Two years ago, Ken Reed, CEO of Kennebunk Savings Bank in Kennebunk, Maine, faced a dilemma. He was getting pressure to improve data security from regulatory bodies such as the FDIC and its state counterpart, and the institution faced additional IT-security compliance requirements emerging from federal laws such as Sarbanes-Oxley and Graham-Leach-Bliley. These demands left the bank with far too much work for its one part-time IT security employee.
The need for more IT security had been growing along with the bank’s business. With 260 employees, Kennebunk Savings has 13 offices scattered throughout York County in southern Maine. As the area economy—comprised predominately of hotels, resorts, and other vacation-oriented firms—picked up so did the bank’s business. This led to more data files and a greater amount of information to be managed.
Faced with the need to increase IT staff and dedicate more ongoing resources to keep up with computer needs and security demands, Reed instead chose to outsource the bank’s IT security function. “As we moved toward compliance management, we had to shift the entire monitoring process of our IT systems out of risk management,” says Reed. “We decided to try to work with a third party. We were looking for someone who could handle the entire risk management process for IT,” he explains.
Unfortunately, there weren’t that many organizations catering to this need at the time, according to Reed. “We were aware of only a few companies that did this,” he says. “And the ones that did only filled in certain pieces of the puzzle.”
Reed began reaching out to colleagues. He finally found what he was looking for from a member of the Maine Association of Community Banks who recommended Sage Data Security, the company it was using to monitor its networks.
Using its nDiscovery software, Sage Data Security offered a monitoring service that could be customized to meet the bank’s needs. Sage uses the software to analyze thousands of log entries per day. Then, Sage correlates these entries, reviews them for patterns, and presents Reed with a report. “They monitor the system 24 hours a day, across everything that we are running through the mainframe—Internet, internal applications, communications outside the organization, and firewalls,” says Reed.
The bank gets daily and monthly reports, along with immediate notification if anything out of the ordinary comes up. Routine situations, such as bandwidth issues, Sage handles on the bank’s behalf. For all other suspicious or potentially dangerous activity—unauthorized access, malicious applications, or security breaches—Sage identifies the problem and then turns it back over to the bank so that it can handle it.
Another feature Sage offers is comprehensive linking of incidents. “What Sage is good at is capturing security breaches or events and then tying them all together so we can find trends and patterns,” says Reed.
This aspect of the monitoring is the most valuable, according to Reed. Because thieves are attuned to the latest trends and know how to crack the most up-to-date code, the next big scam presents the greatest chance for loss, he says.
Monitoring a system and anticipating trends provides the bank with the biggest payback in preventing future losses. “The real beauty of a service like this is that they can keep pace with the changes,” says Reed. “Sage lets us know when something has happened somewhere else so that we can be aware of it too.”
Reed did not want to disclose exactly what the bank pays for Sage’s services. According to Sage, most of its clients budget between $1,200 and $1,600 per month for a selected set of the company’s services. The company offers four types of services, including monitoring of firewalls, Web servers, Windows logs, and logs for other applications at $400 each. There is also a setup fee that varies depending on the type of organization being monitored.
Since it purchased the nDiscovery service, the bank has not experienced any significant problems. However, Sage did notify Reed of a phishing scheme that was perpetrated on the bank, and then repeated six times. “Sage was helpful in managing that problem,” says Reed. “They gave us advice on how to deal with it on our end.”
Sage has also helped the bank prepare for FDIC audits, which take place every 18 months. IT security compliance is one of the issues that auditors examine. The bank has to prove that the critical information it handles is protected by adequate security and that the security in place is being tested regularly.
“The nDiscovery software tracks that kind of information both internal and external,” says Reed. “Sage was very helpful in getting [us] ready for the audit. We were very pleased with the outcome.”
(For more information: Sage Data Security, Sari Greene, founder, 207/879-7243; e-mail: firstname.lastname@example.org)