Risk Mitigation for ATMs and IT Assets
Updated: May 21
Consumers increasingly demand online and self-service financial products to support their on-the-go lifestyle. Is your financial institution prepared to ensure your customers’ security for the future?
To compete in today's marketplace, FI's may feel pressure to adopt new technology quickly. While adding new technology benefits both FI's and their customers, it's important to remember that institutional security must remain the company's top priority.
A single data security breach has the potential to put your organization at serious risk for lawsuits, fines, damaging publicity, diminished corporate revenues, and even imprisonment for the individuals involved. This fact makes it critical that your organization’s asset managers understand the issues involved and exercise due diligence in selecting outside partners to manage their asset disposal processes.
THE IMPACT OF DATA & ASSET SECURITY BREACHES
While everyone understands the importance of maintaining security, a 2016 Forrester report suggests over one-quarter of bank executives did not feel confident in their organization's ability to manage and prevent an ATM security incident. Furthermore, in the same survey, forty-two percent said their ATM security challenges were due to, at least partially, having too many ATM brands and devices to manage.
At the core of this issue are three primary trends that FI’s must learn to counter:
How do you 'lockdown' channels while keeping accessibility high? – Providing optimal experiences alongside robust security measures can often feel in conflict.
In a competitive marketplace, increasing efficiency matters – A need for operational efficiency means more reliance on self-service banking. However, ATM security experts are scarce and represent a commitment of limited resources.
Most ATMs are easy targets and can be hacked in under 20 mins, according to recent a report from PT Security.
THE COMMON GAPS IN SECURING YOUR ASSETS
These breaches typically stem from a handful of crucial ATM network security gaps. Below are the most common across the financial industry. While these lapses can be eliminated, they facilitate easy unauthorized access to ATM networks if left unaddressed.
A Lack of Planning – Based on a 2017 PwC study, only 53% of companies maintain a proactive system (and data) management plan - fully, from the very start to the very end of the system's lifecycle.
Lack of Security Between Networks - To protect against threats, financial institutions should install firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), and antivirus software. Well-planned network architecture also requires the ATM network to be separate from the main one.
Outdated Operating Systems - ATMs running Windows XP leave ATM networks exposed due to the absence of patches for these outdated operating systems.
Applying A Blanket Approach to Security - Financial institutions often treat their ATM’s all the same, implementing the same measures on every terminal, regardless of location, age, or usage. A better solution is to conduct an analysis to determine which terminals are high-risk and allocate your limited funds accordingly.
A Lack of Documentation and Testing – When it comes to planning, many associates aren't sure what to do in the immediate aftermath of a breach attempt. Every bank should go through a mock attack exercise, so they can see how and where the triggers happen — or not— to understand what they need to do in the case of a security issue.
ASSET DISPOSITION & RECYCLING
Physical data theft attempts can also occur as the devices are being prepped for disposal and recycling. In fact, there are a few areas throughout the asset's lifecycle process where, without adequate security protocols in place, data is at a higher levels of risks.
IT asset disposition partners (ITADs) must be knowledgeable about securely erasing company data that resides on "aged-out" assets – no matter the plan for the ultimate disposal of the equipment.
This step is critical to the security of the ITAD's customers and partners. It's simply not enough to "wipe" the hard drive of a PC, laptop, ATM, or other IT assets. Full and secure data sanitization is critical to prevent security breaches and data leaks.
ITADs and recyclers who build and maintain robust security policies to safeguard sensitive data will set themselves apart from their competitors. Providing certification of secure erasure proves to customers that they can trust this process (and their ITAD partner) and that wherever aged-equipment ultimately ends up – destroyed, recycled, or reused – sensitive data will not be compromised or sold on the black market.
THE NEED FOR A TRUSTED PARTNERSHIP
In evaluating your organization’s ability to protect assets, ask yourself the following questions:
Do we have in-house security experts knowledgeable enough to defend our self-service channel?
Do they have the time to keep up with evolving attacks and industry standards?
Do we have self-service security personnel struggling to manage the entire fleet?
Do we have a roadmap in place to maintain and upgrade our fleet security measures?
Do we know what type of attacks and defensive measures are coming next?
If the answer to any of these questions is no, it may be beneficial to look to an outside partner for assistance. Be sure to ask potential providers the following about their environmental practices:
Will you destroy the data on our assets before recycling?
Can you de-manufacture our e-waste into parts and properly recycle these pieces?
Are you able to confirm that the e-waste will never be exported, incinerated, or sent to a landfill?
Do the same security and chain-of-custody measures employed during the IT asset destruction process extend to e-waste recycling?
Does your recycling program comply with the e-Stewards or other industry-leading standards?
Today, more than ever, there is a need for banks and businesses to recognize that ATMs require the same levels of security and a commitment to upgrade, when necessary, as every other aspect of their infrastructure.