Although ransomware has been a threat for organizations across diverse industries for decades, we are all aware that recently it has reached a prominence on the international stage never seen before – with multiple headlines and supply chain disruptions that affected millions of Americans. Not surprisingly, both bankers and regulators have taken up a renewed interest in how financial institutions can better protect themselves from this nightmare scenario.
The term “air gapping” is now the new buzzword from regulators and examiners and even appears in the recently released Ransomware Self-Assessment Tool.
While air gapping is not a panacea for ransomware, understanding and implementing an “air-gapped” solution is undeniably a best practice for community financial institutions and should be a high priority. Certainly, recent events suggest that ransomware attacks will continue to rise in both frequency and ransom demanded.
The concept of air gapping is to store sensitive data in a separate location that remains inaccessible if the bank’s or credit union’s network is compromised and its files and other data are encrypted. Technically, backing up to tape is an air-gapped solution and is good for long-term archival storage, but it lacks the speed and flexibility needed in today’s always-on world. No one is arguing these days that accountholders are becoming more patient when it comes to a bank’s or credit union’s network being down.
One air-gapped solution that is gaining wide attention is to have copies of the bank’s or credit union’s servers backed up to a separate network on a separate domain with retention. The organization’s network only has access to backup data through the application, using separate credentials that don’t have permission to delete or restore the encrypted data. Restoring the data requires administrator credentials used through a portal, and even those credentials, because of the retention rules, cannot delete data that has not expired. If backups are stored electronically and are inaccessible from the financial institution’s network, the data is safe and cannot be encrypted. This in turn means that if a bank or credit union becomes the victim of ransomware, the institution, depending on the backup solution, should be able to quickly restore the data with minimal or no loss of transactions. Jack Henry’s Centurion Data Backup & Recovery services have been leading the way in implementing air-gapped architecture for the past several years.
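The separation rules described above can be written down as a configuration check. The following is an added example, not code from the article or from any vendor product; the data model, field names, account names and domains are all assumptions made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class Credential:
    name: str
    used_from_production: bool  # credential lives on the institution's own network
    via_portal: bool            # credential is usable only through the restore portal
    permissions: frozenset      # subset of {"write", "restore", "delete"}

@dataclass
class BackupTarget:
    domain: str
    retention_days: int
    retention_locked: bool      # unexpired data cannot be deleted by anyone
    credentials: tuple

def audit_air_gap(production_domain, target):
    """Return findings where the target departs from the design described above."""
    findings = []
    if target.domain.lower() == production_domain.lower():
        findings.append("backup target is on the production domain")
    if target.retention_days <= 0:
        findings.append("no retention period configured")
    if not target.retention_locked:
        findings.append("unexpired backups can be deleted")
    for cred in target.credentials:
        if cred.used_from_production:
            # Production-side credentials may write backups, nothing more.
            for op in sorted(cred.permissions & {"restore", "delete"}):
                findings.append(f"{cred.name}: production-side credential may {op}")
        elif "restore" in cred.permissions and not cred.via_portal:
            findings.append(f"{cred.name}: restore is possible outside the portal")
    return findings

# Constructed sample configurations (hypothetical names and domains).
WEAK = BackupTarget("corp.example", 0, False, (
    Credential("svc-backup", True, False, frozenset({"write", "restore", "delete"})),
))
HARDENED = BackupTarget("vault.example", 30, True, (
    Credential("svc-backup", True, False, frozenset({"write"})),
    Credential("vault-admin", False, True, frozenset({"restore"})),
))

if __name__ == "__main__":
    for label, target in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_air_gap("corp.example", target) or "no findings")
```

The weak configuration fails every rule in the paragraph, while the hardened one keeps write-only access on the production side and restricts restore to a portal-only administrator account.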
Another example of air gapping can be seen through Sheltered Harbor®, a not-for-profit, industry-led initiative under the Financial Services Information Sharing and Analysis Center (FS-ISAC) umbrella dedicated to enhancing financial sector stability and resiliency. It is an initiative designed to protect consumers, and public confidence in the financial system, if a cataclysmic event like a cyber-attack causes critical systems – including backups – to fail. Jack Henry recently launched SecurePort to provide a data vaulting solution that transfers the organization’s critical data, which includes deposit account records, customer records, customer-account records, holds records and sweeps records, into a secure data vault storage solution. The data vault is encrypted, unchangeable, and completely separated from the organization’s infrastructure (air-gapped), including all backups.
Whether or not your Board of Directors or IT Steering Committee is actively discussing ransomware prevention strategies, all bankers need to fully understand the potential risks and conduct an evaluation of what air-gapping solutions are available that can meet the organization’s needs and allow everyone to sleep better at night.