Love him or hate him, Julian Assange, the infamous director of WikiLeaks, has heightened awareness of the dangers of sensitive information leaking out of an organization. Although financial institutions have to date largely escaped the fate of the U.S. government and other industries, security experts warn that it's only a matter of time until a bank suffers a major breach from a cyber attack.
Indeed, the largest industry targeted by criminals is financial services, according to the "2010 Data Breach Investigations Report" from Verizon Business (New York) and the United States Secret Service (USSS). Not only did financial services represent 33% of the more than 900 breaches studied over a six-year span, the industry also accounted for a staggering 94% of all compromised records.
Today's cyber attacks are more targeted -- and more dangerous -- than in the past. "Attacks are 'low and slow' in that criminals are pinpointing specific institutions and patiently and painstakingly infiltrating the organization to remove precise data," explains Jonathan Penn, vice president, Forrester Research (Cambridge, Mass.).
Advanced Persistent Threats (APTs) illustrate the persistence of today's cyber criminals. RSA (Bedford, Mass.), which supplies security solutions to some of the world's largest financial services firms, announced in March that data related to its SecurID authentication tokens was stolen via an APT attack. APT has become a euphemism for attacks carried out by sophisticated, well-funded hackers--often linked to the Chinese government--that are executed methodically over long periods of time.
Not only do banks need to protect themselves from criminals outside the organization, they also need to protect against internal information leakage from employees, contractors, partners and vendors. "Someone intentionally taking and sharing information is an incredibly difficult problem to solve," notes Richard Mackey, vice president of consulting, SystemExperts Corp. (Sudbury, Mass.).
The recent media reports of leaked emails from a former Bank of America employee to the online hacker group Anonymous turned into a case of "much ado about nothing," but highlight how easily an information leak can occur.
The internal threat is real: According to Verizon, internal agents caused nearly half (48%) of financial services breaches. However, financial institutions are largely unprepared.
Although 56% of senior security executives are very confident about thwarting external breaches, only 34% display the same confidence about internal threats, according to Deloitte's "2010 Financial Services Global Security Survey."
The Smartphone Dilemma
The pervasiveness of mobile devices complicates security for banks. Employees are clamoring to use their mobile devices of choice at work, but security managers are still struggling to secure new, increasingly powerful devices.
Smartphones in particular are exploding in popularity, presenting the proverbial "good news/bad news" scenario for financial institutions. George Peabody, director of Emerging Technologies Advisory Service at consultancy Mercator Advisory Group (Maynard, Mass.), predicts that 60% of mobile phone subscribers will have smartphones by 2012. Since the criminals "move to where the people are," expect malware to proliferate on iPhones, Androids and other mobile devices, says Peabody.
A.N. Ananth, CEO of security solutions provider Prism Microsystems (Columbia, Md.), describes three approaches banks can take to manage mobile device security. The first approach is to lock down the environment. Doing so, however, can make the carrier less efficient and put it at a competitive disadvantage. The opposite strategy of trust without restrictions, which Ananth calls the "kumbaya approach," increases the risk of a data breach. The middle ground is the best, he argues. "We like the trust-and-verify approach."
One-quarter of banks are taking a hard line on devices while about one in 10 have a generous "bring your device to work" policy, estimates Andrew Jaquith, CTO of Perimeter E-Security (Milford, Conn.), a provider of information security services. The remainder, explains Jaquith, make up the "muddled middle" frantically trying to strike a bargain that allows employees to select their own devices as long as the organization can impose security such as device locking and hardware encryption.
For example, iPhone mobileconfig files allow security settings such as remote wiping, Jaquith says. However, in an effort to download non-approved Apple (Cupertino, Calif.) apps, increasing numbers of users are "jail breaking" the iPhone, compromising device security, he notes.
One group particularly vulnerable to attacks on mobile devices is senior management. The act of targeting executives has even spurred a new moniker: whaling. According to Deloitte, executives who tend to have access to more-sensitive intellectual property are less likely than others in the organization to receive targeted security training. They also tend to get their way: Will a security manager be able to insist that the CEO doesn't use his or her iPhone?
Ed Powers, a principal in Deloitte LLP's (New York) financial services practice, agrees that banks need to take a thoughtful approach to smartphones and other devices rather than banning them. "The way we use technology is evolving so rapidly that the answer isn't just to ignore it; the answer is to understand the limitations of the technology, adopt these technologies responsibly, and continue to monitor and evolve our security programs," he says.
[Ed. Note: In an effort to establish security guidance for mobile devices, BITS, the technology
policy division of The Financial Services Roundtable (Washington, D.C.), recently launched a
Mobile Financial Services Security Assessment Project.]