09:00 AM
Bob Olson, Unisys

5 Myths About Bank IT Security

Banks have to change the way they think about security in the face of more varied and sophisticated threats. Here are five places to start.

The latest Unisys Security Index contains a truly confronting statistic, if you are a retail company or financial institution: Nearly 40% of Americans surveyed say a security breach involving their personal or credit card data would not make them less likely to do business at a bank or store they commonly use.

For one thing, most consumers have no way of judging which company might be safer than the breached one. But it's also a case of "whose ox is gored," and it's not the consumers'. By and large, companies and banks make consumers whole and pay the costs of breaches.

That's why retail companies are a lot more worried than consumers. Recent credit card breaches have caused heads to roll, lawsuits to flourish, customers to leave, and brands to suffer.


Financial institutions, eager to protect their assets, customers, and reputations, are taking note. As they do so, it's a good time to dispel five myths about security.

1. Security is the job of the CISO and his/her team.
No amount of resources or money can keep an institution secure if security isn't an integral part of everybody's job. Whether you are the HR recruiter verifying applicant credentials, the lender scanning customer documents to your smartphone, or the CEO meeting with analysts, there are vital security measures to be incorporated into your mindset and daily routine.

2. Excessive security checks irritate customers.
That claim obscures a more nuanced view that better serves customers, whose security needs are situational. A simple ID check would suffice for low-risk events. Rigorous (but still swift) checks would work for high-dollar or high-risk transactions, when customers want to see strong security. Effective security means dialing it up and down according to the need, whether it's a corporate officer wiring a payment for company payroll or a long-time customer calling for a checking account balance.

3. To improve security, harden the perimeter.
Not to gainsay the value of a hardened perimeter, but it does say, "There's something valuable in here." Many organizations prefer to subtract their valuables from the picture -- to cloak their transactions and activity from the view of anyone not properly credentialed. If, instead of a fence, cybercriminals see absolutely nothing, they have no reason to stick around and try to intrude.

4. The less said about security, the better.
"Banks are supposed to be safe. Why would we draw attention to cybercrime?" Car manufacturers used to be that way about accidents until the carnage became unavoidable and solutions emerged. Now safety is a brand feature for many. The more cybercrime headlines your customers see (at least the 60% who would leave over a breach), the more they will appreciate knowing that security is a cherished feature of your brand.

5. Solve for security in the silo, and you're safe.
OK, maybe nobody explicitly subscribes to that, but it's the default mode for many. Security is assessed system by system, device by device, app by app, and data store by data store. But cybercriminals are adept at exploiting the seams between those securely protected things. That's why some CISOs are adopting an enterprise view with holistic answers that link together all the hotspots exposed to cybercrime: wire transfer, mobile/BYOD, online banking, ATMs, employee hiring and credentialing, vendor credentialing, and more.

Bob Olson is a Vice President at Unisys where he manages the Global Financial Services Practice. He works with clients by providing a portfolio of IT services, software, and technology to help them solve their mission-critical problems. Prior to Unisys, Bob was ...

User Rank: Strategist
7/17/2014 | 1:31:18 PM
#4 The less said about security, the better.
I have to say that I agree with this so strongly.  We have all seen so many gimmick solutions around "helping the end user" be more secure.  Things like SiteKey, Trusteer Rapport, crazy requirements around password, etc.  

Yet... how many FI's opt for an Extended Validated certificate on their site and educate their customers to look so they know they are not being Phished? Why do we have to have multiple "security checks" to login to online banking to look at a balance, but we can't add an escalated level of authentication when they are doing something with more risk (transferring money)?

Just using some basic best practices with education would be so much better than the new shiny.  To educate we need to talk about it.

- Jeremy Neuharth
User Rank: Author
7/10/2014 | 1:17:31 PM
5 Bank IT Security Myths
The 4th myth really stuck out to me. Banks can't keep saying "no comment" when it comes to cyber security. As the headlines pile up around data breaches, consumers will grow more and more protective of their information, suspicious of organizations that aren't forthcoming about their security practices. People will increasingly see "no comment" as equating with "we've got something to hide." And nobody wants to hear that when their money is at stake.
User Rank: Author
7/10/2014 | 9:54:48 AM
Very true, it's a discussion that needs to start from the top.
Anne R Gabriel
User Rank: Author
7/10/2014 | 9:53:26 AM
I agree with Bryan, re: point 1 as everyone plays a role, and the value of the complete list. I'm also partial to point 4, as there's an old saying which suggests knowledge is power - if banks don't talk about security, it won't get addressed as fully as needs be.
User Rank: Author
7/10/2014 | 9:43:31 AM
Point no 1 is a very good one. Security is not something anymore that can just be handled by one division and ignored by everyone else. It requires enterprise-wide commitment.