There is no doubt that security and compliance are top-of-mind for financial institutions, and for good reason.
The security landscape is sprawling with threat actors, from malicious and unwitting insiders, hacktivists that rally behind a social cause, well-funded and sponsored industrial espionage and nation state actors. Prolific and sophisticated criminal organizations trade and barter for malware and exploits to monetize customer data.
These include new and evolving malware hybrids like GozNym are designed to steal consumer bank account credentials. Older malware platforms such as Dridex are expanding into ransomware. When combined with phishing, social engineering, and credential harvesting, financial institutions are thrown on the defensive.
Let’s take a look at what has left credit unions and banks, as well as investment, lending, and insurance companies so vulnerable and what can be done to shore up defenses.
- Security is challenging: There are simply too many attack vectors; both internal and external threats and risks: unmanaged BYO, default browser implementations, co-mingled admin access, third-party network access, and Shadow IT to name a few. Even after following best practices and keeping up to date on patches, assessments, and compliance, being right 99% of the time still leaves them open to attacks from highly-skilled and persistent attackers.
- Technological innovation: Innovative and disruptive technologies, like mobile and cloud, have created a hybrid matrix of disparate solutions coupling legacy systems with bleeding edge solutions and have expanded the security perimeter while making it more porous. With the impending growth of IoT, the perimeter will continue to expand and erode.
- Business Trends: Workforce mobilization objectives such a flexwork, workshifting and remote work have led to a proliferation of devices and endpoints no longer under IT control. Endpoints are moving from the traditional trusted network to insecure home, coffee shop, and airport networks.
For financial institutions, which have been the target of criminal enterprise and malware for years, security assessments, auditing, and regulatory compliance are par for the course. A more recent addition has been the FFIEC audit. It’s a formal examination that occurs on average every three to 12 months at every financial institution in the United States. Audits vary slightly for banks vs. credit unions and De Novo (<5 years) institutions are audited more frequently. Audits include grueling reviews of current infrastructure and extensive documentation.
The FFIEC is an interagency council that drives awareness and provides audit guidelines to help make financial institutions less vulnerable and more resilient to cyber-attacks. It shares information to prepare for and respond to cyber-attacks that for example, involve extortion, compromise user credentials, and use malware. It also publishes the Information Technology Examination Handbook and the Cybersecurity Assessment Tool used in auditing.
The auditing guidelines prescribe security controls for several domains including: Authentication, Network Access, Operating System Access, Remote Access, Security Monitoring and Access Rights Management. These security controls map well to the Citrix philosophy of secure delivery of apps and data with the goal of enhancing IT and security operations to reduce risk.
Over 400,000 organizations depend on Citrix to run their businesses. Many of them—including those dealing with highly sensitive information—leverage Citrix to deliver comprehensive and secure access to apps and data.
This includes thousands of financial institutions around the world who rely on Citrix technology solutions for banking and financial services IT to drive efficiencies and security compliance, as well as the top 10 largest global banks, global investment companies, global property and casualty insurance companies, and life insurance companies worldwide.
Citrix supports best practices for risk management across five key pillars of enterprise security:
- Identity and Access: Gain the controls needed to ensure appropriate levels of access based on the user, endpoint, network and security profile of every individual inside and outside your organization.
- Network Security: Provide encrypted delivery of applications and desktops to employees and third parties, enforce network access control and segment networks for compliance and security, and deliver the highest level of service uptime and performance.
- Application Security: Centralize application and operating system patch and configuration management, provide secure access to organizational resources even from employee-owned devices and protect against zero-day and denial of service attacks.
- Data Security: Prevent data from residing on endpoints by keeping it in the data center, address insecure mobile data storage with containerization and data encryption, and ensure secure file sharing.
- Monitoring and Response: Gain the ability to triage user performance degradation and quickly identify the source, rapidly detect misconfigurations and attacks, better comply with regulations and reduce the scope of audits while ensuring uptime and performance.
For more information on Citrix solutions and use cases, please visit Citrix.com/secure and watch our on demand FFIEC and Citrix webinar: REGISTER