Ming Chow, E02, E04, a lecturer in the School of Engineering who specializes in web security, has some answers
First, a disclaimer: I’m not an expert on bank data security, never having worked in that sector, but I know about it as I have good colleagues and friends who work directly with bank data security.
The easy part to explain is the attackers—I hate the word hackers. They largely get in via social engineering or by exploiting human weaknesses, which includes phishing (stealing personal information by masquerading as a trustworthy entity), determining weak passwords, just asking account holders for sensitive information, and so on. Worst of all, there is the insider.
All these things show the overall sad state of security today. Customers are still largely misinformed about basic computer security and often, quite frankly, don’t care enough about it. Banks aren’t much better, either. Part of this is because it is much easier to be the attacker than the defender when it comes to securing data. How businesses like banks keep their data secure varies, and the answer often depends on the size of the company. Typically, the smaller the firm, the worse the security, because of limited financial resources and a lack of basic understanding of computer security. Mom-and-pop businesses are hit all the time. Larger firms, especially financial companies, place greater emphasis on data security. They do this through a number of technical and non-technical mechanisms.
Non-tech mechanisms include shredders, privacy screens for computer monitors, employee training and complying with existing laws. For example, federal laws mandate that certain businesses and institutions protect the security and privacy of personal data, including the Health Insurance Portability and Accountability Act (HIPAA). The Gramm-Leach-Bliley Act requires that financial companies explain their information-sharing practices to their customers and safeguard sensitive data. Any business that works with payment cards should also follow the Payment Card Industry Data Security Standard, which concerns safeguarding the privacy of personal information. Adhering to it is mandatory in Massachusetts.
Technological solutions include firewalls, access control systems, intrusion detection systems, reporting and monitoring software and so on. Big institutions, especially financial firms, spend billions on security, but how effective these measures are is another question. They are only tools, which means people will always find a way to defeat them or otherwise get around them.
One thing I am happy to see is that many companies and institutions are putting greater emphasis on building good and secure software in the first place, instead of relying on software security solutions after the fact.
This is something I do in my software engineering class: make students think about how an attacker can break into the software, and then make sure they account for those attackers. Unfortunately, too many software engineers still don’t think about security or about the bad guys. That’s the reason why so many software applications don’t work as intended, fail, require patches and are exploited by attackers (see Windows).