The Enemy Within
Criminals don't just linger outside of corporate firewalls, however. Banks increasingly are challenged by threats that originate inside their firewalls (see related article, page 12). Employees access sensitive customer data and mission-critical information on a daily basis. Yet many organizations underestimate the threat this can cause.
"Many companies are committed to using firewalls to stop external spam and viruses from entering their network and jeopardizing sensitive customer information," says Brett Schklar, senior director of products and marketing for Vericept, a Denver-based provider of software that monitors the content of network activity and reports potential risks. "Many forget that insiders are also a big risk."
This risk is so great that more than 70 percent of offenders who gain unauthorized access to information systems tend to be employees, according to Stamford, Conn.-based research firm Gartner. More than 95 percent of these intrusions result in significant financial losses.
Of course, not all employees work within a company's facilities. Many banks outsource operations to cut costs and create new business opportunities. "These outside, external business partners also are treated as if they reside within the company's four walls," explains Vericept's Schklar.
Yet, they can pose new threats that are not easy for banks to control. For example, contractors often use their own desktops and laptops to access critical internal data. Banks are challenged with how to control the security of the information that business partners and service providers touch, as well as quarantine any bugs that linger on external systems. Most important, these business partners often have a direct, insecure gateway into a bank's corporate network.
"Banks should be considering how to identify any changes or inappropriate behavior from any employee or contractor that touches their network," Schklar says. "At this point, 20 percent of institutions are thinking this way and taking action. However, 80 percent are not."
Castle Rock Bank (Castle Rock, Colo.; $100 million in total assets), is cognizant of these issues as it expands from a single-building community bank to a multiple-location corporation. Its customer base and employee pool are on the rise. Simultaneously, both groups are demanding more access to information on a more-timely basis.
"Both groups are utilizing Internet access, VPN services, online banking services, telephone banking and ATM services," notes Craig Zierdt, the bank's VP, information systems manager. "Yet, these create many more entry points into the bank's systems" and more vulnerability points. "While our IT department tries to comply with regulations that protect data and consumer privacy, monitoring access to all of these systems is too much for a small IT department," he adds.
Building Higher Walls
It is clear that banks need a better line of defense to remain proactive and stay ahead of known and unknown criminals. As a result, many are allotting more capital to information security software that can identify vulnerabilities and strengthen their existing architecture.
"In 1998, banks attributed 2.5 percent of IT budgets to security. By 2003, security accounted for 10 percent of IT budgets," says Jerry Luftman, associate dean and distinguished professor for the graduate IS program at the Stevens Institute of Technology, based in Hoboken, N.J.
Security breaches and compromised IT systems and data are such a concern that corporate CEOs and CIOs rank security technology as one of their top priorities, according to a study by the Society for Information Management (SIM; Chicago), a national group of CIOs that focuses on the development of IT leaders. "This demonstrates how quickly the IT world has changed in the last year," says Luftman, who also serves as vice president of SIM and conducted the survey. "Security was not even in the top 10 last year. CIOs and CEOs face more challenges than ever. By leveraging the rapid changes in IT, they will be in a better position to meet their business goals."
In their quest for better protection, banks are moving away from network-centric information security models and are opting for more application-driven models. "Network-based programs will not fight today's threats," says Jerry Brady, adviser for Secure Software, a MacLean, Va.-based provider of application security technology. "Today's attacks are data- and application-driven. As a result, security officers are moving toward stronger application security."
But banks cannot sacrifice their operations or performance for data security. "Organizations need software that will perform security but will not interfere with the daily flow of events or lose transactions," stresses Adrian Lane, CTO, IPLocks. The San Jose, Calif.-based company offers information risk management solutions.
For Tukwila, Wash.-based Boeing Employee Credit Union (BECU; $5.2 billion in total assets), scalability, adaptability and an affordable price tag also topped its criteria list. "We are cost-sensitive, but we require that our environment is secure in order to keep our assets contained," says Daniel Chow, IT systems and security engineer for the credit union. "Our members' information is the most valuable asset we have. We manage large amounts of data and we need to archive this information so we can protect our members," he explains.
BECU archives customer data on backup tapes because they are small, easily concealed and can store large amounts of data, according to Chow. However, the media also poses a risk. "We need to make sure this information is restorable and retains high data integrity," he says. "Simultaneously, we need a system that will encrypt and protect this data from being used maliciously."