Eight Financial Services Security Concerns: Banking on Minimal Breaches

March 16, 2007
Technology services provider EDS identifies eight priorities for security at financial institutions

PLANO, Texas, March 12 -- EDS has identified eight key security risks that should be of utmost concern to financial institutions. The importance of security and operational risk management has grown tremendously due to a variety of factors, including growing regulatory requirements, increasing security risk from insiders and the growing number of data security breaches.

Financial institutions are currently responsible for customer and corporate security at three separate levels: the financial institution (including network and infrastructure all the way to employees and agents with access to data), service providers (outsourced functions must still include management responsibility by the financial institution) and consumers (consumer end-point vulnerabilities can jeopardize a financial institution's security). Financial institutions only have direct control over one or two of these levels, and the rapidly evolving environment is changing the way they approach security and operational risk management. EDS recommends eight risk priorities that financial institutions must consider to minimize the possibility of security breaches.

1. Securing Data Outside the Organization - Since regulators demand that non-public personal information be backed up and stored off-site, risks arise because large banks do not have the infrastructure to support the bandwidth required to move all their data electronically. When tapes or other removable media are the storage medium of financial institutions, dangers can arise through the loss or theft of this media during shipping. The encryption of all data that is moved offsite is crucial, and it should also be mandatory for portable end-user devices such as laptops and PDAs, as well as for all removable media.

2. Security and Privacy Controls of Service Partners - Privacy and security regulations dictate that financial institutions are ultimately responsible for the actions of their service partners. Therefore, a key risk management priority becomes the assurance that both domestic and offshore service providers have adequate security and privacy controls to detect and prevent breaches in the confidentiality and integrity of customer information.

3. Insider Threat - While financial institutions have put appropriate measures in place to protect against external threats, it is generally accepted that the majority of data losses today are the result of the "Insider Threat." Employees or contractors whose roles allow them access to significant personal and confidential information have often been the causes of information loss. However, systemic problems and accidental employee actions are the most frequent forms of potential data loss. Financial institutions need to consider the deployment of data loss prevention tools. These tools can not only monitor and optionally block outbound sensitive communications of all types, but they can also verify that no personal or confidential information has been stored on widely accessible shared drives or Web servers. Many tools also now provide very granular control of end-user devices and can selectively prevent the copying and pasting of personal or confidential information, or its writing to removable media.

4. Wireless Woes - Wireless devices and connectivity are still relatively new to the financial services industry, but they represent additional security complications. Wireless devices improve productivity, increase business agility and reduce costs, but mobile nonpublic information must be secure. Mobile devices are particularly vulnerable, as they are easy to lose or steal, and capable of holding a large amount of nonpublic customer and corporate data. One of the growing risks comes with employees or customers using an unprotected airport, hotel or other public wireless connection. Financial institutions must provide secure communications mechanisms for all of their mobile employees and contractors so that all wireless communications are encrypted and cannot be compromised even when no secured wireless facilities are available.

5. Evolution of Criminal Schemes - To stay ahead of the criminals, financial institutions must take a proactive, rather than a reactive, approach to security. This means constant reassessment and evolution of security efforts. Strengths and weaknesses of corporate policies and procedures, as well as consumer-facing security measures, must be evaluated regularly in order to make appropriate adjustments and encompass the latest technology, criminal and security trends. Today, one of the biggest threats facing financial institutions results from "phishing" attacks. While early phishing attacks were very basic, recent "man-in-the-middle" attacks have become far more sophisticated. Through participation in groups such as the Anti-Phishing Working Group (APWG), financial institutions can collaborate with other organizations to help with the early identification and takedown of phishing Web sites.

6. Identity and Access Management - One of the key challenges facing all organizations today is Identity and Access Management. Ensuring that system and application access is limited to those in roles with a "need to know" is one part of that challenge. This is being addressed through the integration of human resources systems with underlying access control systems. Other areas of rapid development include single sign-on and multifactor authentication. All of these can contribute to making the financial institution's infrastructure more secure from external and internal threats. Federated Identity Management systems will also help alleviate the challenges that financial institutions face with respect to providing system and application access to their business partners.

7. Consumers - They can be careless by using simple passwords, losing their ATM card or writing down their PINs, any of which can lead to unauthorized account access and ultimately fraud. Consumers often do not have adequate or updated security on their personal devices, which can result in security breaches during sessions on their financial institution's Web site. Because consumers recognize that financial institutions absorb the cost of fraudulent transactions, they tend to be less security conscious than they might otherwise be. As consumers continue to be susceptible to scamming or phishing, financial institutions need to constantly educate consumers on the security measures they should be taking, not only to protect themselves, but also to reduce the risk to financial institutions.

8. Regulations - Due to regional variations, financial institutions have varying security challenges based on their geographic location. In North America, highly publicized security breaches and regulatory change are placing an increased emphasis on banks' data security. These recent regulatory changes in the United States have prompted European institutions to step up consumer information protection under the assumption that European legislation will soon be more involved with this widespread concern. Basel II compliance will eventually require all financial institutions globally to tighten operational risk management and mitigation policies and procedures. Most importantly, identity theft notification laws that have been enacted in 36 states have had the greatest impact on financial institutions, with compromised records costing an average of $182 each. In addition, data disposal rules can also lead to breaches, but these can be minimized with new technology, including new data collection methods that allow customers opening an account to never have their documentation leave their sight.