Data security, computer crime, Internet scams, terrorist attacks, natural disasters, stolen PCs, data files in the wrong hands, hackers having fun - Call it what you like, but it’s all about protecting against the unexpected.
By Art Gillis
Sep 6, 2006 at 01:59 PM ET

In the early '80s, the banking industry got a wake-up call. Lloyd's of London was underwriting a new rider to their blanket bond coverage - computer crime insurance. To justify paying the huge premiums, bankers wanted to know if they were at risk. So I went to work and developed a program called “39 Steps to Better Security.” The process was simple. I acted out the role of the perpetrator and the bank CIO (and his team) presented installed mechanisms that would block the threat. If they blocked it, they won. If they couldn’t block it, the perpetrator won. That’s how we measured the risk so we could deliver a scorecard to the CEO. The process was published in several banking trade journals (they love things having to do with crime), including what was then known as Bank Systems & Equipment in November 1981 on page 103.

Exposure in the trade press created a lot of feedback, even from an inmate at the Federal Prison Camp in Lompoc, California (I still have his letter). This man had successfully stolen $10.2 million (using a terminal in the bank) from a West Coast bank (since acquired by a very large U.S. Bank). He got caught only because his envious buddy ratted on him. The bank never had a clue as to what happened, but the public announcement was something to the effect that the amount wasn’t large enough to be noticed. The perpetrator used the $10.2 million heist to buy diamonds in Switzerland, but by the time the case was solved and the bank recovered the diamonds, the booty had lost some of its value, presumably because unlike a repossessed Corvette, banks aren’t in the business of selling 115,000 Russian diamonds. And remember, there wasn’t an eBay in those days.

Back to my 39 threats, I often worried about the 40th threat that I had not anticipated, and no one tried to one-upmanship me, not even the inmate who succeeded in overcoming one of my 39 threats. The 39-step program in computer crime prevention occurred long before the Internet. It also occurred prior to the now popular concept of distributed processing where responsible CIOs abandoned sound security policies and released data files to almost any legitimate bank employee who had a need to know. This release of files was also known as “user friendly,” which bestowed to the CIO the honor of being one heckuva good guy.

Today, bankers should worry about hundreds of steps to better security, not just my '80s-styled 39, and the scary part is they’ll never get to the end of the what-if list. In some banks, there’s a lot of skepticism regarding threats, as was clear to me on my first 39-step assignment in New Orleans where the culture is Laissez les bons temps rouler. The conventional wisdom at that bank was, “It’s good in theory, but it won’t happen in the real world.”

After 9/11, I went back to my 39 steps to see if I had included a suicide attack using a commercial airliner to destroy a physical structure. In 1981, I hadn’t even heard of the name al-Qaeda, or the threat of terrorists. So it wasn’t on the list as such, but the following threats seemed awfully close to what happened:

#17 Explosion caused by a bomb (can a fuel-filled jumbo jet be considered a bomb?)
#27 Explosion caused by a misguided projectile (these “projectiles” were definitely guided)
#35 Structural cave-in (where are the Twin Towers now?)

What you should know is that back in the “safe ol’ days” my 39 threats produced chuckles from many bankers, mostly CIOs, who considered the precautions absurd. I’m not blaming them. The CIA, FBI and DOD might have chuckled also even though they are in the business of snooping on potential enemies, the business of crime, and the horrors of war, rather than loans, deposits and payments.

Be careful, it’s a battlefield out there and it’s getting worse because we don’t know where the next hit will come from - Could it be grandma’s wrinkle-free lotion while flying home from a visit with the grandkids?


