But monitoring systems for outside threats is not enough; increasingly, banks are challenged by threats that originate inside their corporate walls. Employees have access to sensitive customer data and mission-critical information on a daily basis. Yet many organizations underestimate the damage this can cause. For example, employees who had access to sensitive consumer data -- including Social Security numbers and bank account numbers -- reportedly masterminded security breaches last year at Wachovia (Charlotte, N.C.; $542 billion in total assets) and Bank of America (Charlotte, N.C.; $1.3 trillion in total assets).
As at many banks, Bank of America's associates must adhere to a code of ethics and company security policies, Tara Burke, a company spokeswoman, said in a recent article from The Associated Press. She added that bank associates only have access to the information they need to service customers. In fact, Bank of America spends about $250 million annually on various security measures and protections, Burke related in the article, adding that the main function of hundreds of associates is exclusively to protect information.
However, even these efforts may not be enough. "The only way to adequately control employee access to critical data is to monitor their activity and use authorization methods that authenticate users," says IBM's Rosenoer.
While banks also should follow this advice when providing consumers with access to data, the task becomes more difficult. "The challenge is how to do this in a secure fashion," says Roger Sullivan, VP of business development, identity management solutions, at enterprise software provider Oracle (Redwood Shores, Calif.).
Clearly, a standard password or PIN is not sufficient in today's volatile marketplace. "Long ago, customers were satisfied with this method. It provided easy usability and provided what everyone considered secure access to sensitive information," says Kim Legelis, director of industry solutions, Symantec, an information security software provider based in Cupertino, Calif. However, phishing attacks proved just how insecure this method could be. "People worried about how secure this method was since information could easily be shared," she recalls. "In the end, it was an old-fashioned scam that broke the security of passwords and PINs."
This is a prime example of why the Federal Financial Institutions Examination Council (FFIEC) recommended last October that financial services companies employ two-factor authentication technologies, particularly for online applications. But companies also can benefit from deploying multifactor authorization to manage internal user access to mission-critical information.
Two layers of security could be what kept Wells Fargo's computer heist from turning even uglier. There is no indication that the information stored on the computer has been misused in any way, Alejandro Hernandez, a company spokesman, said in an article that appeared in Computerworld. "The computer has two layers of security, making it difficult to access the information," he commented.
In response to the FFIEC guidelines, many banks are adding physical keys to the authentication equation as a second factor. Some banks may require users to input the code embedded on their bankcard or credit card when accessing systems, and others may issue physical token devices that generate random pass codes. Still other solutions tap biometrics, such as fingerprints, to authenticate users.