assessment of existing security protocols can identify the specific vulnerabilities in your financial office or building. You can then determine the appropriate countermeasures which will provide the highest return for your investment. While it is impossible to eliminate every threat and vulnerability, advances in technology and new products available on the market can improve the effectiveness of security measures.