These days, a bank can live or die on its network. It books all its business over the network, so the network must be secure and it must be fast. It’s not enough for the bank simply to protect and monitor its network; it must also regularly speed up its network by resolving degradation.
North American bank networks are among the most target-rich environments in the world. Those networks transport sensitive financial data, each packet containing enough information to compromise bank customers if intercepted by cyber criminals. Smart bankers are proactive about such matters. Others are not.
The US Federal Government has required banks to test their business systems and technical controls via Penetration Tests (a.k.a. pen tests). Often, it is the compliance department who drives that process because the risk management section of the Bank’s compliance policy requires they take place at regular intervals.
Until now, compliance routines could only point fingers about IT security. The objective of a pen test is to discover problems before the bad guys do. Finding open ports, poor passwords, and unpatched servers and workstations is an important element of the process. The required pen test, by its very nature, can expose the potential for network performance improvements. Unfortunately, at least until after a publicized breach, the value of these penetration tests is often seen as passive: it doesn’t add to the asset side of the balance sheet.
Let’s change that perception. Bank IT compliance routines can bring greater value.
Penetration Tests Deliver Network Optimization Findings for Better ROI
DataComm’s Penetration Tests help banking clients do more than just keep the bad guys out. They help the good guys work better and faster. In a very real sense, DataComm’s Penetration Tests lead to better evaluations, protections, and improvements in security and IT investments.
We include report metrics that can suggest dramatic network performance improvements. There are many ways a pen test can help IT admins realize benefits. For example, it can be helpful to bubble up the QoS configuration of an obscure or isolated router.
Other value propositions address reputational risk. While no balance sheet will say it, the bank’s data and reputation add up to substantial equity that deserves the care and attention our Pen Tests offer.
Confidential Findings and Private Recommendations
DataComm findings are held in strict confidence. We protect our report files by state-of-the-art enterprise security. DataComm recommendations are private and come with no heavy eyebrows and pontification.
Banks that have subscribed to other, competitive offerings cannot report the same. One example is the Department of Homeland Security’s National Cybersecurity Assessment & Technical Services (NCATS). Findings from NCATS may be turned over to the NSA, and recommendations come with the full weight of the US Federal Government. Whether they are right or wrong, it’s hard for a Board to dismiss such weight.
We’ve been in the Bank IT business since FIRREA. We know that most banks spend money on compliance because they have to. We know how to work with Risk Management Teams so they can be proactive about the Bank’s systemic integrity. We know that what goes on in the bank’s network stays inside the bank until the Board speaks. We understand how to be reasonable and practical with IT findings and recommendations.
Banks need fully-qualified penetration tests with the greatest ROI. Our commitment is to deliver professional assessments using the latest tools that, when properly used, can even make the bank more money.
When should you get your Penetration Test done? (How Lucky Do You Feel?)
According to the FFIEC’s Information Security Booklet, the frequency and scope of a penetration test “should be a function of the level of assurance needed by the institution and determined by the risk assessment process.”
The “needed level of assurance” is very high these days. Many of our bank clients have seen fit to revisit their determined pen test schedule based on recent (and escalating) cybercriminal activity. They see little protective value in the language of the FFIEC’s guidance should the news media learn of a bank network breach.
Just a few years ago an annual penetration testing schedule was reasonable. Annual security tests would hold up to scrutiny – public or private. That may no longer be the case. Each month can present a new and unanticipated network risk:
- Researchers find and then publish security vulnerabilities throughout the year
- Patches and updates are regularly posted for immediate deployment to computers, servers, routers, switches, mobile devices, even electronic door lock systems.
- External factors can raise the level of what was previously ranked as a low-risk factor (the “Equifax Effect”).
In addition to threats from the outside, any new infrastructure or devices the bank introduces would require sufficient assessment.
The bank must determine the schedule that best fits its situation. We recommend developing a testing protocol that balances the bank’s distinct IT security priorities with dynamic threat factors. Because our business model suits it, we offer packages to accommodate frequent testing and monitoring of critical assets with less frequent deep dives.
Interested in learning more about how DataComm can help your company with penetration testing services? Click below to request a FREE quote and connect with an expert team member.