President Obama has unveiled a national cybersecurity plan to update aging government networks and boost security awareness. The plan is the White House's response to the recent epidemic of data breaches in both the public and private sectors. The President wants to set aside $3B to modernize the patchwork of computer systems used in government agencies. "It is no secret that too often government IT is like an Atari game in an Xbox world" declared the President.
Attackers have had an easy time exploiting the holes in public networks. Last year, data on 20 million federal employees and contractors leaked from the Office of Personnel Management. The private sector is also exposed. Newspapers and magazines are full of horror stories about people who are victims of massive cyber attacks.
Financial institutions are on the alert too and are certainly not immune to hackers' malevolence. To strengthen your practices, consider going back to the basics. Eliminate and take offline any and all data that is not necessary to keep on servers. If it isn't on the server, it can't be stolen, no matter how sophisticated the foe you are facing.
Start with personally identifiable financial information. This is defined by the FFIEC as any information a financial institution obtains about a consumer in conjunction with providing a financial product or service. The FDIC defines this further as any information about an individual which can be used to distinguish or trace that individual's identity, such as their full name, home address, email address (non-work), telephone numbers (non-work), Social Security Number (SSN), driver's license/state identification number, employee identification number, date and place of birth, mother's maiden name, photograph, biometric records (e.g., fingerprint, voice print), etc. This also includes, but is not limited to, education, financial information (e.g., account number, access or security code, password, personal identification number), medical information, investigation report or database, criminal or employment history or information, or any other personal information which is linked or linkable to an individual.
Then, compare what you have to what is publicly available. This type of information is defined as information that a financial institution has a reasonable basis to believe is lawfully and publicly available from sources such as public records, widely distributed media, and government-required disclosures. This comparison should highlight the areas to focus on: move immediately to remove that data where possible and encrypt it strongly where removal is not possible.
There are lots of ways the bad guys can get into your systems, and many in the IT world would say they are probably already there, just watching and waiting to strike. That's why we suggest moving to a simpler approach: if you don't need it to be on your systems, delete it completely. Then, if an evildoer gets in, they will only find a handful of sensitive data rather than a bucketful.
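As an added illustration of the delete-or-encrypt triage described above (example code written for this page, not the author's own tooling), the script below classifies the columns of a constructed customer table using the FFIEC/FDIC PII categories and also flags SSN-shaped values hiding in free-text fields that were never inventoried as PII. The column names, the set of columns the product requires, and the set treated as publicly available are all assumptions.

```python
import re

# Constructed sample of a stored customer table; every value is made up.
SAMPLE_RECORDS = [
    {"full_name": "Jane Example", "ssn": "123-45-6789", "dob": "1980-04-12",
     "mothers_maiden_name": "Roe", "account_number": "0012345678",
     "home_address": "1 Main St, Springfield", "loan_balance": "25000.00",
     "notes": "Customer called about statement."},
    {"full_name": "John Sample", "ssn": "987-65-4321", "dob": "1975-11-30",
     "mothers_maiden_name": "Doe", "account_number": "0087654321",
     "home_address": "2 Oak Ave, Springfield", "loan_balance": "1200.50",
     "notes": "Verified identity with SSN 987-65-4321 over phone."},
]

# PII categories named in the FFIEC/FDIC definitions, keyed to the column
# names of this constructed table (the mapping itself is an assumption).
PII_COLUMNS = {"full_name", "ssn", "dob", "mothers_maiden_name",
               "account_number", "home_address"}
# Columns the product actually needs to operate (assumption for the example).
REQUIRED_COLUMNS = {"full_name", "account_number", "home_address", "loan_balance"}
# Columns whose contents are typically available from public records.
PUBLIC_COLUMNS = {"full_name", "home_address"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def plan_minimization(columns, pii=PII_COLUMNS, required=REQUIRED_COLUMNS,
                      public=PUBLIC_COLUMNS):
    """Map each column to DELETE, ENCRYPT or KEEP: unnecessary PII is
    removed; necessary PII that is not already public is encrypted."""
    plan = {}
    for col in columns:
        if col not in pii:
            plan[col] = "KEEP"
        elif col not in required:
            plan[col] = "DELETE"
        elif col not in public:
            plan[col] = "ENCRYPT"
        else:
            plan[col] = "KEEP"
    return plan


def find_hidden_ssns(records):
    """Return (row index, column) pairs where an SSN-shaped value sits in a
    column not inventoried as PII, e.g. free-text notes."""
    hits = []
    for i, row in enumerate(records):
        for col, val in row.items():
            if col not in PII_COLUMNS and SSN_RE.search(str(val)):
                hits.append((i, col))
    return hits
```

Run `plan_minimization(SAMPLE_RECORDS[0].keys())` to get the per-column action and `find_hidden_ssns(SAMPLE_RECORDS)` to see that the second record's notes field leaks an SSN even though the plan keeps that column.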
In the meantime, continue to train your staff, add security layer upon security layer to better protect yourself, and monitor activity on all computers in as close to real time as you can.
Finally, be sure to address what may be your weakest link: your customers. Remind and train them to protect themselves and, in turn, protect your bank. Good luck and keep playing this game with the best tools you can find.