How Safe Is Your Data?


Some recent news from cyberspace has been troubling: in February, NASDAQ acknowledged that hackers had broken into a service that handles confidential communications for some 300 corporations; WikiLeaks publicly threatened Bank of America with the exposure of its confidential data; and the Internet Crime Complaint Center reported that U.S. consumers lost $560 million to cybercrime in 2009.

Some computer security experts consider financial services providers easy targets for online criminals.

‘Financial services companies are not great at IT issues,’ says Cliff Rossi, a professor and executive-in-residence at the University of Maryland's Center for Financial Policy. ‘It is not a core strength for them, though they are getting better.’

Yet there are those who believe the situation is not that severe.

‘So far, we must be doing a halfway decent job as an industry,’ says Keven Smith, CEO of Mortgage Builder Software, based in Southfield, Mich. ‘After all, there is not a lot of news of data getting out.’
Joshua Corman, research director of the enterprise security practice at The 451 Group, headquartered in New York, compares the industry's computer security efforts to airport security measures: they react to surprises after the fact rather than working to anticipate them before they occur.

‘It is still a very nascent market, but it is not very scientific at all,’ he says. ‘Companies are still figuring things out and reacting organically to changes in the market.’

So how can the industry improve its computer security efforts? It would appear there are at least three key areas where IT safety can be strengthened:

  • Acknowledging that there is reason for concern;
  • Addressing shaky technology practices; and
  • Dealing with wobbly internal IT policies.

It can happen here

Although some people may believe that serious threats to IT security are the concern of larger institutions like NASDAQ or Bank of America, the problem can impact companies of any size. Jeff Williams, CEO of Aspect Security, based in Columbia, Md., notes that smaller financial institutions are far more vulnerable to IT-based attacks.

‘In general, they are not as good as the larger organizations when it comes to computer security,’ he says. ‘Larger companies can afford at least one person to focus on application security. Most smaller organizations don't write their own computer security code – they buy it from other companies.’

Within the industry, it appears that consistency in computer security is lacking.

‘It varies, depending on mortgage banking operations,’ says Jonathan Corr, chief strategy officer for Pleasanton, Calif.-based Ellie Mae. ‘Many folks try to take it on by themselves and make sure they have processes within their technology and internal data centers to protect the flow of information. Some are secure, but others have issues, loopholes and exposures.’

‘Any company is vulnerable,’ says Smith. ‘When you have customer data, everybody is a target.’

At risk are not just the companies, but also their customers.

‘End users are increasingly targeted,’ says Paul Zimski, vice president of solution marketing at Lumension, based in Scottsdale, Ariz. ‘No one is really managing the end users, and that's where you find some chinks in the armor for malware, phishing and other attacks.’

‘I feel it's the users who fail when it comes to online financial safety,’ says Rob Rosenberger, an independent computer-security consultant based in Columbia, S.C., and editor of Vmyths.com. ‘Any amount of security annoys them. You cannot convince them to use a different password for each site. They don't care if their computer is infected with malicious software when they surf to a financial site.’

Old tech, bad tech

Another key problem with IT security lies in technology practices that are inadequate or worse. Smith points out that too many companies do a poor job of data storage.

‘There is a lot of old technology out there, with people housing data on laptops or remote computers,’ he says. ‘We may think of a server room as secure and locked down, but there are desktops all over an office, home or remote locations that are much less secure – and customer data could be stored on them.’

And then there is the question of Internet access, which can be seen as an open door for intruders.

‘In this day and age, I'm shocked to see Windows XP with Internet Explorer 6 still running on corporate desktops that have auto updates turned off and locked down so that IT can manage the infrastructure,’ says Eric Robichaud, CEO of 401 Consulting, based in Woonsocket, R.I. ‘Yet there are more holes in IE 6 than there are in Swiss cheese, so this 'security' measure backfires. While IT departments do their due diligence and work on planning out coordinated mass upgrades for next year's IT budget, end users are out sprinting around on the Internet with old, vulnerable browsers full of security holes.’

Robichaud adds that while many companies fear the unwanted arrival of hackers, the threat is changing shape.

‘It's becoming more common for hackers to abandon the head-on frontal attacks – since firewalls and intrusion detection systems have kept pace and keep the network fairly well protected – and look to 'social engineering' tactics to attack from the periphery,’ he says. ‘They might steal a laptop that's used by an employee with high-level access, or send out spam e-mail blasts that are engineered to trick people into thinking it's from their bank, with links back to a fake site that looks like their bank but really just captures usernames and passwords and then forwards them onto the real site so that they eventually get into their usual accounts on the second attempt, none the wiser.’

Jim Harper, director of information policy studies at the Cato Institute, based in Washington, D.C., warns that professional criminals are more interested in gaining data without making spectacular assaults on the corporate IT system.

‘Hackers have evolved from low-level vandals doing it for sport or graffiti into more sophisticated attackers who are more about making money,’ he says. ‘They don't make money if they collapse the financial services system. Instead, they make their gains by little niggling attacks.’

Harper adds that the emergence of handheld devices and their popularity for mobile banking purposes has created a new avenue for security threats.

‘The financial services industry has a lot of work to do to make sure handheld devices are safe,’ he says. ‘There are attacks that handheld devices are subject to but fixed devices are not.’

‘Smartphones offer a unique set of security challenges,’ says Robichaud. ‘Data becomes portable, and their small footprint makes them prone to being lost, misplaced and stolen. Even worse, access to data becomes portable. While the productivity gains far outweigh the drawbacks, there are drawbacks, and they must be mitigated.’

The inner threat

However, not every threat to IT security exists outside of an office.

‘Insiders have preferential access,’ says Harper. ‘They know how to get into the system, and it is easier for them to do more harm.’

Rosenberger says that any personnel policy on data handling will be doomed if staff members are indifferent or worse.

‘A realistic policy requires a buy-in from the employees,’ he says. ‘You can spout all the policies you want, but if the employees openly ignore it, there's really not much you can do. You can demand disciplined computer use all you want, but if the employees don't care about discipline, there's really not much you can do – short of a catastrophic wake-up call.’

Arturo Gonzalez, chief operating officer of Platinum Data Solutions, based in Aliso Viejo, Calif., also recommends strengthening personnel policy, with a particular focus on new employees who join the company.

‘As you hire people, this should be a part of the employee package,’ he says. ‘Data security has to be key from the get-go. Policies need to be written with the goal to protect consumer data at all costs. And you need to review your policies – assuming you have policies.’

However, internal danger can also originate outside the office. Robichaud recalls how one employee's off-hours problems resulted in a near-disaster for her employer.

‘I was involved in a hacking/data destruction case that was perpetrated by the angry ex-spouse of a corporate employee,’ he says. ‘He had access to her computer and logged into the corporate website's administration system and deleted a mass of critical data that effectively crippled the website. But all of this activity was logged by IP address, user ID, time stamps and more – it took all of 60 seconds to trace it back to the employee's computer at home, and time-stamp evidence proved that it was done by the spouse who had access while the actual employee was probably elsewhere with an air-tight alibi.’
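The attribution Robichaud describes rests on three things the admin system happened to record: user ID, source IP address and a timestamp per action. The following is an added example, not code from the article or from any company it quotes, of the triage a practitioner would run over such a log: it parses a constructed sample audit log (the format, the field order, the corporate address range, the business-hours window and the delete threshold are all assumptions made for the example), finds a burst of delete actions by one user ID from one source IP, and reports whether that IP is outside the corporate network and whether the burst fell outside business hours.

```python
"""Audit-log triage for a burst of destructive admin actions.

Added example, not code from the article or any company it quotes. The log
format, field names, corporate network, business hours, threshold and the
sample lines below are assumptions made for illustration.
"""

from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of a web admin audit log (not real data).
# Fields: ISO timestamp, user ID, source IP, action, target object.
SAMPLE_LOG = """\
2011-03-04T14:02:11 jdoe 10.20.1.15 login /admin
2011-03-04T14:05:37 jdoe 10.20.1.15 update /pages/rates
2011-03-04T23:41:02 jdoe 203.0.113.9 login /admin
2011-03-04T23:41:30 jdoe 203.0.113.9 delete /pages/rates
2011-03-04T23:41:33 jdoe 203.0.113.9 delete /pages/contact
2011-03-04T23:41:36 jdoe 203.0.113.9 delete /pages/apply
2011-03-04T23:41:40 jdoe 203.0.113.9 delete /pages/faq
2011-03-04T23:41:44 jdoe 203.0.113.9 delete /docs/disclosures.pdf
2011-03-05T08:15:09 asmith 10.20.1.22 login /admin
2011-03-05T08:16:01 asmith 10.20.1.22 delete /pages/old-promo
"""

# Assumed corporate address space; anything else is treated as remote.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local, assumed
DELETE_THRESHOLD = 3                   # deletes by one actor ...
WINDOW = timedelta(minutes=5)          # ... inside this span raise an alert


def parse_log(text):
    """Turn raw log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, target = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "target": target})
    return events


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_delete_bursts(events, threshold=DELETE_THRESHOLD, window=WINDOW):
    """Return one alert per (user ID, source IP) whose deletes reach
    `threshold` within any `window`; the alert carries the evidence
    an investigator would need (who, from where, when, what)."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "delete":
            by_actor[(ev["user"], ev["ip"])].append(ev)

    alerts = []
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it covers `ev`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Collect every delete within one window of the burst start.
                burst = [e for e in evs[start:]
                         if e["ts"] - evs[start]["ts"] <= window]
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "remote": not is_corporate(ip),
                    "off_hours": burst[0]["ts"].hour not in BUSINESS_HOURS,
                    "first": burst[0]["ts"].isoformat(),
                    "count": len(burst),
                    "targets": [e["target"] for e in burst],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_delete_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The output identifies a credential and a machine, not a person: in Robichaud's case the same evidence pointed at the employee's home computer, and it was the time-stamp correlation with her alibi that moved suspicion to the ex-spouse. Shared credentials on a home PC are exactly the gap this kind of log cannot close on its own.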

Robichaud adds that the incident was held up to the full staff as a warning against using a computer for revenge.

‘State police were involved in the investigation, and all details were known and shared with employees after the fact,’ he says. ‘You can bet that every single employee was put on notice that they could be tracked down in under a minute. As the old saying goes, locks keep the honest people honest.’

Of course, not every internal data mishap is the result of deliberate malice. Corr notes that in mortgage banking, the transfer of data among multiple parties can result in genuine accidents.

‘Businesses need to look at every aspect of how employees interact with data, how data is managed and how it is shared with business partners and consumers,’ he says. ‘There is a pretty comprehensive set of things to worry about.’

‘You need to use due diligence to keep ahead of the game,’ says Smith, adding that this effort needs to be in place as long as a company is doing business. ‘It seems to be a constant game with no finish line.’

(Please address all comments regarding this article to Phil Hall, editor of Secondary Marketing Executive, at hallp@sme-online.com.)
