Q: What are the biggest threats to information security for banks?
Jim Brockett, Washington Trust Bank: The biggest threat is identity theft perpetrated through resources that are internal to the organization. Our industry has spent a significant amount of time and money beefing up our perimeter security to detect and prevent intrusion. However, we still have a ways to go in applying technologies that will allow us to mitigate the internal threat, particularly if that threat has legitimate access to the information.
Richard E. Mackey Jr., SystemExperts: Financial organizations used to invest most of their security dollars into protecting the perimeter -- trying to keep the bad guys out. But the attackers and the attacks to steal identity and financial account access have become more sophisticated. Banks have to try to protect themselves from two growing external threats: compromise of clients' desktops by viruses and Trojan horse programs (directly affecting the ability of the organization to authenticate users), and direct attacks against application vulnerabilities.
Q: Are banks investing in the right solutions to protect customer data?
Brockett, Washington Trust Bank: Yes in terms of the external threats, and no in terms of the internal threats. We need to apply technologies to monitor and prevent information from leaving the bank in any way that violates policy. We need desktop and network-resources monitoring to ensure policy enforcement and prevent violations from occurring. With that, we need better forensic tools to understand when something goes wrong and how it happened in order to prevent further occurrences.
Troy Smith, Aon Consulting: The largest banks are making major investments with respect to information security. This includes access control technologies, network perimeter security and back-office application security controls. The leading banks also are conducting stringent background checks of employees and ensuring segregation of duties to prevent collusion and cyber fraud. Also in the banking community's favor is the general increase in end-user computer sophistication and awareness of the need for good security. Customers are becoming much more cautious with respect to online transactions and protecting their passwords.
Jason James, Happy State Bank: There is enough information out there, enough vendor selection geared toward all sizes of banks and enough examples of what goes wrong when measures are not taken that banks today have no excuse for not taking multiple initiatives to secure customer information. First and foremost is taking common sense approaches to security -- for example, shredding any documents that are to be disposed of, utilizing screen savers and complex passwords for systems access, virus protection, and -- the most basic but most effective of all -- employee security training.
In addition, we utilize the typical security measures from an electronic approach (e.g., firewalls, intrusion detection systems, and ongoing internal and external vulnerability and penetration assessments). Depending on the size of the institution, it may not be feasible and even can be cost prohibitive to have an entire security staff on board, so there are vendors out there that provide cost-effective solutions for implementing security programs that meet and sometimes even exceed what the human security professional can accomplish.
Mackey, SystemExperts: Financial organizations are investing in more-sophisticated authentication services and technology to gather more information about customers before they create their first account. By having background information, they can do better than ask the common questions, such as mother's maiden name. They also are trying to narrow the attack possibilities by gathering information about the systems that clients use to access their accounts. Users are asked for more information if they are not logging in from home, for example. These mechanisms can frustrate many of the password theft attacks that have arisen from viruses and Trojan horses.
Some of the most-effective investments are those that help developers to use a consistent and secure identity and access-control model across applications and businesses. Rather than allowing each application to have its own authentication and access control, most organizations are centralizing identity authentication and taking much of the security logic out of applications. This can provide a more consistent user interface, more robust application security and better opportunity to integrate improvements as they become available.
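As an added illustration of the risk-based login checks Mackey describes (asking the customer for more when a login does not come from a usual device or the home network), here is example code that is not from the panel or any bank; the customer profile data, the challenge flow and the `assess_login` name are assumptions:

```python
"""Risk-based step-up login decision (constructed example, not from the panel)."""
import ipaddress
from dataclasses import dataclass

# Constructed profile data standing in for what a bank would record about a
# customer's usual devices and networks (assumed schema, sample values only).
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}}
HOME_NETWORKS = {"alice": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass(frozen=True)
class Decision:
    outcome: str       # "deny", "allow" or "step_up"
    reasons: tuple     # signals that made the attempt look unfamiliar


def assess_login(user, device_id, client_ip, password_ok):
    """Return a Decision for one login attempt.

    A wrong password is always denied. A correct password from a known device
    on the customer's usual network is allowed outright; any unfamiliar signal
    triggers extra verification (step-up) instead of granting access on the
    password alone, so a password stolen by malware is not enough by itself.
    """
    if not password_ok:
        return Decision("deny", ("bad_password",))
    reasons = []
    if device_id not in KNOWN_DEVICES.get(user, set()):
        reasons.append("unknown_device")
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in HOME_NETWORKS.get(user, [])):
        reasons.append("unfamiliar_network")
    return Decision("step_up" if reasons else "allow", tuple(reasons))


def confirm_step_up(user, device_id, challenge_passed):
    """Record the device once the customer passes the extra challenge, so the
    next login from it no longer raises the unknown-device signal."""
    if challenge_passed:
        KNOWN_DEVICES.setdefault(user, set()).add(device_id)
    return challenge_passed
```

The reasons tuple is what a bank would log alongside the decision, which is also what the forensic review Brockett asks for later needs.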
Q: What steps can banks take to rebuild customer confidence concerning the security of their personal information while also trying to learn more about customers to maximize sales opportunities?
Brockett, Washington Trust Bank: The second part of the question is a business problem, not a technological one. If we can use the information we have about our customers to provide a significantly better value proposition, I believe that customers will not only allow us to use that information, but demand that we do so. It can become an important competitive differentiator.
James, Happy State Bank: The Know Your Customer regulation put the burden on the bank to gather enough information and to monitor statistics in individual customer behavior to know the kind of customer you were dealing with. It helped us to develop personal relationships with the majority of our customers and a level of trust between the bank and the customer that helps us daily with these types of issues.
In addition to employee training, customer training is key -- don't merely inform the customer of what is going on with your bank, but what is going on in the entire realm of IT security. Don't just inform customers on how to protect their banking information, but tell them how to protect all of their personal information in all realms, whether it be password selection (not just for your bank, but any site), shredding and protecting personal information, etc. Let them know that you don't just care about their money, but their well-being as a whole. This type of approach is the best marketing tool available.
Smith, Aon Consulting: Communication and security awareness are huge components of building trust within an overall IT risk program. Banks should be in regular communications with employees, partners and customers (both online and traditional), helping them understand their role in security. Security tips easily can be pushed out to customers, and policies can be articulated and enforced.
Mackey, SystemExperts: Some of the methods financial institutions employ to protect information can be both intimidating and frustrating. However, if the bank educates consumers regarding how the information was gathered and how it is used and protected, they may be more comfortable. Users may also be willing to accept differences in authentication techniques if the bank explains the reasons for the difference.
Q: What are the latest identity management technologies available to banks? Do biometrics have a role?
Brockett, Washington Trust Bank: Specific to identity management, the most promising improvements are being made in the areas of user authentication. We are now beginning to deploy biometric sign-on at the desktop. This will not only provide greater security, but will improve productivity by lowering the number of passwords in use and lowering our help desk calls.
Smith, Aon Consulting: Banks need to authenticate that the person with whom they are conducting a transaction really is who they represent themselves to be. Once authenticated, it is important to only provide access to the minimum level required for the privileges the individual has. Depending on the application and the business needs, two-phase authentication can be an effective way to validate the identity of the user or customer. Biometrics are interesting and can provide some additional security, but there are a couple of challenges. Socially, many people are averse to some types of biometrics -- particularly fingerprint technologies. Also, the biometric solutions can be costly to buy and maintain. For certain extremely high-security applications, biometric solutions probably make sense, though.