The Data Breach Survival Guide

  • Enterprise data systems are proving to be porous, as a number of breaches over the past few months have affected not only large banks, but major organizations outside of financial services as well.

    September 1

When it comes to battling data breaches, banks would be well served by thinking small.

That doesn't mean the problem is shrinking - quite the contrary. Recent research from Verizon and the U.S. Secret Service says the number of enterprise data breaches is at its highest point ever - more than 760 breaches were recorded by the Secret Service in the past year.

What is changing is the focus of cybercrooks, who are shifting tactics away from the sweeping Heartland-style breaches of years past, choosing instead to focus on smaller, more tactical attacks that are harder to spot and counter. The study conducted by Verizon and the Secret Service said that only 3% of the breaches they looked at could have been avoided without difficult or costly corrective action.

One of the most recent bank victims is Citigroup, which in August reported a pair of data breaches. One exposed more than 92,000 customers in its Japanese card unit, when a person affiliated with an outsourcer illegally obtained inside information for a third party. But there was a bright spot to this unwelcome episode. Citigroup said that personal identification numbers were protected, so unauthorized use of the personal data to commit card fraud was unlikely.

A second incident followed later in the month in which Citigroup was tied to a breach at a retail chain, an incident in which Bank of America was also victimized.

Citigroup is just one of a number of major financial institutions and firms outside of financial services to suffer data breaches in the past year, with targets ranging from other large banks such as Capital One, retailers such as Michaels Stores, and government institutions as large as the U.S. Senate.

Each breach is a new black eye, giving assailants access to internal systems, where they can plant malware, find additional weaknesses to exploit, obtain information for whistle-blowing campaigns, or launch phishing attacks that dupe consumers and staff into turning over even more sensitive information. And leaks are particularly vexing since they're very easy to cause - a simple emailed attachment to an employee's home PC or mobile device, and a subsequent return email, can mistakenly compromise the PC, the attachment and the bank itself.

But there are things banks can and should do to make a major dent in the problem. "If you're running a data center, you're running a business, and protecting that business is a fundamental task," says Michael Versace, global risk director of IDC Financial Insights.

BTN polled a range of bankers, technology providers and analysts who revealed 10 of the biggest strategic moves a bank can make to protect itself. In most cases - such as dual authentication, access controls and document tracking - the technology requires an investment but is already widely available. And in other cases, the moves are cultural in nature and pose minimal cost for a financial institution. The following are some top suggestions from experts representing financial institutions, technology providers and the analyst community.

Create a cross-channel data protection plan. At Huntington Bank, CIO Zahid Afzal is busy working on a three-year information control program, in which every aspect of how the bank distributes information will be examined across all mediums and channels. One of the goals is to strengthen controls and access surrounding data and usage that is consistent across all business lines and activities, so there aren't different approaches to data security for different locations or departments that could inadvertently present opportunities for unwanted exposure.

The bank's board gets a progress report every quarter, and there is also regular input from an audit committee. "We're going to create a strategic security plan around this project," Afzal says. "Having an enterprise-wide view is critical, in my opinion."

Curb employees' web surfing. One theme that came up repeatedly among security experts is how easy it is for seemingly normal business activities of internal staff to accidentally expose an entire institution to a data breach. Email attachments, using personal mobile phones for work, and using home PCs for work can all indirectly place sensitive data in compromising venues.

That includes web surfing at work stations. Julie Conroy McNelley, a senior analyst at Aite, says banks should place restrictions on web surfing for staff that come into contact with sensitive data, whether customer data or internal data. The employee activity doesn't necessarily have to be intended for fraud - simply visiting social networks can expose data or reduce the effectiveness of network protections.

"If you have access to sensitive data, you should not be able to go to Yahoo! Email or Facebook, for example," she says. "It presents an added point of compromise, another point of data leakage or fraud."

Get human resources and risk management involved. David Wallace, a manager at SAS, says human resources should be a substantial player in data protection, because that's the most natural home at a company for an employee's identity, job description and access privileges.

Knowing what each employee is allowed to do can go a long way toward preventing "Wikileaks"-style activities and crime, as well as safely closing an employee's internal access when he or she leaves the bank.

"When someone's leaving the bank, there needs to be a link between HR and IT to determine what kind of information the outgoing person had access to," Wallace says. In addition to human resources, most of the sources BTN spoke with said it can also be helpful to migrate some responsibility for data breach prevention to risk management, since risk can provide insight into how a new IT deployment in a specific department, such as a CRM program, may impact the data breach risk for other business units.

Deploy stronger authentication. According to the Verizon/Secret Service data breach study, 86% of records breached across all industries were the result of stolen login credentials. That places pressure on banks to enforce strong authentication for both employees and customers, pressure that supersedes any action by a regulator or standards body that recommends banks shore up authentication.

Strong authentication most commonly refers to two-factor authentication. Most security pros recommend multi-layered authentication schemes paired with one-time passwords, to protect against attacks in which criminals gain access to customer accounts, which enables the attacker to spot security weaknesses at the bank for further penetration.

Consider virtualization. Desktop virtualization projects that run a number of staff workstations off a single server in a centralized data center have lots of benefits in terms of energy use. But they can also concentrate leak and breach prevention in fewer locations.

"Virtualization allows you to take advantage of improved backup and recovery, and it extends the sophistication of the data center to the desktop," says Leda Csanka, vice president and CIO at Cetera Financial Group, which provides consulting services to financial institutions and independent wealth advisors. Csanka says virtualization has become a popular data protection technique for many financial firms. "The data is easier to back up and safeguard in a virtual environment because updates and patches all happen in the same place."

Try to protect data on remote devices and emailed documents. Remote work on laptops, PCs, smartphones and tablets is a fact of life for almost all corporate execs and consumers, who can inadvertently expose data to outside sources every time they send work home by emailing it to their PC or other device.

Beyond corporate use policies that are hard to implement and even harder to enforce (and don't extend to consumers at all), there's not a lot that a bank can do to shield internal information that finds its way onto an external device that may already be carrying malware.

But there are some preventative steps that can limit email-related exposure, namely formatting emailed documents in a way that maintains encryption through to the email's destination, yet still allows the content of a document to be viewed on the proper PC or mobile device.

"What's missing in the industry is a focus on the full life cycle protection of documents," says Adi Ruppin, vice president of business development for WatchDox, a tech firm that recently developed a SaaS-delivered virtual document-sharing appliance that installs a layer of security around documents, then recreates those documents in a way that is tailored for viewing only on individual handheld devices. "Most encryption goes from point A to B, but once the document arrives at a destination, it's in plain text and can leak out accidentally," Ruppin says.

Reform entitlements. A common data security problem for business banking customers is passwords that give employees both the ability to pay bills and access to additional sensitive data. Like a lot of breaches, the resultant leaks are accidental - the user doesn't know that he or she is creating exposure by accessing or sharing the wrong information.

Jacob Jegher, a senior analyst at Celent, says banks can mitigate this risk by deploying an entitlement structure that sets up a hierarchy at different levels for corporate banking clients. This hierarchy gives individual users at a business banking client more finely parsed access than simple password-based privileges, based on variables such as certain times of day, or tailored to very specific files or transactions.

"The problem is, banks are not making [entitlement] mandatory for business banking," Jegher says. "Businesses must be forced to do this kind of thing by banks, and banks have to teach businesses how to use it."
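To make the entitlement hierarchy described above concrete, here is an added Python sketch of how such a structure could be evaluated; it is an illustration written for this page, not code from Celent or from any bank. The two-level layout (bank-granted client actions, then per-user entitlements that can only narrow them by account, time of day and amount cap), the action names and the client, user and account identifiers are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example: a deny-by-default entitlement hierarchy for business banking.
# The bank enables actions per client; each user then holds entitlements that
# can only narrow that grant further. All client/user/account names are made up.


@dataclass(frozen=True)
class Entitlement:
    action: str                        # e.g. "pay_bill", "view_statement"
    accounts: FrozenSet[str]           # accounts this rule applies to
    hours: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # allowed local-time window
    max_amount: Optional[float] = None  # per-transaction cap; None means no cap


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    account: str
    at: datetime
    amount: float = 0.0


class EntitlementPolicy:
    def __init__(self) -> None:
        self._client_actions: Dict[str, FrozenSet[str]] = {}        # client -> actions the bank enabled
        self._users: Dict[str, Tuple[str, List[Entitlement]]] = {}  # user -> (client, rules)

    def grant_client(self, client: str, actions: List[str]) -> None:
        self._client_actions[client] = frozenset(actions)

    def assign_user(self, user: str, client: str, rules: List[Entitlement]) -> None:
        self._users[user] = (client, list(rules))

    def decide(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything not explicitly entitled is denied."""
        if req.user not in self._users:
            return False, "unknown user"
        client, rules = self._users[req.user]
        if req.action not in self._client_actions.get(client, frozenset()):
            return False, f"action {req.action} not enabled for client {client}"
        matching = [r for r in rules if r.action == req.action and req.account in r.accounts]
        if not matching:
            return False, f"no entitlement for {req.action} on {req.account}"
        refusals = []
        for rule in matching:
            start, end = rule.hours
            if not (start <= req.at.time() <= end):
                refusals.append("outside allowed hours")
                continue  # another rule for the same account may still allow it
            if rule.max_amount is not None and req.amount > rule.max_amount:
                refusals.append(f"amount {req.amount} exceeds cap {rule.max_amount}")
                continue
            return True, "allowed"
        return False, "; ".join(refusals)


def demo_policy() -> EntitlementPolicy:
    """Constructed sample: one client with payments enabled, one without."""
    policy = EntitlementPolicy()
    policy.grant_client("acme", ["view_statement", "pay_bill"])
    policy.grant_client("shop", ["view_statement"])  # bank never enabled payments here
    policy.assign_user("alice", "acme", [
        Entitlement("view_statement", frozenset({"op-001", "payroll-002"})),
        Entitlement("pay_bill", frozenset({"op-001"}),
                    hours=(time(9, 0), time(17, 0)), max_amount=5000.0),
    ])
    policy.assign_user("bob", "acme", [Entitlement("view_statement", frozenset({"op-001"}))])
    # carol's user-level rule cannot exceed what the bank granted her client
    policy.assign_user("carol", "shop", [Entitlement("pay_bill", frozenset({"shop-001"}))])
    return policy


if __name__ == "__main__":
    policy = demo_policy()
    when = datetime(2011, 9, 1, 10, 30)
    print(policy.decide(Request("alice", "pay_bill", "op-001", when, 1200.0)))
    print(policy.decide(Request("alice", "pay_bill", "op-001", when, 9000.0)))
    print(policy.decide(Request("carol", "pay_bill", "shop-001", when, 10.0)))
```

The reason string is returned alongside the decision so that refusals can be logged and reviewed, which is what turns an entitlement scheme from an access control into a source of evidence when an incident is investigated.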

Develop a dashboard for breaches and other incidents. SAS' Wallace recommends an enterprise-wide governance, risk-management and compliance strategy that automatically loads all policy updates, management and incident tracking into a repository that can be accessed by all relevant parties in the bank at any time. "Any incident can get loaded into the repository, then you can track all events and when the cause is identified, that can get loaded as well," Wallace says.

Keeping this repository can help develop data breach controls based on a wide cross-departmental swath of intelligence that is regularly updated.

Suspect the worst. Fiserv chief risk officer Murray Walton says his firm has about a dozen IT staffers whose job it is to find vulnerabilities in his firm's firewall - which could impact bank clients downstream. "It's white-hat hacking," he says. "Better I find these vulnerabilities than someone else."

Monitor data in transit. Transferring account, transaction and business information between banks and other business partners opens a bank to the risk of unauthorized use outside of the network, where files cannot be protected by enterprise access controls.

One solution is file tagging. By placing visible and invisible digital watermarks on a file, the bank can determine accountability for information that leaves its corporate network. This tracking can determine when and where files are opened, and detail usage of a file in real time. Alerts can be sent out when unauthorized or suspicious use is detected.

Rob Marano, founder and CEO of InDorse Technologies, says that as authorized users download spreadsheets or other documents to perform duties, "the firm will be able to track them as they are used both internally and externally."

Don't boast. Kris Kovacs, IT manager at Coastal Federal Credit Union in North Carolina, says it's unwise to loudly announce to the world that your financial institution is solid and secure from data breaches, fraud or any adverse event connected to the unwanted exposure or loss of sensitive information.

"Not making yourself a target is important. If you talk too much about how secure your institution is, you can become a target in a highly charged environment," he says. "You also risk giving away details about how you're protecting your data."

But that sense of propriety only extends to public pronouncements that can catch the ears of crooks. Kovacs says banks shouldn't compete on security. "Security is very collaborative," he says. "If there's a breach at someone else's institution, you try to help them. You don't call it out as a differentiating factor."
