ATM Security Starts At The Top
by Mike Ruth, ATM Product Manager, Cummins Allison
According to FICO, the number of U.S. ATMs compromised by criminals rose a whopping 546 percent from 2014 to 2015. The consensus is that this surge is due to criminals rushing to exploit the vulnerability of magnetic stripe cards before EMV migration in the U.S. reaches critical mass and makes skimming unprofitable.
But even when EMV migration is considered complete, ATMs will still hold cash, which criminals will still attempt to steal. And, given sufficient time, tools and determination, they will eventually figure out how.
Get the Board on Board
Fortunately, any organization can improve its ATM security posture beginning with these steps:
Start with the board of directors and upper-level executives. Given the scope of the potential impact from an ATM attack, security must be an explicit part of an organization's enterprise risk management strategy. Make sure senior executives have the information and resources they need to understand the full extent of the organization's ATM security needs and what it will take to address them. Executives don't need all the technical details, but they do need to be able to quantify the risk in order to commit sufficient funding, so that operational teams can craft an effective security policy that covers all threats.
The Federal Financial Institutions Examination Council also recommends that financial institution boards:
Discuss ATM risks at board meetings to ensure that all board members understand threats, and to keep ATM security constantly in focus;
Consider security-related expenses and tools in the annual budgeting process;
Complete a formal risk assessment; and
Conduct regular — not less than annual — employee training on ATM security.
In fact, 59 percent of financial services businesses are investing in training and education programs to better defend against evolving security threats. These organizations recognize the importance of enlisting employees — and customers — to help maintain ATM security.
Make Employees Your First Line of Defense
Employees, customers, and “soft” IP data remain the top three targets of cyberattacks in financial services.
One of the ways cyberthieves target an FI's employees and customers is through phishing: sending unsolicited emails that attempt to get the recipient to click on a link or take another action that gives the attacker an opening to inject malware into the organization's systems and networks.
Phishing remains a top security challenge for the financial services industry, with 31 percent of all phishing attacks targeted at FIs.
Fortunately, informed and alert employees can also be the best line of defense against security attacks. To this end, an organization must:
-Emphasize to all employees the importance of not clicking on unknown emails or ads, even on reputable sites, and train them to recognize bogus emails and ads; and
-Warn employees against using unsecured devices or connecting an unprotected personal device such as a flash drive to company systems.
Additionally, FIs should:
-Establish a formal security training program for all employees;
-Instruct employees to inspect ATMs for physical anomalies whenever they use them; and
-Establish and communicate policies regarding unsolicited emails.
Enlist customers, too
Today, almost everyone is aware of security and data protection, and ATM scams are regularly documented in the media.
Still, it’s important not to allow others to dictate the message your patrons receive. Communicate with your customers and let them know that you are continually working to make your ATMs more secure. Some FIs use ATM idle screens to convey anti-skimming messages and to remind users to check for foreign devices on the ATM.
While you don’t want to raise undue fears or concerns among ATM users, you do want them to know that you understand potential threats and have taken the necessary measures to ensure ATM security.
Don’t wait until you’re on the defensive, either. Let your customers know upfront what you’re doing and enlist their support.
Plan For Contingencies
In the event that an ATM security breach does occur, proactive planning can save valuable response time and lead to faster containment and resolution of the incident.
To develop a tailored ATM security plan, the organization must:
-Understand the vulnerabilities of its ATMs in order to determine what capabilities should be deployed to prevent damage, detect intrusions and provide alerts when potential threats are identified. For example, machines that sit inside guarded lobbies have a different risk profile than machines that sit on an island with no video surveillance;
-Determine which specific performance metrics will allow the organization to accurately assess the impact and effectiveness of security initiatives. With metrics identified, you can strategically define and prioritize security measures that will allow you to lessen critical vulnerabilities and minimize the impact of a breach;
-Do the necessary research to make your plan unique to your FI. An organization’s structure, governance, culture and risk assessment can all have a significant impact on its ATM security plan. Review the various security frameworks available and identify the components that are most applicable for your organization; and
-Include your ATM vendor. Most, if not all, ATM vendors have security guidelines available that provide a best practices approach. True ATM security is all about understanding the big picture, the breadth and depth of threats, and how all of the parts of your ATM infrastructure fit together. Your ATM vendor can be a valuable contributor to this planning process.