Banks face a difficult challenge in the area of security management. With a growing population of internal and external users accessing an increasing number of applications, the need has grown exponentially for banks to develop a new generation of security tools that can help them better comply with regulations, control access to confidential data and limit identity theft. At the same time, banks are challenged to institute security measures that satisfy users who are demanding both stronger security and ease of use and control -- often competing priorities.
In addition, security management is ever changing. The desire for greater functionality must constantly be supplemented with stronger security measures to offset the risks of each new capability. Moreover, these security measures must be highly nimble; they must be quickly deployed and evolve over time to anticipate and adapt to new threats and emerging risks, as well as satisfy a new generation of customers who want more-personal and customized experiences that match their lifestyles.
Lastly, the single largest security management challenge is the one most difficult to control. According to the 2007 Global Security Survey by Deloitte Touche Tohmatsu, "The greatest root cause of external breaches continues to be the human factor." In other words, banks need to continuously educate and engage customers about their online security. However, customer education is difficult at best because the group most likely to be duped is also the group most likely to not actively seek education or to ignore education initiatives altogether.
What does all of this mean? It means that truly effective security management will require the layering of a number of solutions that focus on people, process, technology and risk. Most important, the management of each layer will need to be based on its context among the diverse capabilities and limitations of the others. When all the layers are combined, it creates a powerful tool that can offer banks a much more successful way to manage their security challenges than any single stand-alone solution.
Why Security Management?
Over the past decade, as new online banking products and communication points were introduced, so were opportunities for fraudulent activity (see timeline below). It is reasonable to assume that new product introductions and the related security challenges will progress hand in hand. As functionality continues to grow, so will criminal initiatives to exploit it (see "Lesson Learned No. 1").
|Lesson Learned No. 1: Evolving Cybercrime
Over the past five years, banks have witnessed a major shift in fraudulent activity. Originally hackers would create worms and/or viruses, such as I Love You, Mamba and a host of others, with the intention of crashing systems and wreaking general havoc. Most of these programs were created as pranks with the purpose of proving to the world how smart the hackers were. Today the focus has shifted. Hackers are now aiming at specific targets with the intention of defeating their security, retrieving customer information and selling it online for a profit. In short, cybercrime has moved from destructive pranks to criminal intent. As a result, security managers have literally become the bank's security guards -- protecting customer identities and accounts in the same way that guards at a brick-and-mortar branch do. This trend has played a key role in security enhancement strategy at most banks.
Large banks are a natural target due to their size and their maintenance of sensitive consumer information and assets. Banks are frequently the target of phishing and spoofing attacks and continue to witness new attacks, such as DNS poisoning (in which a maliciously created or unintended situation provides data to a domain name server that did not originate from authoritative DNS sources) and Man-in-the-Middle (in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection when in actuality the conversation is controlled by the attacker), developed and shared through black market forums, almost weekly. Over the next year malware (software designed to infiltrate or damage a computer system without the owner's informed consent) is likely to become an even greater threat, and banks are already strengthening existing measures and building new measures to combat it.
Banks can ill afford any negative publicity about the security of their financial data. Customer confidence is paramount as persistent security concerns can quickly erode confidence in product channels, decrease profits and lead to defections. We are continuously challenged to find better ways to secure our systems and support our customers' assurance that their information is safe from predators. Developing and maintaining a top-notch authentication and security strategy is the key.