A plethora of high-profile data breaches and concerns about identity theft have put the banking industry on high alert. To secure their information assets, banks must implement a cross-channel, multilayered approach that extends beyond technology.
NALNEESH GAUR, Manager, Financial Services Practice, DiamondCluster Int. (Chicago)
JOHN CARLSON, Senior Director, BITS (Washington, D.C.)
T. KENDALL "KEN" HUNT, Chairman and CEO, VASCO Data Security (Oakbrook Terrace, Ill.)
RAN NUSSBACHER, Business Development Manager, Viisage (Billerica, Mass.)
Q: What lessons have banks learned from recent data breaches?
Nalneesh Gaur, DiamondCluster International: The Anti-Phishing Working Group recently reported that financial services continues to be the most targeted industry sector, growing to 89.3 percent of all attacks in December 2005. Banks have responded by improving customer awareness, improving fraud detection and implementing site takedown services. Other incidents such as stolen laptops and lost tapes also received the media's attention. Most of these incidents resulted in a public relations nightmare for the banks. Nevertheless, banks responded by encrypting backup tapes and prohibiting their staffs from storing customer information on workstations.
John Carlson, BITS: There's a continued focus on improving the controls that financial institutions have internally and with third-party providers, retailers and other organizations that can be a source of data breaches. There's also an increased focus on consumer education on things related to protecting customers from fraud, such as phishing and identity theft. Financial institutions are providing customers with information on steps the financial institution and the customer can take to protect themselves and to deal with identity theft.
Ken Hunt, VASCO: The biggest lesson that we have learned over the past 18 months is that the problem and threats are real. And, unfortunately, once a breach occurs to an organization, the resources used to rectify the situation are significant and substantial. Financial institutions that have already deployed proven security are far less reactive and are methodically and efficiently expanding their usage into new customer segments (e.g., small business and corporate log-in). Financial institutions that were slow to react to a proven security solution over the past 12 months and are doing so to adhere to the FFIEC [Federal Financial Institutions Examination Council] guidelines and/or to protect themselves from fraud are doing so at an aggressive pace. This has used up significant resources. The message is clear: The banks that are reacting to the guidelines and looking to implement the quickest and easiest solutions are merely prolonging the inevitable.
Ran Nussbacher, Viisage: The main lesson is that identity fraud has become "industrialized" - a large-scale professional operation. Therefore, banks can expect to see an increasing amount of stolen and fabricated identities used to establish new accounts, hijack existing ones and perform fraudulent transactions. Moreover, banks must understand that customer data obtained from data breaches and phishing attacks is not limited in its use to the online banking channel. Rather, customer data also is used to create fraudulent identity documents, which are then used at the branch, where the majority of fraud is still committed. Thus, a cross-channel, multilayered approach to identity risk management is needed to successfully prevent identity fraud.