Banks Have a Legitimate Gripe Over Data Security
By Sanjay Beri
Until as recently as one year ago, banks denied even using cloud apps. Today we know that is far from the truth: on average they find 690 apps per enterprise, 91 percent of which do not meet critical security standards. But do financial institutions have a handle on the data being shared and accessed across the organization?
Truthfully, they have only begun to scratch the surface of locating the sensitive data held in these apps. In financial enterprises, for every 100 files scanned in sanctioned cloud storage and file-sharing apps, six are found to contain previously unknown sensitive data, including personally identifiable information (PII), payment card data (PCI) and protected health information (PHI).
Externally, there’s big pressure on banks to satisfy a growing customer appetite for the speed and convenience that apps — especially mobile ones — bring to banking customers. With 52 percent of smartphone owners performing at least one mobile banking transaction last year, the desire is definitely there.
That said, 45 percent of financial institutions were the target of an economic crime last year (the average across all industries is 34 percent), and 11 percent of Android-based banking apps are suspicious or contain malware. Banks know the likelihood of a security event is heightened for their industry, and they also know they are on the hook reputationally should things go wrong. If financial institutions are still trying to understand their own internal data risks, how can they possibly get comfortable with aggregators, such as Mint.com, accessing account holders' data?
The next logical question is how secure the aggregators are. According to the Netskope Cloud Confidence Index (an index of tens of thousands of cloud apps evaluated on an objective, 45-point scorecard adapted from the Cloud Security Alliance’s Cloud Controls Matrix), 94 percent of finance and accounting apps are not enterprise-ready in terms of security, compliance and privacy. This means they score below a 75 out of 100, or are rated “medium” or below. Looking at several aggregator examples, we identified some common security and compliance issues:
Lack of audit trail and business continuity when disaster strikes
With limited or no auditing of user and data access, banks will have a difficult time reconstructing an audit trail in the event of a security breach or data compromise. Additionally, some aggregators lack critical business continuity features to ensure uptime in the event of a disaster. A published disaster recovery plan and data replication may make all the difference between keeping customer data available and losing it entirely.
The encryption dilemma
The number one way to protect cloud data, encrypting it at rest, is sorely lacking in many aggregator apps. Part of this requirement is that the party holding the data (in this case, the aggregator) needs to maintain the encryption keys. Banks need to know and accept that any encrypted data is encrypted with the aggregator's keys and not their own, which is tantamount to making the aggregator, and not the bank, responsible for data security. Whoever holds the keys can decrypt, so at-rest encryption with aggregator-held keys protects against loss or theft of the underlying storage, not against a compromise of the aggregator itself.
Missing multi-factor authentication
Some aggregators have a gaping security hole by not offering multi-factor authentication, which requires the user to present two or more independent factors (something they know, something they have or something they are) rather than a password alone. Without it, a single stolen or phished password is enough to compromise an account, which may put the bank at heightened risk of inappropriate data access or breach.
Blurry data ownership lines
Many aggregators don't explicitly state that customers own their own data. This is a red flag and could signal that the aggregator will use the information for purposes other than its intended use, ultimately exposing data to untrusted third parties.
Another huge consideration is not just whether those particular apps are secure, but whether their entire ecosystems are. I recently spoke to the compliance officer of one of our customers, one of the 10 largest banks in the world. His comment brings the problem into stark relief: “It’s not the third-party apps I’m concerned about. We know who we’re dealing with there. It’s the fourth- and fifth-party ones.”
Just as an aggregator sits in a bank's ecosystem, the aggregator integrates, and shares data, with other third-party apps. Take Mint (which happens to be among the most secure of the aggregators), for example. The app has a vibrant ecosystem of apps designed to complement the services it offers customers. Some of these include Betterment (investment goal setting), Coinbase (bitcoin payment platform), and FutureAdvisor (investment analysis and recommendations).
Banks that partner with aggregators need to know not just how secure the aggregators themselves are, but also whether and how those apps integrate with their ecosystem partners, and whether all of those other apps have adequate security precautions. Ecosystems are the way business gets done, and knowing whether and how aggregators are sharing account holder data is critically important to an organization's security strategy. In the end, data security and compliance will win in the battle of banks versus aggregators.
Article was originally posted here