How to Secure Stored Data: Best Practices for Banks


Think about your own attic or garage for a moment. Over the years, you accumulate boxes. Some contain holiday decorations you use once a year, others hold tax returns from a decade ago, and a few might even contain family heirlooms. If you don’t know what’s in those boxes or where they are, you can’t protect them from dampness, pests, or theft.

Community banks and credit unions face a similar, albeit much higher-stakes, challenge with stored data. While cybersecurity conversations often focus on data in motion—transferring funds or sending emails—a significant amount of risk lies in the data that is sitting still. This is the information resting on your servers, filed away in cabinets, or residing on backup tapes.

For bank examiners, how you manage this “data at rest” is a critical indicator of your institution’s health. The FFIEC (Federal Financial Institutions Examination Council) is clear: management must implement policies to govern the secure storage of all sensitive information. But beyond compliance, bank data security is about maintaining the trust your neighbors and local businesses place in you.

Here is a practical look at how to secure your institution’s stored data.

What Do We Actually Mean by “Stored Data”?

Before you can lock it down, you have to define it. In bank data security, stored data isn’t just what’s on your core processing system. It falls into three broad categories:

  1. Digital Data: This is the most obvious category. It includes customer databases, loan applications, and transaction histories sitting on your servers, workstations, and backups.
  2. Physical Media: This is often where blind spots occur. It includes external hard drives, USB thumb drives, CDs and DVDs, and even magnetic tapes if your institution has been around for a while.
  3. Hard-Copy Documents: Despite the push for digitization, paper remains prevalent. Loan files, signature cards, and printed reports stored in filing cabinets or off-site storage facilities are all examples of stored data.

Banks must secure all forms of this data. A common mistake is fortifying the digital network while leaving a box of unencrypted backup tapes in an unlocked manager’s office, or forgetting about a legacy server that was “retired” but never wiped.

It Starts With a Policy (That People Actually Understand)

You cannot rely on good intentions to keep data safe. You need formal, written policies that dictate exactly how sensitive information is handled. According to FFIEC guidelines, management is responsible for owning and enforcing these rules.

Strong bank data security policies should remove the guesswork for your employees. They typically cover:

  • Approved Locations: Clearly state where data can be saved. For example, saving customer PII (Personally Identifiable Information) on a local desktop drive should be prohibited; it must go to the secure network drive.
  • Encryption Standards: Define what data must be encrypted and the specific standards for that encryption.
  • Access Rules: Who is allowed to access the archives? Under what conditions?
  • Retention and Disposal: Data shouldn’t be stored forever. Your policy needs to dictate how long files are kept and the specific method for destroying them (e.g., cross-cut shredding for paper, degaussing for magnetic media such as backup tapes and spinning hard drives). Note that degaussing does nothing to SSDs and USB flash drives; those need a verified cryptographic erase or physical destruction.

You Can’t Protect What You Can’t Find

Once your policies are in place, the next step is getting a handle on what you actually have. This involves two key processes: classification and inventory.

Data Classification

Not all data needs the same level of security. The menu for the staff holiday party does not require the same protection as a commercial loan application. 

By classifying data, you ensure you aren’t wasting resources locking down non-sensitive files while leaving critical assets under-protected.

The Data Inventory

An accurate inventory is your map. You need to know exactly what data exists, where it is stored, and who owns it. If you don’t know that a branch manager is keeping a spreadsheet of high-net-worth clients on a personal tablet, you cannot secure it. Regular audits are necessary to update this inventory, as new data is created every day.
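One way to seed that inventory is a discovery scan that walks a file share and flags files that contain obvious PII patterns. The script below is an added illustration, not from the original article; the share contents, file names, and regex patterns are constructed for the example, and the Luhn check is there to keep random 16-digit strings from being reported as card numbers.

```python
"""Added example: a minimal data-discovery scan for building a stored-data
inventory. Not from the original article; file names and patterns are
constructed for illustration."""
import os
import re
import tempfile
from dataclasses import dataclass

# Patterns for two common PII types found in bank files. The SSN pattern is
# deliberately strict (NNN-NN-NNNN with invalid area/group numbers excluded);
# the card pattern is loose and is confirmed with a Luhn check.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    classification: str   # "restricted" if PII found, else "internal"
    ssn_count: int
    card_count: int


def classify_file(path: str) -> Finding:
    """Read one file and classify it by the PII patterns it contains."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        text = f.read()
    ssns = SSN_RE.findall(text)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    label = "restricted" if (ssns or cards) else "internal"
    return Finding(path, label, len(ssns), len(cards))


def scan_tree(root: str) -> list:
    """Walk a directory tree and classify every regular file under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.append(classify_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)


def demo() -> dict:
    """Build a constructed sample share, scan it, and return {filename: class}."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files
            "holiday_party_menu.txt": "Appetizers: shrimp cocktail\nMain: roast turkey\n",
            "loan_app_4471.txt": "Applicant SSN: 123-45-6789\nRequested amount: 250000\n",
            "card_dispute_notes.txt": "Disputed card 4111 1111 1111 1111, merchant XYZ\n",
            "order_number.txt": "Ref 1234 5678 9012 3456 (not a card; fails Luhn)\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as f:
                f.write(body)
        return {os.path.basename(f.path): f.classification for f in scan_tree(root)}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{label:10s} {name}")
```

Point `scan_tree()` at a real share and the output is a first-cut inventory with a classification per file; the inevitable false positives and negatives are why the result is a starting point for the data owners to confirm, not a finished inventory.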

Layered Controls Provide the Strongest Level of Security

Defense in depth is the standard for a reason. To secure stored data effectively, you need to implement three types of layered controls in your bank data security.

Physical Controls

These are the barriers you can touch. For digital data, this means locked server rooms with access logs. For physical media and paper, it means fire-resistant filing cabinets and restricted access areas. If an unauthorized person can walk in and grab a hard drive, your firewalls don’t matter.

Logical Controls

These are your digital barriers. Strong, complex passwords are the baseline, but they are rarely enough anymore. Multi-factor authentication (MFA) should be standard for accessing systems containing sensitive stored data. Additionally, role-based access with least privilege ensures that a teller cannot reach the archived loan files a loan officer works with unless that access is necessary for their job.

Environmental Controls

Threats aren’t always malicious; sometimes they are elemental. Environmental controls protect your stored data from fire, flood, and power loss. This includes fire suppression systems in data centers, climate control to prevent hardware overheating, and uninterruptible power supplies (UPS) to prevent corruption during power outages.

Locking Down High-Risk Assets

Some data is simply too valuable to leave to standard protocols. System documentation, application source code, and production transaction data require “integrity protections.”

This often involves cryptographic hashes, digital fingerprints that prove a file hasn’t been altered. If the hash changes, you know the data has been tampered with or corrupted. The caveat is that a hash only proves anything if the recorded value is kept somewhere an attacker who can modify the file cannot also modify it: store the hash list on a separate system, or seal it with a key (an HMAC or signature) held by the data owner or audit team.
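The following is an added example of that pattern, not code from the original article: it records a SHA-256 digest per file, seals the list with an HMAC under a key the audit team holds, and then shows both an ordinary edit being caught and a forged manifest being rejected. The file names, the sample contents, and the hard-coded key are constructed for illustration; in production the key would live in a KMS or HSM, not beside the data.

```python
"""Added example: a keyed integrity manifest for high-value stored files
(system docs, source, exported transaction data). Not from the original
article; paths, key handling and the sample files are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: str, key: bytes) -> dict:
    """Record a digest per file and seal the whole list with an HMAC.

    A bare hash list can be regenerated by anyone who can alter the files;
    the HMAC ties the list to a key kept separately, so the manifest itself
    cannot be silently replaced."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            entries[os.path.relpath(p, root)] = sha256_file(p)
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Return {"sealed": bool, "modified": [...], "missing": [...], "new": [...]}."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    sealed = hmac.compare_digest(expected, manifest["hmac"])  # constant-time compare
    modified, missing, seen = [], [], set()
    for rel, digest in manifest["files"].items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
        seen.add(rel)
    new = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in seen:
                new.append(rel)
    return {"sealed": sealed, "modified": sorted(modified),
            "missing": sorted(missing), "new": sorted(new)}


def demo() -> tuple:
    """Seal two constructed files, tamper with one, and re-verify three ways."""
    key = b"demo-key-held-by-audit-not-on-the-file-server"  # constructed; use a KMS/HSM
    with tempfile.TemporaryDirectory() as root:
        export = os.path.join(root, "core_export_2024q1.csv")
        with open(export, "w") as f:
            f.write("acct,amount\n1001,250.00\n1002,75.10\n")
        with open(os.path.join(root, "runbook.md"), "w") as f:
            f.write("# Core restore procedure\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # An attacker appends a transaction to the export...
        with open(export, "a") as f:
            f.write("1003,99999.00\n")
        detected = verify_manifest(root, manifest, key)
        # ...and then tries to hide it by rewriting the digest in the manifest.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["core_export_2024q1.csv"] = sha256_file(export)
        rejected = verify_manifest(root, forged, key)
        return clean, detected, rejected


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "forged"), demo()):
        print(label, result)
```

The third result is the one that matters: the forged manifest has a correct digest for the altered file, so a plain hash comparison would pass, but the HMAC no longer verifies because the attacker did not have the key.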

Furthermore, you must watch who is watching the data. Logging and monitoring are non-negotiable. You should have a record of every user who accesses sensitive stored files.

However, logs are useless if no one looks at them. Security staff, audit teams, and data owners should conduct periodic access reviews to ensure that people who have moved departments or left the bank no longer have access to these critical files.
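As an added illustration of such a review (not from the original article), the script below parses a handful of constructed file-access log lines, compares each access against an HR roster of current departments and an assumed mapping of which departments are entitled to each archive area, and flags accesses by users who have left or whose current role no longer covers the data they touched. The log format, roster, and entitlement table are all assumptions for the example.

```python
"""Added example: a periodic access review over constructed file-access
log lines and an HR roster. Not from the original article; the log format,
roster and department-to-data mapping are assumptions for illustration."""
import re
from datetime import datetime
from typing import Optional

# Constructed log lines in a syslog-like shape: time, user, action, path.
LOG = """\
2024-03-04T09:12:41Z user=jsmith action=READ path=/archive/loans/2019/app-4471.pdf
2024-03-04T09:15:02Z user=tjones action=READ path=/archive/hr/payroll-2023.xlsx
2024-03-04T10:03:55Z user=mlee action=READ path=/archive/loans/2021/app-5102.pdf
this line is malformed and should be skipped
2024-03-05T14:22:10Z user=rgarcia action=READ path=/archive/loans/2019/app-4471.pdf
2024-03-06T08:00:00Z user=svc_backup action=READ path=/archive/loans/2019/app-4471.pdf
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+)$")

# Constructed HR roster: current department per active user.
# Users who have left the bank are simply absent.
ROSTER = {
    "jsmith": "lending",
    "tjones": "teller",
    "mlee": "teller",        # moved from lending to the teller line last month
    "svc_backup": "service",
}

# Which departments are entitled to each archive area (assumed policy).
ENTITLEMENTS = {
    "/archive/loans/": {"lending", "service"},
    "/archive/hr/": {"hr", "service"},
}


def parse(log: str) -> list:
    """Turn raw log lines into event dicts, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not abort the whole review
        ts, user, action, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "action": action, "path": path})
    return events


def required_departments(path: str) -> Optional[set]:
    """Return the departments allowed into the archive area holding `path`."""
    for prefix, depts in ENTITLEMENTS.items():
        if path.startswith(prefix):
            return depts
    return None


def review(events: list, roster: dict) -> list:
    """Return (finding, user, path) for every access that needs follow-up."""
    findings = []
    for e in events:
        dept = roster.get(e["user"])
        if dept is None:
            findings.append(("departed-user-access", e["user"], e["path"]))
            continue
        need = required_departments(e["path"])
        if need is not None and dept not in need:
            findings.append(("role-mismatch", e["user"], e["path"]))
    return findings


def run() -> list:
    return review(parse(LOG), ROSTER)


if __name__ == "__main__":
    for finding, user, path in run():
        print(f"{finding:22s} {user:12s} {path}")
```

Every finding is a question for the data owner, not a verdict: the departed user may be a disabled account that was never actually removed from the share ACL, and the role mismatch may be an entitlement that should have been revoked at transfer. Both are exactly the gaps an access review exists to surface.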

The Risk in Your Pocket: Portable Devices

In a community bank, officers often travel to meet clients, meaning data travels with them. Laptops, smartphones, and tablets introduce a high level of bank data security risk because they are easily lost or stolen.

To mitigate this, encryption is key. If a laptop is stolen, full-disk encryption ensures the thief gets a piece of hardware, not your customer database. Two caveats: full-disk encryption only protects a device that is powered off or locked with the key no longer in memory, so pair it with pre-boot authentication or a strong screen lock and a short auto-lock timeout, and keep recovery keys in a central escrow, never on the device itself.

Beyond encryption, implement these best practices:

  • Device Access Controls: Strong PINs and biometrics.
  • “Call-Home” Features: Tools that allow a device to signal its location when it connects to a network.
  • Remote Wipe: The ability to delete data from a device remotely if it goes missing.

This is also where a strong Data Loss Prevention (DLP) program comes into play. DLP tools can stop sensitive data from being copied to unauthorized USB drives or emailed out of the network. For a deeper dive into how this technology works specifically for financial institutions, read our guide on DLP solutions in banking and why they matter.

Don’t Forget the Cloud

Finally, many community banks are moving storage to the cloud. While convenient, cloud storage introduces unique challenges: where the data physically resides and which jurisdiction’s laws apply, and who at the provider can reach it and under what access controls.

Just because data is with a third-party provider does not mean you abdicate responsibility. You must verify, in the contract and in practice, that your cloud provider gives you the ability to monitor activity on your data: access and audit logs you can pull into your own monitoring, and timely notification if a backup failed or there was a security incident. In the eyes of the examiner, their security failure is your security failure.

Bank Data Security Is a Continuous Process

Securing stored data isn’t a “set it and forget it” project. It requires constant vigilance, regular updates to your inventory, and a culture of security that starts at the top. By focusing on these fundamentals—policy, classification, layered controls, and rigorous monitoring—your bank can ensure that its most valuable asset remains safe, sound, and ready when you need it.

If you’re concerned about the efficacy of your bank data security, meet with an expert at RESULTS Technology. With experience in the banking IT industry, we can help you find gaps in your data storage and help you become compliant with relevant regulations.