Security considerations for modern branch technology
As branch networks evolve from brick-and-mortar transaction centers into technology-friendly customer interaction spaces, banks must also be diligent in their work to update their security strategy. A 20th-century security plan won't protect a 21st-century branch network. Unfortunately, there's no universal approach that will work for every institution. "Any time you're adding new technology or moving to something new, there's no easy answer," said Randy Phillips, vice president of security management at Thompson Consulting Group, LLC. "It's really a case-by-case basis because it depends on how much technology you're adding." Instead, bank security officers should align their current strategy with their branch network by taking a close look at their vulnerabilities from a holistic perspective.
Adopt a Holistic Perspective
Modern branch networks are less a collection of separate buildings and more a true network, a group of interconnected pieces working in tandem. Therefore, updating the security strategy to accommodate modern networks requires a perspective shift. "It doesn't require changes so much as it requires looking at security concerns from the past in a different way, as an ecosystem rather than as separate pieces," said Jim Stanger, FI solutions team leader at Edge One, Inc. "You need to look at your security more holistically." Protecting innovative branch networks that rely on more automation than past models requires reviewing security in a new way, according to Barry Thompson, managing partner at Thompson Consulting Group, LLC.
That holistic view necessitates an understanding of how each piece of the network interacts with the others, whether it's an ATM at a remote location, a complimentary Wi-Fi connection, or a new mobile app. "Any time you're looking at new technology, you need to look at the interoperability, how all the parts will work together," said Phillips. "Research it and spend the time to choose wisely, because the last thing you want is to make a purchase and then discover that it's not as efficient as you'd anticipated or it opens you up to new vulnerabilities you hadn't expected." Bank security officers must identify and defend against new and transforming vulnerabilities related to both physical security and information security, and the best way to do so is to evaluate current security from the perspective of a criminal. "Everybody's probably heard it before, but any situation where you're the security officer you have to think like the bad guy," Phillips said. "What are they doing and how are they trying to do it?"
With today's rapidly evolving technology landscape, keeping up with the industry is vital for information security, which is one of the most common security concerns today, according to Dawn Staples, president/CEO of Superior Savings Bank. "These concerns evolve as quickly as the previous vulnerability has been addressed. Maintaining an effective information security policy that is frequently updated and followed, along with a vigilant eye on emerging trends, is essential." An ongoing system for monitoring and improving security is especially critical as the machines banks use to deliver services to their customers, such as video ATMs and interactive teller machines, become more complex. "Protect the terminals today but also have a system for protecting them on an ongoing basis," Stanger advised. Having a system in place to regularly install security updates is vital, as modern machines are far more complex than their past counterparts. "These solutions are just as much software as they are hardware, today," said Stanger, referring to ATMs.
Even entirely digital system components such as Wi-Fi and electronic banking products should be reviewed and monitored as part of the overall branch network, since they can become gateways for criminals to access other areas of the network. "Layered security is a primary focus with all of our electronic banking products," said Staples. "Multifactor authentication, firewalls, and VPNs are just a few of the strategies that are commonly used." When it comes to offering internet access to customers, the best protection is to separate it from the connection used by branch network components and internal processes. "If you're providing free Wi-Fi for visitors and customers, you must ensure that the connection is completely separate from the connection used by the bank's internal computers and systems," Thompson stressed. "Otherwise someone in the parking lot can start using your internet." The good news is, safer and more secure technology is developed as rapidly as criminals find ways to exploit current technology. "As technology advances, additional protections are available for personal transactions, whether it's banking or any other cloud-based activity," said Staples.
When it comes to physical security, a holistic perspective requires banks to consider how the new devices impact customer safety, even as they provide additional convenience. "The biggest change is to give more consideration to the fact that we're moving some of our security exposure to the customer," Phillips said. He explained that self-service machines such as interactive ATMs place the responsibility for cash handling on the customer, and many people still don't trust machines to dispense the correct amount. "They're still going to stand there and count the money," he said. "So, look at the surroundings."
This customer-centric view also applies when considering the physical layout of the branch, including the placement of teller pods (if they are being installed). "The size of the teller pod and how you position it within the branch creates issues for physical security," said Thompson. For example, he cautioned banks against positioning pods in such a way that would allow customers to view the computer screens on nearby pods, potentially revealing other customers' account information. "It's crime prevention through environmental design," he explained. Fortunately, as with many information security components, improvements are constantly being made to the physical elements of branch networks. "Many of these new technologies have self-monitoring capabilities, detecting skimming devices on ATMs, for example," Phillips said.
One thing that hasn't changed, and isn't likely to: prevention and preparation are critical elements in an effective bank security strategy. "Vigilance for what's happening today, with an eye for what's happening tomorrow," said Stanger. "It's best to buy umbrellas before it starts raining."
Edge One, Inc. is a WBA Associate Member.