Financial institutions are targets for hacking due to the large amount of personal, sensitive data that are stored on their networks. You need to ensure that your systems are protected properly from outside and internal threats. Failure to do so can result in a systems breach, widespread negative publicity, the potential loss of customers and certainly the loss of your job. Malware is a major threat to financial services firms. Understanding what malware is and how it can land on your network is essential if you are going to properly protect against it.
Malware is any piece of software that is put onto your network without your consent and whose purpose is to harm your organization in some manner. The most well-known forms of malware include viruses, spyware and Trojans. Others include keystroke recorders ("keyloggers") and even custom software that an employee may have intentionally installed to mail sensitive data to his personal email address.
So what can you do to protect your financial organization from the threat of malware? The answers fall into two distinct categories: technical tools and policies.
Technical tools
The technical tools are often the easiest to implement, since it's typically a matter of purchasing the right ones and implementing them. Examples include corporate-class antivirus and antispyware software that is installed not just on workstations, but also file and mail servers. Most modern firewalls have built-in antispyware and antivirus capabilities; they just need to be activated in order to do their job. Whichever you choose, it should be current, from a reputable vendor and installed by an individual or organization that truly knows the intricacies of the product. Never accept just the default settings, as they are usually inadequate for any business that values its data.
Email and Web browsing are two of the most typical mechanisms by which malware can be introduced into your network. For example, many email messages claim to come from a trusted source, such as Microsoft or your own financial institution, and will contain either hyperlinks to sites that try to collect your personal information, or attachments that the sender claims are needed to patch your computer. Similarly, websites will often try to deceive you into thinking that you have spyware and will contain a link for you to scan and clean your system, when the fact is that your system was already clean and the software that you will be downloading is the actual malware! This is where training is very important.
Along with the tools such as firewalls, antispyware and antivirus, it is critical to educate users about the threats and what they can do to mitigate them. To continue with the previous example regarding fake patches from Microsoft, users should be reminded over and over again that Microsoft and most other major vendors would never send these updates by email. Rather, they will provide a hyperlink for the user, or preferably the network administrator, to go to the vendor site to manually download the patches.
Policies
Procedural solutions to the malware threat are more difficult to manage and enforce. The weakest point in any organization is often the end-user, and as we all know, placing any restrictions on habits which might inconvenience the end-user can result in an unpleasant workplace. None the less, it is imperative to have these in place to protect your organization.
Two examples of policies include:
Acceptable Use Policy: This is a document that describes what rights employees have with regard to the usage of computer systems. The policy might state, for example, that employees are forbidden to browse gambling or pornographic sites while at work or from any company-owned computer. All employees should sign an Acceptable Use Policy when their employment first begins as well as at their annual performance review. To disregard the terms of the policy can be grounds for discipline or dismissal.
Remote Access Policy: This provides standards for methods and times that employees may connect to the corporate network from a remote location, including from home and/or mobile devices. Remote Access Policies can be enforced technically and are important to have in place as a safeguard against improperly transmitting confidential data to insecure sources.
Having policies alone will not protect a financial institution's network against malware. Rather, they will help to minimize the likelihood that malware will ever become a problem by educating end-users and placing potential consequences on their actions.
About the author:
Brad is a Microsoft MVP in Enterprise Security, one of less than forty worldwide to possess the award in this category. He is also a Microsoft Certified Systems Engineer (MCSE), a Certified SonicWall Security Administrator and a Certified 3Com IP Telephony Expert. He is the founder and president of the National Information Security Group, an active member of the FBI's Infragard program and a member of the Microsoft IT Advisory Council. He holds a Ph.D. in physics to help him determine how long it will take his monitor to be launched across the local highway.
