Hardware encrypted drives protect sensitive customer data even on the move 

By Oscar Escayola Kaloudis, EMEA Flash Business Manager, Kingston Technology

 

Banks and financial institutions are responsible for managing sensitive information every day and across every aspect of the services they provide. Applying good practice to the security of personal financial information is a legal requirement that financial services companies take seriously. The consequences of data loss, a breach, or mishandling can be financially and reputationally severe.

For cyber criminals, however, these organisations are a prime target. A study conducted by the Bank of England last year found that cyber-attacks were the biggest risk to the UK financial system in both the short and the long term, higher even than geopolitical pressures and the risk of soaring inflation. The rewards for attackers are rich: corporate data, IP, bank logins, credit card details and transactional records that quickly allow data to be plundered for nefarious means.

For many financial organisations, the prevalence of cloud presents a further risk. Within the same article, communications regulator Ofcom goes on to state that: “The Bank of England, the Financial Conduct Authority and the Prudential Regulation Authority are considering the systemic risks that the reliance of UK financial institutions upon a small number of cloud providers raises to the stability or market integrity of the financial system of the UK”.


Financial companies already have data loss prevention strategies in place, but these need to be well equipped and constantly updated. Hybrid working practices are now well established and employees are travelling again, which means extending security far beyond the traditional corporate perimeters, like the cloud.

To help counter this, many financial organisations look to “air gap” data and have turned to USB drives and other storage devices to transport it, whether that’s between offices in the same city, from an office to home, or from country to country. Without proper protection, however, information can easily be extracted by cyber criminals if these devices are unencrypted. In fact, even devices encrypted with a software solution will not withstand a brute force attack (repeated attempts at breaking a password), which can crack common passwords in moments and more complex passwords in hours, or a few days at most.

Hardware encryption will help resist attacks 

While it might sound extreme, banks, finservs and fintechs alike now need drives that are enterprise-grade at a minimum, and preferably military-grade, built to resist even the most dangerous and determined cyberattacks, if they are to keep sensitive financial data secure during transportation.

Our recommendation would always be drives, such as IronKey, that are hardware encrypted. Encryption of a USB drive can be performed in either hardware or software. With hardware-based encryption, a dedicated processor physically located on the drive contains a random number generator that creates the encryption key, and that key is unlocked with the user’s password. Software-based encryption shares the computer’s resources with other programs to encrypt data, and the user’s password is the encryption key that scrambles the data. This means that the encryption is only as safe as the computer.

Enterprise-grade drives are designed for use by organisations and professionals. They are certified to FIPS 197, the standard which ensures the drive has correctly implemented AES encryption algorithms to deliver a high security level. As the name suggests, military-grade drives are ordinarily used by government, military agencies and high-level employees for the storage and transport of sensitive and high-value data. The standards these drives meet, such as FIPS 140-2 and FIPS 140-3, will ensure the drive can resist both digital and physical tampering.

These drives have a built-in microprocessor that can detect repeated password attempts and perform a crypto-wipe before a hacker gains entry. Military-grade drives feature a tamper-resistant epoxy construction, making it virtually impossible to attack the components without destroying the drive and the encrypted data it contains.
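The design described in the last few paragraphs, a random key generated on the device, unlocked by the password, and destroyed after too many wrong guesses, can be modelled in a few lines. This is an added illustration, not Kingston's or IronKey's firmware: the `ModelDrive` class, the retry limit of 10, the PBKDF2 parameters and the XOR-plus-HMAC key wrap (a stand-in for a real AES key wrap) are all assumptions.

```python
import hashlib, hmac, secrets

MAX_ATTEMPTS = 10  # assumed retry limit; real drives set their own policy


class ModelDrive:
    """Toy model of a hardware-encrypted drive controller (illustrative only)."""

    def __init__(self, password: str):
        dek = secrets.token_bytes(32)        # random data key, made on the device
        self._salt = secrets.token_bytes(16)
        kek = self._kek(password)            # key-encryption key from the password
        # Only the wrapped key and a check tag are kept; the password is not stored.
        self._wrapped = bytes(a ^ b for a, b in zip(dek, kek))
        self._tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        self.failed = 0
        self.wiped = False

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def unlock(self, password: str):
        """Return the data key, or None on a wrong password or a wiped drive."""
        if self.wiped:
            return None
        kek = self._kek(password)
        tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._tag):
            self.failed = 0                  # a correct unlock resets the counter
            return bytes(a ^ b for a, b in zip(self._wrapped, kek))
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            # Crypto-wipe: destroy the wrapped key so the data cannot be decrypted.
            self._wrapped = self._tag = None
            self.wiped = True
        return None


def guesses_before_wipe(drive: ModelDrive, wordlist) -> int:
    """Count how many guesses the drive accepts before it erases its key."""
    tried = 0
    for guess in wordlist:
        if drive.wiped:
            break
        tried += 1
        if drive.unlock(guess) is not None:
            break
    return tried
```

Because the counter and the wrapped key live inside the device, the number of guesses is capped by the drive rather than by how fast the attacker's computer can try passwords, and after the wipe even the correct password returns nothing.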

Data transported overseas

There is another, often forgotten, element to transporting data. International travellers working for financial organisations can be asked to unlock their devices and submit to them being imaged if they arrive in certain countries. With a laptop or mobile phone, this can mean potentially breaching confidential client data, or their own company’s intellectual property. Using a hardware-encrypted USB drive, however, delivers more data protection than either a phone or a laptop, and if it is retained by the authorities, users can be confident that the stored data will remain protected and inaccessible.

The assets handled by banks and financial services companies cannot only be valued in terms of cost. Financial and corporate data is essential to their operations, and with cyber-attacks increasing in frequency and volume, decision makers need to invest in the right protection mechanisms.

Employees are no longer exclusively office-based; they are on the move, and that means customer data is on the move too. By securing it with hardware-encrypted drives, finservs, whether they operate in one country or span continents, gain a relatively inexpensive way to minimise risk and ensure the safety of the information with which they are entrusted.