In light of the recent data breach at Target, IT risk buzzwords are swirling around the banking industry, and rightly so. The cost of a security breach can cripple any business, and certainly a financial institution.
The Target breach has cost banks at least $200 million related to card reissuance and increased customer service activity with impacted account holders. So far, there are approximately 80 lawsuits against Target by banks and consumers, in hopes of recovering losses.
You may be thinking to yourself, “Only the largest banks and card issuers have the same exposure to hacking or cybercrime as a retail giant such as Target.” While the largest companies have more PCs, network devices, and people (via social engineering) to attack, organizations of all sizes are vulnerable.
In fact, the root of the Target breach was traced to a 125-employee, privately held HVAC contractor doing business with Target. The contractor was connected to Target’s systems using an EDI-type interface for invoicing refrigeration services. Hackers compromised the HVAC contractor’s IT system and piggybacked into Target’s network.
While a financial institution can’t control the security of cardholder data outside of its own networks, it can significantly reduce the impact of a large-scale breach by implementing a sound risk management program. Such a program incorporates active network security monitoring, vendor risk monitoring, and incident response handling.
As a start to assessing your IT risk universe, financial institutions should answer the following three questions: