Indian Banks: Tips to Prevent Breaches and Stay Compliant
Banks worldwide are highly exposed to cyberattacks, as the business environment is continuously changing and new threats emerge every day. DLP solutions can help protect sensitive data and meet compliance requirements.
Cybersecurity Trends of Banks
Banks worldwide face a wide variety of web security risks and are among the most heavily targeted institutions. Because of the large amount of customer data they handle and the financial assets they hold, banks are natural targets for both cyber criminals and malicious insiders. In today’s constantly changing cyber environment, where attacks are becoming more sophisticated, more targeted and more damaging, a bank without an in-depth defense strategy faces a breach that is no longer a question of “if” but “when”.
In the case of banks, the situation is even more complex as they have to comply with an increasing number of global, regional and local regulations. Failing to comply or having been breached can result not only in serious financial losses and fines, but it can damage the institution’s reputation and erode its customers’ confidence as well. As a result, banks should regard the protection of their sensitive data not as a compliance mandate, but as a responsibility vital for their success.
The State of Things in India
In India, too, cybersecurity measures for the banking sector have improved in recent years. In the wake of a rising number of cyber-attacks, the Reserve Bank of India (RBI) has not only published a set of guidelines but has also started conducting cyber-audits. The Cyber Security Framework in Banks circular, published by the regulator in 2016, underlines the need to put in place a robust cybersecurity framework, including among other things a board-approved cybersecurity policy, a cyber crisis management plan, the protection of customer information and continuous compliance assessments. A data leak prevention strategy is also prescribed; it should cover data in motion and data at rest, as well as data processed on endpoint devices, in order to help safeguard sensitive business and customer information.
The RBI states the following in its annual report, published in July 2018: “With the emerging threat landscape, where organised cybercrime and cyber warfare are gaining prominence, the Department is working towards ensuring continuous protection against the changing contours of cyber security threat.” As security breaches at banks keep making headlines, an enhanced security mechanism is part of the regulator’s agenda. It aims to provide high-level protection against cybersecurity threats, including concrete steps to create a cybersecurity culture, to make cybersecurity a responsibility, and to ensure the CIA (confidentiality, integrity, availability) triad.
The first draft of the Personal Data Protection Bill was also submitted in July 2018, by the Justice Srikrishna Committee, and it intends to change the way privacy is perceived and practiced within Indian businesses. The Bill follows the framework of the GDPR and integrates legal frameworks from other countries as well. It prescribes how organisations should collect, process and store citizens’ data and essentially makes individual consent central to data sharing. In case of a data breach, institutions would face penalties similar to those under the GDPR.
How Do DLP Solutions Safeguard Banks’ Sensitive Data?
A Data Loss Prevention (DLP) solution such as Endpoint Protector can help banks monitor sensitive data and prevent it from leaving the company environment. Apart from helping to prevent internal and external threats, it also supports compliance with international regulations such as PCI DSS, NIST 800-171 and GDPR, and with national ones like the RBI Circular, for which penalties can be quite severe.
Control Removable Devices
In the Baseline Control section of the Cyber Security Framework in Banks the following requirements are stated for Removable Media:
“12.1 Define and implement policy for restriction and secure use of removable media/BYOD on various types/categories of devices including but not limited to workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on such media after use.
12.2 Limit media types and information that could be transferred/copied to/from such devices.
12.3 Get the removable media scanned for malware/anti-virus prior to providing read/write access.
12.4 Consider implementing centralised policies through Active Directory or End-point management systems to whitelist/blacklist/restrict removable media use.
12.5 As default rule, use of removable devices and media should not be permitted in the banking environment unless specifically authorised for defined use and duration of use”
Device Control is an important feature of Data Loss Prevention solutions that helps prevent data leaks and data losses caused by employee negligence or malicious intent. It gives full control over peripheral ports and connected storage devices, including managing the rights of each device and restricting unauthorised media connections, thus keeping sensitive data from leaving the company; it also allows data transfers to be monitored, controlled and reported on. With Device Control, banks can reduce the risk of malware infections and minimize the risks related to BYOD (Bring Your Own Device).
Protect Sensitive Data in Motion
Content Aware security is another important feature of DLP solutions and an efficient way to control what data is allowed to be transferred. Sensitive data can be better protected when the solution is aware of its content. The Content Aware Protection module increases the visibility of sensitive data by inspecting its content; based on the company’s policies, transfers of important documents can be logged and reported, or blocked. It can be applied to removable devices, applications like Outlook, Skype, Google Drive and Dropbox, webmail and others.
Encrypt Confidential Data
A third important feature of DLP software is enforced encryption, which ensures that confidential data does not get into the wrong hands through unauthorized access or lost or stolen devices. The best DLP solutions safeguard data stored on computers, in cloud storage and on USB devices, and provide safe transfers.
Scan Sensitive Data at Rest
The eDiscovery module scans for sensitive data at rest residing on computers, shared file servers and in cloud storage. It helps protect confidential information and minimize the risk of data loss.
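To make the two mechanisms above concrete, the following is an added example written for this article, not Endpoint Protector’s own code. It shows the core of a content-aware scanner: candidate payment card numbers are located with a pattern and confirmed with the Luhn check (so that order numbers and dates do not trigger false positives), e-mail addresses are treated as PII, findings are masked before they are logged, and a per-destination policy turns the findings into an allow/log/block verdict for a transfer. The same scanner is then run over a set of stored files, which is what an at-rest (eDiscovery-style) pass does. The sample documents, the policy table and the destination names are constructed for the example.

```python
"""Added example: a minimal content-aware DLP scanner with a transfer policy.

Illustrative code written for this article, not Endpoint Protector's
implementation. All sample documents, destinations and policy rules are
constructed; no real customer data is used.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes. Word boundaries stop the pattern from matching a
# slice of a longer digit run.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A deliberately simple e-mail pattern; good enough to flag PII in free text.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str    # "card" or "email"
    masked: str  # redacted value that is safe to write to a log or report
    source: str  # file name or transfer channel where it was seen


def scan_text(text: str, source: str) -> list[Finding]:
    """Inspect one document and return the sensitive items it contains."""
    findings: list[Finding] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # only report numbers that are plausibly real cards
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:], source))
    for m in EMAIL.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("email", local[0] + "***@" + domain, source))
    return findings


# Constructed policy: the action to take per data type for each transfer destination.
POLICY = {
    "usb":         {"card": "block", "email": "block"},
    "webmail":     {"card": "block", "email": "log"},
    "file_server": {"card": "log",   "email": "allow"},
}
SEVERITY = {"allow": 0, "log": 1, "block": 2}


def decide(findings: list[Finding], destination: str) -> str:
    """Combine the per-finding rules into one verdict; the strictest action wins."""
    rules = POLICY[destination]
    verdict = "allow"
    for f in findings:
        action = rules.get(f.kind, "allow")
        if SEVERITY[action] > SEVERITY[verdict]:
            verdict = action
    return verdict


def scan_at_rest(documents: dict[str, str]) -> dict[str, list[Finding]]:
    """eDiscovery-style pass: report which stored files hold sensitive data."""
    return {name: f for name, text in documents.items() if (f := scan_text(text, name))}


# Constructed sample documents (the card number is a well-known test value).
SAMPLE_DOCS = {
    "kyc_export.csv": "name,card,email\nA. Sharma,4111 1111 1111 1111,a.sharma@example.com\n",
    "branch_memo.txt": "Order ref 1234567890123456 approved on 2018-07-12.",
    "contact_list.txt": "Reach the helpdesk at helpdesk@example.com.",
}

if __name__ == "__main__":
    for name, hits in scan_at_rest(SAMPLE_DOCS).items():
        print(name, [(f.kind, f.masked) for f in hits])
    kyc_hits = scan_text(SAMPLE_DOCS["kyc_export.csv"], "kyc_export.csv")
    for dest in POLICY:
        print(f"copy kyc_export.csv to {dest}: {decide(kyc_hits, dest)}")
```

Note that the memo’s 16-digit order reference is picked up as a candidate but rejected by the Luhn check, so it produces no finding, while the same KYC export is blocked when copied to USB, blocked over webmail and only logged when moved to an internal file server. Logging the masked value rather than the raw card number keeps the DLP reports themselves from becoming a second store of cardholder data.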
Given the rising number of both internal and external threats, it is clear why demand for data loss prevention (DLP) measures and solutions is growing significantly. Banks handle huge volumes of Personally Identifiable Information (PII) and Personal Credit Card Information (PCI), as well as intellectual property, and they need greater security awareness and proactive security.
Endpoint Protector is an award-winning Data Loss Prevention Solution for Windows, macOS and Linux as well as for iOS and Android mobile devices. Its main features include Content Aware Protection, Device Control, Enforced Encryption and e-Discovery. Endpoint Protector was recognized in the 2017 Gartner Magic Quadrant for Enterprise Data Loss Prevention and the Radicati Group’s Enterprise Data Loss Prevention Market Quadrant 2017 and 2018. It is certified with Common Criteria EAL2 and won the 2018 and 2017 Cybersecurity Excellence Awards in the DLP category.