Create a Holistic Security Policy at Your FI

by CDW Financial Services|Sep 29, 2016

When it comes to protecting sensitive information, are we doing enough? Banks and other financial institutions understand they have a responsibility to keep up with the ever-changing threat landscape to protect their customers’ privacy. But many organizations tend to focus on enforcing cybersecurity safeguards while neglecting low-tech threats.

To best protect customer information, financial organizations need to have holistic security and privacy policies. This entails implementing additional administrative and physical protections that protect all channels of information from unauthorized access, viewing and theft.

A growing physical, low-tech security threat to information is visual hacking, defined as the viewing or capturing of confidential or sensitive information for unauthorized use. In a financial institution, visual hacking can happen in a number of places. It could happen as a customer peeks over the shoulder of another customer as they enter their ATM PIN. It can also occur when employees leave confidential documents on their desks while refilling their coffee. And as workers become increasingly mobile, it could occur when employees check email at the coffee shop or on their train commutes.

A global study published last month confirms the risk of visual hacking. In the Global Visual Hacking Experiment study, conducted by Ponemon Institute and sponsored by 3M, a visual hacker successfully accessed sensitive corporate information 91% of the time.[1] Many of the breached organizations likely spent millions on training and technology to thwart data threats. Yet they were easily infiltrated, most often in less than 15 minutes. As financial institutions look to develop holistic security and privacy policies that address weak links in their organizations, here are several areas to consider:

  1. The People Problem

The weakest link in any organization is often of the human variety. In fact, employee error was found to be the most common cause of corporate system breaches, according to a 2015 Association of Corporate Counsel report.[2] This means security professionals need to take a close look at the people who have access to sensitive data.

Do you have new people to train due to an acquisition? A new partner in the supply chain? Or perhaps a third-party vendor who now has physical access to your building? Spend time identifying the messages, communication channels and incentives that will resonate with each audience segment to test their immunity to risks such as spear phishing and visual hacking.

  1. Scrutinize Your Processes

Employees are the first line of defense against visual hacking, but changing human behavior can be difficult. That’s why processes are so important.

People are working around the clock because of the great burden to be productive. This leads employees to work while in coffee shops, send documents from a hotel while on vacation, or perhaps take a business phone call while meeting at a restaurant.

As these introduce “gray edges” to where things of value are accessed and stored, processes need to provide guidance and real-time training for countless new scenarios.

Are employees working from new locations? Do employees know to shut off Bluetooth when they work remotely? Do they use privacy screens when working in public spaces? Is your organization storing data in new places, such as virtualized servers?

Processes need to address all the places — both inside and outside the company walls — where sensitive data is accessed and stored.

  1. Technology Review

For quite some time, a built-in feature on desktop monitors has helped prevent data leakage to USB ports. Security features such as this are now available in mobile devices, which further protects data regardless of the type of device being used to access it. Meanwhile, network access controls make it possible for contractors and visitors to access the information they need without exposing secure areas of the network that are meant for employees only.

Have you reviewed your digital certificate practices, file integrity management and technical policies to make sure employees can work securely and productively? Do the log-monitoring technologies used in your corporate data centers extend to data in the cloud? Do you deploy secure technology that enforces encryption to USB keys?

To make sure you are doing enough to protect sensitive information, it might be time to take a closer look at the people, processes and technology in your organization.


*Larry Ponemon is a member of the Visual Privacy Advisory Council and receives compensation from 3M in connection with his participation on the Visual Privacy Advisory Council.

[1]Average based on global trials conducted by Ponemon Institute during the “Visual Hacking Experiment,” 2015, and the “Global Visual Hacking Experiment,” 2016, both sponsored by 3M.

[2]One-Third of In-house Counsel Have Experienced a Corporate Data Breach, ACC Foundation: The State of Cybersecurity Report Finds, ACC, Dec. 9, 2015