The Two-Headed Technology Monster
Community banks are facing a two-headed monster when it comes to IT:
1. Sensitive data has never been under such direct attack.
2. Banks are facing intense pressure to control costs and reduce head count, not increase it.
With so many requirements to meet on information security, privacy and disaster recovery, many community banks do the best they can and then sweat through audits to find out whether they have to take additional action. According to an October 2016 American Banker report, more banks are eager to reduce head count to help the bottom line. Many community banks are therefore looking for ways to do more with a tight budget for internal IT staffing.
Key Security Needs
While the financial services industry has always been a leader in security and IT, technology keeps changing and consumers' technology demands will continue to rise, which means the demand for IT and security expertise will rise with them.
Increases in malware, ransomware, viruses, phishing and social engineering pose threats to banks both small and large.
So what can a financial institution do to improve its security posture while controlling costs?
- Invest in education: Investing more in training your organization on security procedures helps you get the most out of your IT investments. Whether that means broad awareness education or specific certifications, training improves employee security awareness and develops the in-house expertise the organization relies on for informed decision making. Security training and education can also increase the bank's credibility with external auditors and bank examiners.
- Review your access controls: You do not need to invest in technology to do this. Start by taking an inventory of the access controls currently in place: who has access to which systems and data, and whether that access matches their job role. Review your internal controls and ensure that only the right people are permitted to access the right information, paying particular attention to accounts of departed employees, shared accounts and privileges that exceed what a role requires.
- Create a Written Information Security Program (WISP): Document your comprehensive security plan, get sign-off from key stakeholders and track changes over time.
- Assess compliance status: Before facing an auditor, check your compliance with FFIEC guidance, other applicable regulators' requirements and your own information security policies.
- Perform an IT risk assessment: Being aware of the risks is the first step to managing them. Ask questions and document your findings. If you have the right expertise, this can be done in-house. Outside help is generally not a large financial commitment and provides an objective opinion.
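The access-control review above is the one item on this list that can be started today with nothing more than an export of accounts and group memberships. The script below is an added example, not part of the original article and not any bank's or vendor's tooling: it takes a constructed account inventory, compares each account's actual entitlements against an assumed role-to-resource matrix, and flags the findings an access review most often turns up (accounts of departed staff, shared accounts, stale logins and privileges beyond the role). The role names, resource names, thresholds and sample accounts are all assumptions chosen for illustration.

```python
"""
Added example (not from the original article): a minimal access-control
review over a constructed account inventory. It reconciles who actually
holds access against what their job role should permit and flags the
findings an access review most often turns up. All data below is
constructed; the roles, resource names and 90-day threshold are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed role-to-resource matrix: what each job role SHOULD be able to reach.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "teller_platform"},
    "loan_officer": {"core_banking:read", "loan_origination", "credit_reports"},
    "it_admin": {"core_banking:read", "domain_admin", "backup_console"},
    "janitorial": set(),  # physical access only; should hold no system access
}


@dataclass
class Account:
    username: str
    owner: str             # person accountable for the account, or "shared"
    role: str
    active_employee: bool  # False once HR has recorded a departure
    last_login: date
    entitlements: set = field(default_factory=set)


def review_access(accounts, today, stale_after_days=90):
    """Return a list of (username, finding) tuples; an empty list means nothing to fix."""
    findings = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct.role)
        if allowed is None:
            findings.append((acct.username, f"unknown role '{acct.role}'"))
            allowed = set()
        if not acct.active_employee:
            findings.append((acct.username, "account belongs to a departed employee"))
        if acct.owner == "shared":
            findings.append((acct.username, "shared account; no individual accountability"))
        if today - acct.last_login > timedelta(days=stale_after_days):
            findings.append((acct.username, f"no login in >{stale_after_days} days"))
        # Anything the account holds that its role does not justify is privilege creep.
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.username,
                             "entitlements beyond role: " + ", ".join(sorted(excess))))
    return findings


# Constructed sample inventory, shaped like an export from a directory or core system.
TODAY = date(2016, 11, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", "teller", True, date(2016, 10, 31),
            {"core_banking:read", "teller_platform"}),
    # Loan officer who picked up domain admin rights along the way.
    Account("mjones", "M. Jones", "loan_officer", True, date(2016, 10, 28),
            {"core_banking:read", "loan_origination", "credit_reports", "domain_admin"}),
    # Teller who left in June but whose account was never disabled.
    Account("bwhite", "B. White", "teller", False, date(2016, 6, 2),
            {"core_banking:read", "teller_platform"}),
    # Shared account for a vendor, holding access its role never needed.
    Account("cleaning1", "shared", "janitorial", True, date(2016, 10, 30),
            {"backup_console"}),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:10} {finding}")
```

Run against the constructed data, the review passes the teller whose access matches her role and flags the other three accounts. The point of keeping the role matrix as an explicit table is that it forces the business to state what each role is supposed to reach; once that table exists, the same comparison can be rerun after every staffing change rather than only before an audit.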
Depending on your organization's maturity, your IT staff may be able to perform some or all of these functions. But if you consider reaching out for outside help, whether as an additional employee or a third-party firm, be careful in your selection.
Vendor Selection: What to Look Out For
Any vendor with access to your network or data can become your weakest security link. That includes an IT and security vendor, but it also includes the janitorial service, HR providers or any other vendor.
So what should you look out for?
It's important to find a vendor that acts as a true partner: one that is proven, capable and compliant, rather than one that just sells you what you ask for. Some things to consider:
- The firm should practice what it preaches. Ask for its WISP or security plan, and ask which security frameworks the firm complies with or has been assessed against.
- Do they ask only about your IT systems, or do they also want to understand the greater business goal? A good partner will help you prioritize based on your business.
- You don't want to be a test case. Make sure they have experience in the financial services industry. Experience with clients larger than you can be a good sign: the larger the organization, the more stringent its security needs and standards.
- Look for a vendor that can address IT, security and application needs together. They're all integrated, and you don't want to ignore a vital piece of your security structure.
This blog post was written by Gary Sheehan and featured in the Community Banker.
Your IT and security partner should be an extension of your team and present a solution that meets the unique needs of the organization.
Tackle the two-headed monster in a responsible way that makes you feel comfortable. At the end of the day, protecting customer information goes beyond regulations, audits and rules. It comes down to keeping the trust you’ve earned with your customers.
That trust is what will lead to strong future business.