A Look at Technology
One technology that is become increasingly popular among banks hoping to minimize the risk of data leaving the institution is data leakage-prevention (DLP) tools. According to "Borderless Security: Ernst & Young's 2010 Global Information Security Survey," 50% of financial institutions plan to increase spending on data leakage prevention technologies and processes, an increase of 7% over the prior year.
These tools seek to keep sensitive information inside the organization rather than protect against external entry, explains David Barton, a principal with consultancy UHY Advisors (Atlanta). Barton notes that USB devices are a particular concern for inadvertent data leakage. For example, a 2010 survey of 500 dry cleaners and laundromats in the U.K. by CREDANT Technologies (London and Addison, Texas) reported that more than 17,000 USB sticks were left in clothes to be dry cleaned.
DLP products have limitations, says Perimeter's Jacquith. While they can effectively block data such as account or social security numbers from being transmitted to removable media, they are less effective at controlling leakage of competitive or intellectual data.
While DLPs can identify sensitive information leaving the organization, banks must first classify what constitutes sensitive data and where it resides, which in today's environment can be anywhere. With so much data to account for, banks must strategically approach data classification, says Deloitte's Powers, since classifying all data may be impossible. "We're seeing financial institutions focus on targeted data classification and mapping for high-risk data," he notes. "Although tools can automate parts of the classification process, it still comes down to manually assessing the risk of data."
Those banks currently using DLP tools are changing how they use them. "Incidents that used to be noted as a warning are now being blocked," explains George (Chip) K. Tsantes, principal, financial services, for Ernst & Young (New York). "We're also seeing more financial institutions reviewing unusual volumes that could indicate that malware has been installed and is scanning the network."
In a somewhat ironic twist, mobile devices and smartphones--the very devices causing security headaches for banks--are also capable of providing a stronger security platform than what's available on personal computers, says Mercator's Peabody. In addition to holding promise for contactless payments, near-field communications (NFC) chips embedded in mobile devices can be used for multifactor authentication.
Although NFC is not yet ubiquitous--and Apple recently announced that this summer's release of the iPhone 5 would not include NFC--Mercator is predicting that 40 million NFC chip sets will be shipped in the North American market in 2011. "Rather than buying a token generator, the chip is already in the hands of the user," says Peabody. "Banks just have to figure out how to get access to the chip and use it for authentication."
Another technology increasingly used by banks is Security Information and Event Management. SIEM solutions provide the same features as event log management tools but go further with event-reduction, alerting and real-time analysis and typically allow users to import non-event information such as vulnerability scanning reports.
SIEM can help find the needle in the haystack, says Chuck Daye, MIS administrator and senior vice president, First National Bank and Trust Company in Chickasha, Okla. ($350 million in assets). The community bank creates more than one million log records per day. Reviewing those records required Daye to log onto many different platforms to monitor the bank's servers, network switches and firewalls.
First National Bank and Trust uses LogRhythm's (Boulder, Colo.) SIEM technology to consolidate those records onto a single console and to search across platforms, enabling Daye to find the root cause of a problem much more quickly than ever. For example, Daye can correlate seemingly unrelated events such as an outside login attempting to gain access to a server with data leaving the server that could signify a possible breach.
In addition, banks are moving beyond encrypting data in use and in motion and encrypting data at rest as well, notes Greg Rattray, senior vice president for security at the BITS technology policy division of the Financial Services Roundtable (Washington, D.C.).
Implementing Risk Management Disciplines
Although technology can be an invaluable tool in the fight to protect data, technology will fall short unless banks apply rigorous risk management, says Craig Spiezle, executive director and president of the non-profit Online Trust Alliance in Bellevue, Wash. Spiezle cites a Verizon/USSS statistic that organizations could prevent 95% of data breaches simply by following risk management best practices.
Unfortunately, risk management at many financial firms falls short. Although 42% of financial organizations have an IT risk management program in place, only 30% have a program that addresses risks from new technologies, according to Ernst & Young.
UHY's Barton concurs. "At many organizations, there is no difference between highly confidential information or fairly innocuous public information," he says.
It's impossible to protect everything, agrees Prism Microsystems' Ananth, so he and other experts advocate taking an approach that strikes a balance between draconian and laissez faire. "You use the Tower of London to lock up the crown jewels, but it would be ridiculous to lock up loose change," he quips.
Ultimately, this is a challenge for banks' top executives. To paraphrase Spider-Man's Uncle Ben, "With great power comes great responsibility." While mobile devices have empowered employees, employees must be taught to use those devices responsibly, says Prism Microsystem's Ananth.
Yet Ernst & Young's security survey found that an overwhelming majority (92%) of financial institutions consider employee awareness of security to be a challenge. Less than half (45%) of respondents said their firms provide training on the risks of mobile devices and only 34% said their companies provide training on social networking risks.
"Ten years ago, the institution was secure, but all of that is out the window today," notes Ernst & Young's Tsantes. "Financial institutions must step up and educate employees continuously. The biggest department in any institution is the security department because all employees belong to it. Everyone can either enhance or erode security through their actions."
Deloitte's Powers makes the case for deploying good technology such as DLP, but also beefing up employee awareness programs and instituting smart policies that recognize the realities of mobile devices. "You need technology to protect data and minimize the incidence of data loss," he says. "But the reality is that those tools must work in concert with good policies and increased awareness of security throughout the organization."