This article originally appeared in the March 2024 issue of Security Business magazine. Don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter if you share it.
While not a new vertical, the challenges and needs of the banking and finance industry are constantly shifting, and integrators are often looking for new strategies to combat evolving threats.
A panel of security vendor experts took a closer look at these technologies and tactics during a recent Virtual Security Showcase Tech Talk roundtable. The panel included Ronnie Pennington of Altronix, Kurt Measom of Boon Edam, Skip Burnham of Dortronics, Mark Evans of Sielox, and John Gallagher of Viakoo. Here are some highlights:
Why is layering security solutions important for banking and financial customers?
Pennington: We are talking about the physical security of facilities and buildings, but with banks, think about the need for multiple layers of consumer protection from a cyber perspective. For example, I called my bank earlier today and I had to enter an access code and then a four-digit PIN before speaking to a representative, and when I got a real person on the phone, I had to give them my code word verbally before they would access my account. It is no different when it comes to physical access and the importance of layering security solutions.
Measom: Layered security solutions are great, but as we know, any single layer of security can have flaws, which is why having multiple layers of security is a benefit. Secured entry solutions can provide varying levels of protection for various areas within banks, including teller areas, server rooms, safe deposit boxes, and safes. This allows both customers and personnel to move about in the specific areas where they should have access while ensuring high levels of security in protected areas.
Burnham: Almost every one of our financial customers now uses interlock controls as part of their overall layered security systems. Integrating these solutions into layers greatly enhances overall safety and security.
Gallagher: Layering is not just related to physical security, but also the IT side – the cybersecurity side of the security equation. People are trying to penetrate and breach organizations on both the physical and cyber side, so it is important to make sure you have layers of physical and cyber security in place, and make sure you have testability. The products need to work as intended and have visualization of how they are working, plus the ability to check to see if something goes wrong. Security professionals in the financial space need to address both sides of the security equation.
How can security technologies address compliance in the banking and finance industry, such as recording transactions at ATMs to creating transactional audit trails?
Gallagher: Compliance is becoming more prevalent in every industry, but especially in banking, because of the various levels of regulators and many specialized services such as wire transfers that demand special security requirements. Compliance is critical to sustain operations, and when a breach occurs, the immediate question that is asked is “How did it happen.” The answer is typically that some aspect of compliance was not abided by and subsequently failed.
We recently saw that the FCC’s X social media account (formerly Twitter), which offers two-factor authentication as a standard capability, was not being used and created an easy attack surface. The two-factor authentication should have been implemented, but it was not, which should surely be labeled as a compliance breach at a federal agency. The best way to ensure compliance is to use a digital twin of your system to track and maintain detailed records of all system operations. This is especially critical in the banking industry.
Pennington: Compliance is vital in the banking industry from a power and data distribution perspective – particularly where the products come from, and if they are vulnerable to any cyber issues when deployed with remote control and monitoring capabilities over a network. If you are required to maintain certain specifications like UL to be compliant with local building codes or from the FCC, FTC, or any other three-letter acronym agency, your foundational power and data distribution devices must meet a host of specified requirements.
Burnham: The payment card industry has a security standard that requires all emergency entrances to be fitted with mantraps or interlocks. This is an application you normally wouldn’t think of in this industry but one that makes perfect sense today.
Measom: Layered solutions – like security entrances and access control software – provide a means of auditing who has accessed specific areas within a facility, when they accessed them, and if they physically entered an area. These are all important data points for record-keeping for compliance audits.
How do systems with remote management functionality impact cyber hygiene and physical security for banks?
Pennington: Any device connected to a network represents a potential attack surface for hackers. To help prevent this from affecting foundational power and data transmission devices with network management capabilities, the products should undergo third-party penetration testing. If any vulnerabilities are found, the product goes back to engineering to eliminate the threat surface.
Gallagher: We did a survey recently that found that most organizations have functionally entered inter-departmental coordination of IoT security. With physical security professionals typically having the largest collection of cyber-insecure devices within their organizations, they often have a lead position when coordinating and discussing cybersecurity measures. Physical security brings a currency to the discussion in the form of data. All the solutions and devices discussed today are generating huge volumes of data that organizations might find of value when looking at various IT, physical security, and business operations. Another consideration is that procurement personnel can benefit from this data as well in determining if new device purchases have been penetration tested and are safe for deployment with the latest firmware and password protections.
With insider threats a risk for the banking industry, how can security technology help alleviate these threats?
Evans: Access control management systems can capture and generate real intelligence to help detect insider threats. An example would be detecting abnormal access patterns such as attempting to access restricted areas or attempting access at odd hours. This makes it easy to detect patterns that may otherwise go unnoticed and could potentially lead to security breaches. It is also most important to emphasize to customers and systems integrators that they are applying fundamental protections like Low-complexity Secure Delivery Protocol (LSDP) and secure communications to ensure they are addressing some of the simple ways to discover bad actors and mitigate risks at their bank and financial institutions.
Measom: Managing and documenting access activities to and within banking facilities can help prevent insider threats. Secured entry solutions can come with multi-factor authentication to help prevent tailgating or piggybacking when accessing protected areas with sensors. This can be applied to many areas within a banking facility including access to vaults, safety deposit boxes, and data centers.
Learn more about Virtual Security Showcase Tech Talks at https://virtualsecurityshowcase.com/tech-talks.
Paul Rothman is Editor-in-Chief of Security Business magazine. Email him your comments and questions at [email protected]. Access the current issue, full archives, and apply for a free subscription at www.securitybusinessmag.com.
