Six key steps to protecting a financial services company


Related Links

Extending enterprise security with identity and access management

Information security and fraud management: Stay ahead of the bad guys

Identity theft: Now it is your problem

Windows Vista BitLocker Drive Encryption

Encrypting File System in Windows XP

Few organizations face more or greater security threats than financial services companies. Here are the first and most important steps every financial services business should take to safeguard its customers, protect its assets, and comply with regulations.



In Summary:

Use access management technologies and customer awareness campaigns to guard against identity theft.

Impose strict rules against storing unencrypted customer information on mobile devices.

To prevent insiders from disclosing sensitive data, manage access rights carefully and work only with reputable outsourcing partners.

Banks, capital markets firms, and insurance companies are among the corporate world's biggest targets for cyber-thieves. So it is no surprise that most financial services companies spend heavily on IT security.

On average, financial services businesses devoted 16.3 percent of their IT budget to security in 2006, according to a September 2006 global survey by accounting firm PricewaterhouseCoopers LLP. That compares with 12.9 percent each for the health care and energy industries. Moreover, 55 percent of financial services companies plan to increase their security budgets even further during 2007, the PricewaterhouseCoopers study says.

Yet despite all of that investment, many financial firms remain vulnerable to a variety of significant threats. Assuming they already have basics such as antivirus software and firewalls in place, here are the first six steps that financial institutions should take to help secure their business:

1. Deploy access management systems

No security issue is more important to the financial services industry than identity theft. "Phishing" attacks, in which phony e-mails lure customers into revealing account numbers and passwords, have successfully struck 51 percent of financial institutions, according to a worldwide 2006 study from Deloitte Touche Tohmatsu of New York. "Any [company] in the community banking world that has not yet been the victim of a phishing attack will join the club pretty soon," says Shana Allen, vice president and IT manager at EvergreenBank of Seattle.

Robust access management technologies are the best defense against identity theft. In fact, regulatory bodies are increasingly demanding use of such solutions. For example, in late 2005, the U.S. Federal Financial Institutions Examination Council issued guidance effectively requiring financial services companies to supplement passwords with additional access controls. To date, only 38 percent of firms have complied, Deloitte’s study says, though another 25 percent plan to within two years.

Access management systems come in several varieties. Numerous vendors offer services that check login requests against a list of suspect Internet Protocol (IP) addresses and domain names. If someone attempts to connect from a questionable location, institutions can request extra identification. Other solutions keep track of the computers that customers use to access online services, and ask prearranged security questions whenever someone attempts to log in from a different computer. Still others supplement passwords with a "smart card" or biometric device that customers must connect to their computer and activate any time they wish to access their account. (For more information on Microsoft access management solutions, see Windows Server 2003 R2.)

Bob Egan, research director for emerging technologies at financial services consulting firm The Tower Group Inc., of Needham, Mass., recommends combining background controls with more visible authentication measures. For example, some institutions now assign account holders a secret image, such as a picture of an animal or a flower. When a customer enters his or her username, the login page immediately displays the matching graphic. Since only the financial institution and the customer know which image should appear, seeing the correct picture tells the customer that they are on a legitimate site (rather than a phishing site) and can now safely enter their password. Two caveats apply: customers have to be taught to stop when the image is missing or wrong, and a phishing site that forwards the username to the real site and relays the image back will show the right picture, so the image should be treated as one layer alongside the background controls rather than as proof of the site's identity on its own.
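The following is an added example, not code from the article or from any Microsoft product, showing how the controls described in this step fit together in a single login decision: a suspect-network list, a signed "known device" token, a step-up security question when the device or network is unfamiliar, and the secret-image lookup that happens after the username is entered. The user record, the image name, the 203.0.113.0/24 network, the salt and the token-signing key are all constructed for the demonstration.

```python
"""Risk-based login with anti-phishing image, IP reputation and known-device
step-up. Added example for this article; not code from the article or from
any product. Every user, image, address range, salt and key below is
constructed for the demonstration (assumptions are marked in comments)."""
import hashlib
import hmac
import ipaddress

# Assumption: a server-side secret used to sign "known device" tokens.
DEVICE_TOKEN_KEY = b"example-device-token-key-rotate-in-production"
# Assumption: a vendor-style list of suspect networks (TEST-NET-3 stands in for one).
SUSPECT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
_SALT = b"constructed-salt"  # one random salt per user in a real system


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed customer record: password hash, secret image and a security question.
USERS = {
    "alice": {
        "pw_hash": _pw_hash("correct horse"),
        "secret_image": "sunflower.png",
        "question": "First pet's name?",
        "answer_hash": hashlib.sha256(b"rex").hexdigest(),
    },
}


def secret_image_for(username):
    """Image shown after the username step; None for unknown users.
    A proxying phishing site can fetch this too, so it is one layer, not a proof."""
    user = USERS.get(username)
    return user["secret_image"] if user else None


def issue_device_token(username, device_id):
    """Bind a browser to a user with an HMAC so the token cannot be forged
    or replayed against another account."""
    mac = hmac.new(DEVICE_TOKEN_KEY, f"{username}|{device_id}".encode(), "sha256").hexdigest()
    return f"{device_id}.{mac}"


def device_is_known(username, token):
    if not token or "." not in token:
        return False
    device_id, mac = token.rsplit(".", 1)
    expected = hmac.new(DEVICE_TOKEN_KEY, f"{username}|{device_id}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac, expected)


def ip_is_suspect(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source address: treat as suspect
    return any(addr in net for net in SUSPECT_NETWORKS)


def login(username, password, source_ip, device_token=None, challenge_answer=None):
    """Return 'DENY', 'CHALLENGE' (ask the security question) or 'ALLOW'."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid usernames.
    stored = user["pw_hash"] if user else bytes(32)
    password_ok = hmac.compare_digest(_pw_hash(password), stored)
    if user is None or not password_ok:
        return "DENY"
    risky = ip_is_suspect(source_ip) or not device_is_known(username, device_token)
    if not risky:
        return "ALLOW"
    if challenge_answer is None:
        return "CHALLENGE"
    given = hashlib.sha256(challenge_answer.strip().lower().encode()).hexdigest()
    return "ALLOW" if hmac.compare_digest(given, user["answer_hash"]) else "DENY"
```

After a challenge succeeds, the server would call `issue_device_token` and set the result as a cookie, so the next login from that browser is not challenged again; a token is bound to the username, so copying it to another account's login does nothing.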

2. Educate your customers about identity theft

Education is a critical weapon in the fight against identity theft, so be sure to provide your customers clear guidance on using online services safely. For example, urge customers not to access a Web site by clicking an embedded link in an e-mail, even if the e-mail appears genuine. Account holders should always type a URL into their browser or use a bookmark in their browser's "favorites" list instead.

In addition, to avoid potentially confusing customers about which communications are or are not legitimate, make it policy within your company never to request confidential information, such as a password or account number, through e-mail. Then tell your customers about that policy, so they know that e-mails requesting private data are always illegitimate.

3. Secure all mobile devices

Despite the well-known risk from lost or stolen laptops and cell phones, only 40 percent of the financial institutions in PricewaterhouseCoopers' study had procedures in place for securing handheld and portable devices.

In particular, experts advise that companies require employees to encrypt any customer information they take on the road. Whole-disk encryption (such as Windows Vista BitLocker Drive Encryption, listed under Related Links above) protects everything on the machine, whereas file-level encryption (such as the Encrypting File System) protects only the files that are explicitly marked, so a policy built on file-level encryption has to say which files. Some jurisdictions (including 30 states in the United States) have laws requiring businesses to notify customers if they lose a device containing unencrypted account data, and the embarrassing media coverage that inevitably follows such disclosures can damage a company's reputation.

Local and remote wipe technologies can further improve security. Local wipe tools erase a device's data automatically after a set number of incorrect password attempts, so a thief cannot simply keep guessing. Remote wipe systems allow network administrators to send "kill" messages to lost or stolen devices, erasing all data and credentials. A remote wipe only takes effect once the device reconnects to the network, however, so it complements encryption rather than replacing it.

4. Implement safe hardware disposal procedures

They may not be portable, but desktop PCs and servers store sensitive information too. Yet alarmingly, only half of financial institutions dispose of obsolete hardware securely, according to PricewaterhouseCoopers' research. To ensure that private data on discarded computers does not fall into the wrong hands, overwrite the drive's contents with a secure delete tool (such as SDelete, which can overwrite individual files and a volume's free space). A drive that is leaving the organization should be overwritten in its entirety from boot media and the result verified, rather than having individual files deleted from the running system, since deleting files leaves their blocks on the disk. For added security, you may wish to degauss (de-magnetize) or pulverize old hard drives instead. Numerous vendors provide such "media sanitization" services.
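The following is an added example, not code from the article and not SDelete, showing the two things a disposal procedure has to do before media leaves the building: overwrite the data, then verify the overwrite rather than assume it. The sanitizer writes random passes followed by a zero pass, forces each pass to the device with `fsync`, reads the file back to confirm it is all zeros, and only then unlinks it. The customer record it sanitizes is constructed for the demonstration. The caveat in the comments matters: on a journaling or copy-on-write file system, or on flash media with wear levelling, overwriting a file in place does not guarantee the old blocks are gone, which is why a whole-device wipe from boot media, or physical destruction, is the right tool for a drive that is being retired.

```python
"""Overwrite-and-verify file sanitization. Added example for this article;
not code from the article and not SDelete. Overwriting a file in place is
only reliable on media and file systems that write back to the same blocks;
journaling/copy-on-write file systems and flash/SSD wear levelling can leave
old copies behind, so retire whole drives by wiping from boot media or by
degaussing/destroying them. Sample data below is constructed."""
import os
import tempfile

CHUNK = 1024 * 1024


def overwrite_file(path, passes=1):
    """Overwrite path in place: `passes` random passes, then a final zero pass.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for p in range(passes + 1):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if p < passes else bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the device, not just the page cache
    return size


def verify_zeroed(path):
    """True if every byte of the file reads back as zero."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def contains(path, needle):
    """True if `needle` still appears anywhere in the file (simple residue check)."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def sanitize(path, passes=1):
    """Overwrite, verify, and only then unlink. Raises if verification fails,
    so unverified media is never marked as clean."""
    written = overwrite_file(path, passes)
    if not verify_zeroed(path):
        raise RuntimeError("verification failed; do not release this media")
    os.remove(path)
    return written


def demo():
    """Constructed scenario: a file of fake customer records is sanitized.
    Returns the checks a disposal log would record."""
    record = b"ACCT:1234567890;NAME:Example Customer\n"  # constructed, fictitious
    copies = 2000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(record * copies)
    residue_before = contains(path, b"ACCT:1234567890")
    zeroed_before = verify_zeroed(path)
    written = sanitize(path, passes=2)
    return {
        "expected_bytes": len(record) * copies,
        "bytes_overwritten": written,
        "residue_before": residue_before,
        "zeroed_before": zeroed_before,
        "file_exists_after": os.path.exists(path),
    }
```

A disposal record should capture the same fields `demo` returns: what was wiped, how many bytes, and that verification actually passed, signed off by the person who ran it.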

5. Prevent information leakage within corporate walls

Criminals who engage in phishing and laptop theft are societal menaces, but your own employees can violate security procedures too, often without realizing it. Outright theft of sensitive information by insiders is rare, but inadvertent disclosure of confidential data is not.

Encrypting sensitive files on servers, PCs, and laptops is one good way to keep unauthorized employees from misusing restricted data, although encryption does nothing to stop an employee who is entitled to open a file from forwarding it. Deploying information leak prevention tools (also known as data-loss prevention tools) is another. Such systems scan messages and files as they move across your network and automatically prevent employees from distributing confidential information inappropriately. At a minimum, limit your employees' access privileges carefully: only those individuals who really need access to a given application or data set should get it, and access should be reviewed whenever someone changes role or leaves.
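The following is an added example, not code from the article and not a real data-loss prevention product, showing the kind of content check such a tool runs on an outbound message: payment-card numbers confirmed with the Luhn check (so a 16-digit order reference is not a false positive), an in-house account-number pattern, and a classification marker, combined with a recipient check so that the same content is allowed internally and blocked when addressed outside the company. The `ACCT-` format, the `bank.example` domain and the five sample messages are constructed for the demonstration.

```python
"""Outbound-message content scanner. Added example for this article; not code
from the article and not a real DLP product. The account-number format, the
internal domain and the sample messages are constructed for the demonstration."""
import re

# Card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumption: a fictitious in-house account identifier format.
ACCOUNT_RE = re.compile(r"\bACCT-\d{8}\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
INTERNAL_DOMAIN = "bank.example"  # assumption: the company's own mail domain


def luhn_ok(digits):
    """Luhn check digit validation, so random digit runs are not flagged as cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan(text):
    """Return a list of (finding_type, matched_text) for sensitive content."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", m.group()))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(("account_number", m.group()))
    if MARKER_RE.search(text):
        findings.append(("classification_marker", "CONFIDENTIAL"))
    return findings


def decide(message):
    """message: {'to': [...], 'body': str}. Returns ('ALLOW' | 'BLOCK', findings).
    Sensitive content is blocked only when at least one recipient is external."""
    findings = scan(message["body"])
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in message["to"])
    if findings and external:
        return "BLOCK", findings
    return "ALLOW", findings


SAMPLE_MESSAGES = [  # constructed for the example
    {"id": "m1", "to": ["broker@partner.example"],
     "body": "Please charge card 4111 1111 1111 1111 for the premium."},
    {"id": "m2", "to": ["ops@bank.example"],
     "body": "Please charge card 4111 1111 1111 1111 for the premium."},
    {"id": "m3", "to": ["vendor@partner.example"],
     "body": "Order reference 1234567890123456 has shipped."},
    {"id": "m4", "to": ["agent@partner.example"],
     "body": "Customer account ACCT-12345678 needs a statement."},
    {"id": "m5", "to": ["press@news.example"],
     "body": "Attached: CONFIDENTIAL merger proposal draft."},
]


def run_samples():
    """Decision per sample message id."""
    return {m["id"]: decide(m)[0] for m in SAMPLE_MESSAGES}
```

In a deployment the decision would also be logged with the findings, and "block" would usually mean quarantine for review rather than silent deletion, since the scanner will sometimes be wrong and staff need a path to release a legitimate message.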

6. Monitor outsourced providers carefully

If you outsource important IT functions, as many midsize financial companies do, keep a close eye on your service providers. "With an outsourcer you are bringing in a whole new group of insiders," observes Daniel Blum, a senior vice president and research director at analyst firm Burton Group, of Midvale, Utah. To minimize the security risks associated with outsourcing, Blum suggests the following guidelines:

Look for outsourcers that have an ISO 27001 certification or a SAS 70 audit report, either of which provides independent validation that the provider maintains adequate security controls. Check that the scope of the certification or report actually covers the service and facilities you are buying; a report on one data center says nothing about another.

Whenever possible, work with outsourcers that serve large as well as midsize companies. "The typical small or midsize company does not have time to audit providers carefully, but the bigger companies do," Blum notes.

Make sure outsourcers understand and obey your security policies. Only 53 percent of financial services firms regularly assess their outsourcers' compliance with internal security guidelines, according to Deloitte's research.

Give outsourcers access only to the information they need to do their job. For example, if you are in the midst of sensitive merger negotiations, keep your outsourcers off the server containing the latest proposals.

Though securing your business from attack takes time and effort, financial services companies ultimately have no choice but to make the necessary investments. "It is a trust business," notes William Hartnett, general manager of the insurance solutions group at Microsoft. "People have to trust the systems they interact with." Firms that fail to earn their customers' trust are sure to suffer the consequences.

Rich Freeman is a Seattle-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.


