Thales Blog

Compliance Is Responsible For A False Sense Of Security

October 3, 2013

As our avid readers will know, Wayne’s last blog looked at the relationship of APTs and The Insider Threat – bound together by the thorny issue of privileged user abuse. Now, let’s turn and consider what this two-headed monster means for the financial services environment from a compliance point of view.

Maintaining security and compliance in this sector is non-trivial. Typically, organizations like banks operate across a vast tapestry of file servers, databases and operating systems – and while rapid information flow is vital to their work, safeguarding the sensitive information in a manner that is also compliant presents a significant challenge. Unfortunately, many organizations continue to mistakenly assume that, because they’ve checked off the boxes to meet regulations, they’re safe.

Equally, up till now, many financial organizations, along with businesses in other sectors, have focused on external threats while ignoring employees and contractors. As our research reveals, with insider-related fraud up 43 percent in 2012, a new way of thinking is urgently required.

Unsurprisingly, given the wealth of sensitive data stored and the ‘interconnectedness’ of financial institution networks, they represent a prime target for APT hackers. Moreover, the simple encryption stipulated by payment data protection mandates for compliance purposes does not cut it in defending against this type of attack. While it does encrypt, it lacks the policy control that is vital to protect against the rise in privileged user exploitation – if a user’s credentials are compromised, an attacker can view whatever that user can view, and the encryption in place becomes useless.

What’s to be done? Short of replacing staff with in-house machines, a new technique and approach to defense is needed. To neutralize risk, financial institutions need to look to solutions that gather security intelligence about what is happening to data and that equally limit the amount of data their employees can access. In doing so, they are safeguarded against an inside job, effectively making them a worthless target for perpetrators of APTs.
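To make the distinction drawn in the two paragraphs above concrete, here is an added example (not Thales code; the user names, roles, process paths, sample record and the toy cipher are all constructed) contrasting encryption that any authenticated account can unwrap with decryption that is gated by an explicit policy and logged for security intelligence:

```python
"""Checkbox encryption vs. policy-gated, audited access to sensitive data."""
import hashlib
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-demo-key"  # stand-in for a real data-encryption key

def toy_xor(data: bytes, key: bytes) -> bytes:
    """Deterministic XOR keystream: stands in for a real cipher, NOT secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed customer record, stored encrypted at rest.
CIPHERTEXT = toy_xor(b"PAN=4111111111111111;name=J. Doe", KEY)

@dataclass
class Request:
    user: str     # account making the request
    role: str     # role asserted by the identity provider
    process: str  # binary doing the asking: the payments app vs. a shell
    action: str   # "read" or "export"

# Policy: which role, from which process, may perform which action on cleartext.
# Note that root/DBA can administer storage but are not entitled to cleartext.
POLICY = [
    {"role": "payments-service", "process": "/opt/payments/app", "actions": {"read"}},
    {"role": "fraud-analyst", "process": "/opt/analytics/query", "actions": {"read"}},
]
AUDIT_LOG: list = []

def encryption_only(req: Request) -> bytes:
    """Model of compliance-only encryption: any authenticated account gets cleartext."""
    return toy_xor(CIPHERTEXT, KEY)

def policy_gated(req: Request) -> Optional[bytes]:
    """Decrypt only when (role, process, action) matches policy; log every attempt."""
    allowed = any(p["role"] == req.role and p["process"] == req.process
                  and req.action in p["actions"] for p in POLICY)
    AUDIT_LOG.append({"user": req.user, "role": req.role, "process": req.process,
                      "action": req.action, "decision": "ALLOW" if allowed else "DENY"})
    return toy_xor(CIPHERTEXT, KEY) if allowed else None

def denied_events() -> list:
    """Security intelligence: denials are the events a SOC would review or alert on."""
    return [e for e in AUDIT_LOG if e["decision"] == "DENY"]
```

With the policy gate, a stolen DBA credential used from an interactive shell yields nothing but an audit record, whereas the encryption-only model hands it the cleartext.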

Officials must start thinking beyond basic compliance and embrace holistic security best practices to protect against data breaches while also ensuring control of the data. Better still, applying security best practices will put your organization well on its way to addressing a large percentage of both compliance requirements and the evolving security threats.