For companies in the financial space, educating their customers is all about preparation, understanding risks and budgeting for the future. As regulators demand even more from this sector in the face of increasing ID theft and other cyberthreats, financial services companies would do well to heed some of their own advice during the coming year.
"Security within the financial services sector is undergoing a fundamental transformation from invisible to unapologetically obvious," says Jonathan Gossels, president of consultancy firm SystemExperts. "Previously, product managers of online financial services shied away from introducing security technology or imposing security requirements on end-users out of fear that raising security as an issue would dampen acceptance of the electronic channel. An increasingly security-aware user community, highly publicized incidents of disclosure of personal information, and regulatory pressure have combined to catalyze a fundamental change: Users are comforted by well-integrated security measures."
Despite this apparent shift in end-user "expectations and acceptance of security measures," which ultimately helps financial institutions to better "protect their customers, business partners and themselves," these companies still need to go a lot further, he says.
"Most of the highly publicized disclosures of personal information have been the result of data that was lost in storage rather than hijacked in transactions. Security pros within the financial services sector have historically focused on the front-end transaction and have paid little attention to the entire data life cycle," explains Gossels. "It is not surprising that the policies governing the back-end are routinely being shown to be inadequate."
Beyond end-user and customer expectations, regulators have some newer expectations of their own.
In addition to conforming to the mandates of the longer-standing Gramm-Leach-Bliley Act (GLBA), companies in this space must ensure they are addressing the Payment Card Industry (PCI) standards and the Federal Financial Institutions Examination Council (FFIEC) guidance on two-factor authentication. Compliance with these and other regulations that might affect a financial services company is a major ongoing priority.
"The regulators measure me on GLBA," says Dave Cullinane, CISO of Washington Mutual. "We provide health insurance to our employees, so we have to contend with HIPAA [Health Insurance Portability and Accountability Act]. We use COBIT for SOX [Sarbanes-Oxley Act]. We use PCI for cards. I know I will need to be ISO 27001 certified at some point. There are more than 32 state laws on customer notification and five pending in Congress. There are also three laws pending in Congress calling for more stringent security controls and advocating that another group, like the Securities and Exchange Commission, set security requirements. I'm spending money on mapping to regulations that could be better spent on security controls."
Compliance with these regulations, especially in the financial sector, is far from a nice-to-have: it is simply required, whether the regulators present it as guidelines or as directives.
"Banks have been told that we have to be 'in substantial conformance' with the FFIEC guidelines by the end of the year," says Cullinane. "Non-conformance will likely result in fines and reputational risk impacts that no financial institution can afford to take."
On the flip side of the potentially high cost is the practicality of the rule, says Gossels. Specifically, the FFIEC guidance (circulated to banks as FIL-103-2005) gives organizations offering internet-based financial services considerable flexibility in choosing a multifactor authentication system. It also requires a risk management approach, which many financial companies already follow. Nor does the rule require every bank to deploy the more traditional and, some would say, harder-to-deploy technologies.
On top of compliance demands, the bad guys are still out there and they're continually studying up. Threats are simply growing more sophisticated with each day, says Cullinane.
Of course, such expertise is leading to more and more targeted attacks, which are driven by the possibility of big rewards, he adds. And, depending on the attack vector and its duration and overall intensity, such an assault can cripple a company. On top of this, there's the problem of finding help.
"The FBI is not going to drop a million dollar ID theft investigation to help you with your $50,000 phishing attack," says Cullinane.
This underscores the need for a lead security professional on staff and a strong security program built on a standards-based framework. At minimum, says Cullinane, such a program should look to GLBA for governance and oversight, in addition to the PCI Data Security Standard for technical guidelines. The better route, he says, would be a combination of GLBA and ISO 27001/17799, parts one and two.
While developing and maturing such a program, companies also have to look at their possible risks, and that means confronting the "stupid human tricks" we've all engaged in, says Gossels.
"The recent CitiGroup phishing incident subverted a token-based authentication solution," he adds. "In many cases, education and security are more effective at preventing account fraud and identity theft than technology."
On SOA technology
According to Jonathan Gossels: