Information security and fraud management: Staying ahead of the bad guys
By Patricia Howell, senior analyst, Financial Insights, IDC Canada
Financial institutions are great movers and repositories of sensitive and valuable data, making them an attractive target for criminals. According to Symantec, financial institutions are among the most frequently targeted industries. The severity of fraud in the financial industry is also often greater, because the industry is more likely to be targeted for profit rather than nuisance. Symantec anticipates that targeted attempts to access information without authorization in the financial services industry will continue to increase, and that the focus of these attempts will become increasingly profit driven.
Against this backdrop, recent events, including well-publicized instances of data loss and security risks, highlight the need for stronger information security management at financial institutions. In addition, new legislation prompted by these rising risks now makes it mandatory for financial institutions to revisit their information security management strategies. This is not isolated to Canada and the United States.
Globally, financial institutions are struggling to keep pace with the increasing frequency and severity of information security risks and online fraud. In fact, security and fraud management is one of the top 10 strategic IT priorities identified worldwide by Financial Insights for 2006. Recent research from Financial Insights’ European practice indicates that security-enhancement technologies, data warehousing, and content/document management technologies are among the top investment priorities for European banks.
Financial services firms have traditionally focused security-enhancement efforts on network perimeter defenses. Complex organizational and sourcing structures and the proliferation of multichannel delivery strategies have led to a collection of point-specific security enhancements that protect an organization’s resources. While this has historically served organizations well, in today's heightened security and regulatory environment, the complexity of these silo-focused security arrangements reduces their capacity to respond effectively to information security risks and online fraud. The lack of an enterprise-level view of security operations puts firms at risk of not complying with existing and emerging regulatory initiatives.
Protecting more than just the network perimeter
Network perimeter defenses still represent an important focus for information security management, particularly for banks. In Asia, the rising popularity of online banking has brought a corresponding increase in the risk of fraudulent activity. This has led several Asian banks to adopt dual-factor authentication. In fact, dual-factor authentication has been mandated by the Hong Kong Monetary Authority, and the Australian Bankers Association is preparing to establish industry standards.
Last October in the United States, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance stating that financial institutions must use effective methods of multifactor authentication, layered security enhancements, or other reasonable controls to mitigate risks to consumers and businesses. Some financial institutions have already demonstrated that they offer strong safeguards. E*Trade Financial recently began offering tokens to its banking and brokerage clients; the tokens produce randomly generated passwords that users must enter in addition to their traditional passwords. ING Direct has added a scrambled PIN pad that changes each time a customer logs in. This thwarts keystroke-logging programs and Trojan horse applications that capture passwords.
Financial institutions face most information security risks and online fraud at the perimeter of the organization’s information network, but employees also pose a significant risk, and this has become even more problematic. Portable USB mass storage devices such as iPods and other MP3 players (capable of holding up to 60 gigabytes of information) have become common in the workplace, enabling individuals to copy sensitive documents and customer databases in a matter of seconds. To increase corporate security against these types of unauthorized access, organizations are looking to digital rights management, security-enhanced documents, and selective encryption as key enablers of information security management.
Taking a holistic approach to information security
Financial institutions want to reduce complexity in information security management by looking at it holistically at the enterprise level. Leading organizations are developing a Security Information Model (SIM) to help simplify the handling of the various information security alerts generated at the perimeter of the organization. The SIM then uses this information as the basis for a detailed, information-centric approach to information security management.
While large organizations have continued to invest in specific security-enhancement controls, some have also focused on business process auditing and reengineering to help ensure that security technologies, policies, and procedures are functioning appropriately at the enterprise level. For example, Bank of Montreal pursued BS7799 certification of its information security management system to mitigate risk to its brand and reputation and to develop Sarbanes-Oxley auditable documentation.
To mitigate penalties, customer and revenue loss, and reputation and legal risks, financial institutions must continue to focus on information security and online fraud management. While protection of an organization’s perimeter will always be important, directly protecting the vast stores of data from threats both inside and outside the organization’s network is essential.
Taking an information-centric and holistic approach and employing a multilevel strategy will ultimately offer financial institutions the comprehensive level of information security enhancements required in today's complex and dynamic global environment.