Cybersecurity Vs. Information Security: Is There a Difference?

By: Melissa Stevens, Senior Digital Marketing Manager, BitSight

Is there a difference between cybersecurity and information security?

Not only is this a great question, but it’s something we’ve heard many times before. Cybersecurity and information security are so closely linked that they’re often treated as synonyms. But there are some important distinctions between the two. Below, we’ll explain those distinctions, review a couple of important areas of overlap, and discuss why this differentiation—and the evolution of these definitions—matters in the security sector.

Information Security

Information security (or “InfoSec”) is another way of saying “data security.” So if you are an information security specialist, your concern is the confidentiality, integrity, and availability of your data. (This is often referred to as the “CIA triad.”) Most modern business data resides electronically on servers, desktops, laptops, or somewhere on the internet—but a decade ago, before all confidential information migrated online, it was sitting in a filing cabinet. And some confidential information still is! InfoSec is concerned with making sure data in any form is kept secure, and it is a bit broader than cybersecurity. So someone could likely be an information security expert without being a cybersecurity expert.

Cybersecurity

Cybersecurity is all about protecting data that is found in electronic form. Part of that is identifying what the critical data is, where it resides, and the technology you have to implement in order to protect it.

Overlap Between Information Security & Cybersecurity

There is a physical security component to both cybersecurity and information security.

If you have a warehouse full of confidential paper documents, you clearly need some physical security in place to prevent anyone from rummaging through the information. And as more data becomes digital, the process to protect that data requires more advanced IT security tools. So, while you can’t put a physical padlock on a desktop computer, you can put a padlock on your server room door. In other words, if your data is stored physically or digitally, you need to be sure you have all the right physical access controls in place to prevent unauthorized individuals from gaining access.

They both take the value of the data into consideration.

If you’re in information security, your main concern is protecting your company’s data from unauthorized access of any sort—and if you’re in cybersecurity, your main concern is protecting your company’s data from unauthorized electronic access. But in both scenarios, the value of the data is of utmost importance. Both individuals need to know what data is most critical to the organization so they can focus on placing the right controls on that data. In some scenarios, an information security professional would help a cybersecurity professional prioritize data protection—and then the cybersecurity professional would determine the best course of action for the data protection. But with the changing security landscape over the past decade, things aren’t always this black and white.

The Evolution Of Information Security & Cybersecurity

Over the last decade, we’ve seen a fusion between cybersecurity and information security, as these previously siloed positions have come together. The challenge is that most teams don’t have an information security professional on staff—so the responsibilities of a cybersecurity professional have expanded dramatically. Cybersecurity professionals traditionally understood the technology, firewalls, and intrusion protection systems needed, but weren’t necessarily brought up in the data evaluation business.

But today, that is changing. As this subject becomes increasingly important for businesses, the role of cybersecurity experts is evolving so they can properly protect data. Business partners and investors are increasingly aware of the importance of this topic, and companies are asked regularly about their effectiveness in securing data and managing risk in both cyber and physical forms.

In Summary

Because of the evolution of this position, it’s easy to understand why many people discuss cybersecurity and information security in the same breath. And, you can see how the questions that information security and cybersecurity try to answer are, in essence, the same:

  1. How do we define what data is critical to us?
  2. How do we protect that data?

Where do you see the industry moving in the next 10 years? Tweet @BitSight with your thoughts.

BitSight is the NAFCU Services Preferred Partner for Cybersecurity Rating. Learn more at www.nafcu.org/bitsight.

5 Pillars of Cybersecurity in Financial Services

By: Melissa Stevens, Senior Digital Marketing Manager, BitSight

Financial services are one of the best-performing sectors in terms of cybersecurity. BitSight analyzed the data to pinpoint a handful of basic facts, ideas, and principles that make the financial sector so successful at cybersecurity, and outlined those “pillars” below.

Pillar #1: You Have To Meet The Expectations Of Regulations (And Beyond).

Financial services is a regulated sector—and regardless of your feelings on regulation, it does get some interesting results. When you know that someone is holding you accountable and that this party has the authority to fine or potentially shut you down, you know you have to take action. Thus, financial service organizations typically have implemented proper protections and risk management solutions, invested in the right technologies, and hired the best talent.

And while regulations are mostly about compliance, it’s pretty well understood that compliance does not equal security. To properly manage risk (and go above and beyond your fiduciary duty), you need to identify the greatest threats to your organization and focus your time and attention there.

Pillar #2: You Must Have Vigilance In Your Cybersecurity Execution.

Any company could do the bare minimum when regulators come knocking and let things slide when they leave—but that would be a big mistake. Therefore, you need to continue to be vigilant every day, not only when you’re being monitored.

Executing consistently takes both training and resources. Part of the reason financial service organizations excel at cybersecurity is because of the amount of high-level executive buy-in. The top people in the organization typically demand and expect a strong cybersecurity posture and provide the resources needed to support world-class information security risk management programs.

Pillar #3: You Must Excel At Detection And Recovery.

High-performing financial service organizations recognize that you’re never going to stop every cyberattack. There are too many gaps and too many ways that someone can access and exploit a system. So while you need to excel at protecting your high-value assets and data, you also must excel at detecting security issues and recovering any data loss quickly and efficiently.

Pillar #4: You Need To Manage Risk In The Third-Party Ecosystem.

Many breaches that happen to financial service organizations originate on vendor networks. Financial organizations are keenly aware of risks in the supply chain and the need to properly manage those risks. This is a challenge of scale—how should an organization focus on the vendors that are of medium and high criticality? Doing so requires an investment of both time and resources; but when you consider the consequences to your data (or your members’ data) if a third- or fourth-party system goes down, the investment is certainly worth it.

Pillar #5: You Should Consider Information Sharing.

Another thing the financial services industry does well is sharing information. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a mature industry forum created specifically for the financial services industry to share information about cybersecurity in their sector. In it, you’ll find a tremendous amount of collaboration around threat actors and the capabilities of those actors. Members feel that acting in collaboration is better than acting in isolation—which makes membership in the FS-ISAC extremely advantageous.

A Final Note On Cybersecurity In Financial Services:

Cybersecurity has been of great importance in the financial sector because of the amount of regulation in the industry. Even if you aren’t subject to regulations, one of your vendors likely is, and their organization could be breached, compromising your data.

But regulation isn’t the only reason that this is critical. It’s also critical because you’re in the business of trust. If your members lose faith in your ability to protect your information or provide a service reliably, your reputation and business may suffer as a result.


Card Fraud Lessons Exposed

By: Ann Davidson, VP of Risk Consulting at Allied Solutions

Recently Allied Solutions presented a webinar on card fraud in response to the reported increase in card fraud attacks. When polled, 81% of attendees stated they have personally experienced an uptick in card fraud during the last 12 months.

After this webinar, Allied reached out to individual financial institutions to perform an assessment of their risk programs and help uncover potential causes of the card fraud they were experiencing. Here’s what they found:

  1. Financial institutions were seeing increased instances of PIN fraud at the ATM.

Discoveries:

    • A fraud monitoring system (FMS) was not in place for PIN authorizations performed at an ATM.
    • All employees were granted the authority to change ATM PINs when requested by a caller.

Preventive Actions:

    • Confirm in writing from your PIN vendor that you have an FMS in place for all types of authorizations.
    • Ensure PIN change requests are performed using robust authentication measures, especially if you have a voice response unit (VRU); do not give your employees the authority to manually process PIN changes.
    • Review your PIN change reports to see if there is a notable increase in PIN changes.

  2. Financial institutions were seeing high daily dollar amounts on card transactions.

Discoveries:

    • Credit card limits were set at the line of credit for a 24-hour timeframe.
    • Debit signature limits were set to the available balance in the cardholder’s account.
    • Debit PIN limits for POS and ATM were set at $1500 and greater.

Preventive Actions:

    • Confirm you have daily dollar limits for ALL types of transactions.
    • Set your daily dollar limits to suit your organization’s risk appetite and tolerance.
    • Ensure daily dollar limits are set to accommodate the spending activity of your account holders.
    • Let your cardholders know they should inform your organization if they want the daily dollar limit raised to better accommodate their transactions.
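The two controls recommended above, a separate daily dollar limit for each transaction type and a review of PIN change reports for a notable increase, can both be checked with a small amount of code. The following is an added illustration, not code from Allied Solutions or from any card processor: it keeps a trailing 24-hour total per card and transaction type, declines anything that would exceed the per-type limit (and anything whose type has no limit configured at all), and flags any day whose PIN-change count is well above the average of the preceding days. The limit values, card identifiers, timestamps and daily counts are constructed for the example, and the 3x-over-a-7-day-baseline rule is an assumption, not an industry figure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-type daily limits (assumed values, not Allied's recommendations).
# The discoveries above describe limits tied to the line of credit, the available
# balance, or $1500+; the preventive action is that EVERY type gets its own ceiling.
DAILY_LIMITS = {
    "credit": 2500.00,
    "debit_signature": 1500.00,
    "debit_pin_pos": 1000.00,
    "debit_pin_atm": 500.00,
}

WINDOW = timedelta(hours=24)


def rolling_total(history, card, tx_type, now):
    """Sum of approved amounts for this card and type in the trailing 24 hours."""
    return sum(amt for ts, amt in history[(card, tx_type)] if now - ts < WINDOW)


def authorize(history, card, tx_type, amount, ts, limits=DAILY_LIMITS):
    """Approve only if the trailing-24h total plus this amount stays within the
    per-type limit. A type with no configured limit is declined: the whole point
    of the control is that no transaction type runs without a daily ceiling."""
    limit = limits.get(tx_type)
    if limit is None:
        return False
    if rolling_total(history, card, tx_type, ts) + amount > limit:
        return False
    history[(card, tx_type)].append((ts, amount))
    return True


def pin_change_spike(daily_counts, baseline_days=7, factor=3.0):
    """Return the days whose PIN-change count exceeds `factor` times the mean of
    the prior `baseline_days` days (assumed rule for 'a notable increase')."""
    days = sorted(daily_counts)
    flagged = []
    for i, day in enumerate(days):
        prior = days[max(0, i - baseline_days):i]
        if not prior:
            continue  # nothing to compare the first day against
        avg = sum(daily_counts[d] for d in prior) / len(prior)
        if daily_counts[day] > factor * avg:
            flagged.append(day)
    return flagged


def demo_authorizations():
    """Constructed ATM/PIN activity for one card against the $500 debit_pin_atm limit."""
    history = defaultdict(list)
    card = "card-demo-0001"  # constructed identifier
    day1 = datetime(2024, 3, 1, 9, 0)
    attempts = [
        ("debit_pin_atm", 300.00, day1),                          # 300 total -> approve
        ("debit_pin_atm", 250.00, day1 + timedelta(hours=1)),     # 550 > 500 -> decline
        ("debit_pin_atm", 150.00, day1 + timedelta(hours=2)),     # 450 -> approve
        ("debit_pin_atm", 400.00, day1 + timedelta(hours=24.5)),  # first 300 aged out, 150+400 > 500 -> decline
        ("debit_pin_atm", 300.00, day1 + timedelta(hours=24.5)),  # 150+300 = 450 -> approve
        ("contactless", 20.00, day1 + timedelta(hours=25)),       # no limit configured -> decline
        ("debit_signature", 1500.00, day1 + timedelta(hours=25)), # exactly at limit -> approve
    ]
    return [authorize(history, card, t, amt, ts) for t, amt, ts in attempts]


def demo_pin_report():
    """Constructed daily PIN-change counts; one day is far above the baseline."""
    counts = {
        "2024-03-01": 11, "2024-03-02": 13, "2024-03-03": 12, "2024-03-04": 10,
        "2024-03-05": 14, "2024-03-06": 12, "2024-03-07": 13, "2024-03-08": 61,
        "2024-03-09": 12,
    }
    return pin_change_spike(counts)


if __name__ == "__main__":
    print(demo_authorizations())  # [True, False, True, False, True, False, True]
    print(demo_pin_report())      # ['2024-03-08']
```

In production the window and the limits would come from the processor's configuration rather than a dictionary, and the spike rule would be tuned to the institution's own PIN-change volume; the structure of the check, one ceiling per type with nothing left unlimited, is what the preventive actions above call for.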

The discoveries that were made after communicating with these financial institutions demonstrate the importance of ensuring you have strong security measures in place to help prevent fraud attacks, while at the same time verifying the strength of your card processors’ and vendors’ security layers.

Watch the recording of Allied’s Card Fraud on the Rise: How Financial Institutions Can Help Prevent It webinar, co-presented by Ann Davidson and Tammy Behnke, Program Executive at ProSight Specialty Insurance, to hear more about how you can remain more protected from card fraud.

Hear more about security breaches and learn what your financial institution can do to help prevent and respond to breaches by attending Allied’s upcoming webinar Data Breaches Continue to Rise: How Financial Institutions Can Prepare & Respond on May 4.

Allied Solutions is the NAFCU Preferred Partner for Insurance—Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP); and rateGenius. Learn more at www.nafcu.org/allied.

3 Questions for Your Mobile Banking Partner (Part 2)

By: Will Furrer, Senior Vice President – Product Group, Q2

We pick up this blog series by addressing the last two questions your credit union should be asking a digital strategy company when developing a mobile banking plan.

See Part 1 of the blog series to learn about the importance of providing a consistent experience on mobile.

Question 2: How does security work for the mobile channel?

Mobile security is becoming more critical every day, due in large part to the fact that today’s mobile devices are essentially hand-held computers. As such, the risk of device compromise is something every member, and you as a credit union, should be keenly sensitive to.

Because of this, the security of your mobile banking solution can’t simply be the ‘latest and greatest’ protection available; it must be ahead of the times – using advanced techniques only behavioral modeling and machine learning can support.

Interconnectivity & Behavioral Modeling

Mobile banking is not the only type of digital banking your members will do; therefore, it is critical that your mobile security be part of a holistic view of each member’s behavior across your entire digital banking ecosystem.

That holistic view is a comprehensive picture of members’ behaviors across all your virtual channels, one that answers questions such as: What operating system are they using for their banking? What time of day do they usually do their banking? What do their typical movements through the application look like?

The power of interconnected solutions – or better yet, of a single platform solution – is very much aligned with credit unions seeking to be the most trusted, secure brand their members engage with.


Question 3: Does your mobile banking application provide support for commercial banking members?

As the majority of forward-leaning credit unions seek to meet their members where they are, the need for small business features and functions available via the mobile channel is becoming increasingly important. Small businesses—a.k.a. SoHos—are making their way into the households of millions of Americans every year, people who prefer to bank with a credit union due to the service, support, rates, and connection to the community where they live and work. However, neglecting their mobile business banking needs will in fact put the business of these profitable households in jeopardy over the coming years.

Feature / Function

Small and medium businesses (SMBs) require access to ACH for payments and payroll. Sometimes it’s only a few people, but more and more frequently SMB owners are running this through their personal accounts, meaning they are moving larger and larger amounts of money to more and more employees or contractors.

The great news is: your credit union can work with the SMB’s relationships to provide accounts for these potential members. It’s a win/win. A win for the owner of the SMB—who is now able to manage their payroll via their mobile device, as well as approve wires and draft payments, which is what they expect from a progressive credit union like yours. And a win for your credit union in the form of new members.

Conclusion

Above all else, offering a business banking solution via mobile devices will provide your members the same freedom they have come to appreciate with your retail banking products—expanded to where they make their living, not just where they check their balances. Mobile commercial banking access is a clear separator for innovative credit unions, one that will benefit you and your members.


Q2 is the NAFCU Preferred Partner for Single Platform Virtual Banking Solutions—Including Online and Mobile—for Community and Regional Financial Institutions. Learn more about Q2 by visiting www.nafcu.org/q2.

3 Questions for Your Mobile Banking Partner (Part 1)

By: Will Furrer, Senior Vice President – Product Group, Q2

With the ubiquity of the mobile-first member, implementing a mobile banking solution should be a top priority for your credit union. In this blog series, we will address the top three questions your credit union should ask a digital strategy company when developing a mobile banking plan.

Question 1: Does your mobile digital experience mirror your online channel?

People say the mark of a true champion is consistency. The same is true for mobile banking. Although mobile banking is seeing rapid adoption and growth by credit union members, it’s not projected to actually outpace interactions via the desktop until the year 2020.

The ability of your digital solutions vendor to provide a consistent experience—from data to workflows to functionality—should be high on the priority list as you make your selection.

Data Consistency

When discussing mobile strategy with a possible partner, it’s important to ensure that all of your data is consistent between devices. When making buying decisions for a mobile banking partner, this attribute is often overlooked.

The accuracy of the data across devices—desktop, laptop, tablet, and mobile phone—is critically important. Without consistent data, you risk eroding the brand you work so hard to promote with your members; confused and frustrated members aren’t generally good brand promoters.

Consistent data across devices is table stakes for today’s multi-device member. Earn their trust, solidify your brand, and grow your digital channel strategy with consistency at its core.


Dependable Experience

The branch used to be the central touchpoint for most credit unions. Today, however, more interactions are happening outside the branch than ever before.

Providing a dependable brand experience on any device, anytime, that’s in line with what your members need and desire, should be paramount in your decision making. The language and workflows your members are accustomed to on their computers should mirror that of their mobile devices.

The same care should be taken with the digital experience you provide your members, as the care you demonstrate when members are in the lobby of your credit union.


Reliable Functionality

Finally, where the rubber meets the road is functionality. What members want is the ability to do everything they can do online on their mobile devices. Scheduling bill payments, aggregating accounts, categorizing expenditures, and setting language preferences – all the value they’re afforded on their laptops and desktops, they also demand on their mobile devices.

Strengthen your credibility with your mobile members by ensuring they have access to all the features and functionality they have on their desktops, with a mobile banking tool that has the reliable functionality they can count on.


Look for Part 2 of our blog series for Questions 2 & 3 of what to ask your mobile banking partner, and to learn about implementing a mobile strategy.
