The board was dumbfounded. Only six individuals were on the circulation list that detailed its confidential deals, and yet details of the company's acquisition plans were appearing on a Yahoo notice board within minutes of being distributed. This was not only embarrassing — it could land them in hot water as the firm was listed on the US stock market. It seemed a little too "James Bond", but someone suggested that they use a little counter-intelligence to try to get to the bottom of it. The decoy message leaked too, but it gave them a lead. The source had to be internal. Sure enough, a disgruntled employee with network clearance was doing the cutting and pasting.
This scenario is just one example of a security nightmare, and not a high-tech one at that. But it illustrates why security tops the list of board concerns in banks.
Phishing is probably the most visible problem at the moment — it is a version of identity theft, achieved most commonly by targeting the customers of banks with e-mails, as if from the bank, asking for logons and passwords. Its success lies in the fact that it only takes a fraction of one percent to oblige the perpetrators. Pretty much all banks have found themselves targets in the last 12 months, including no less an august institution than the Bank of England. Software has been sourced to China, Nigeria, Brazil, Russia, and former countries of the Soviet Union; it involves elaborate scams, covering three continents, which suggests to experts the likely involvement of global crime syndicates.
And customers are not wising up: the percentage of individuals fooled by fraudulent e-mails has risen from 0.1 to 0.5 percent in the last six months which — when spread over, say, one million online customers — translates into 5,000 individuals giving account details away.
How much should security cost?
When phishing is put alongside malicious software, hacks, blended attacks, and so on, then it is obvious that this is a battle that ultimately cannot be won. To date, companies can only take reactive measures against external security threats, like patches and firewalls. These systems do not anticipate attacks but respond to known attacks. So the unexpected is always a risk.
Putting it another way, security is potentially a spending black hole. So what should financial organizations reasonably spend on countermeasures? The average investment will peak at 8 to 12 percent of IT budgets by 2007 in Europe, according to researchers at Meta Group. "Security teams must model overall investment to track parity with industry peers and account for the cost of satisfying compliance requirements for managing information risk," says Tom Scholtz, vice-president with Meta's Security & Risk Strategies advisory service.
But more can be done than just spending. The key is to ensure that business managers understand the technical language of IT — or rather, that IT can speak the language of business risk. People need to know what impact security might have: if a virus is likely to take down the call centre for a period of time, that can be translated into a certain loss; alternatively, benchmarks can be set for the maximum rate of system outages that the bank can stomach with plans implemented to reduce it to a desired level.
For now, hackers, virus writers and more sophisticated outfits are one step ahead. They will not surrender their lead without a fight. However, you can be smart. Beyond the basics of up-to-date antivirus software and firewalls:
- IT should deploy active systems that scan networks for suspect activity.
- Security systems should be integrated: if the antivirus system detects a virus that is known to open up a backdoor, then the firewall needs to know about it.
- IT managers need to learn how to explain the nature of the risk to business managers.
IT security may be alarming but it is still just one risk amongst many that financial services face, and it is not necessarily the worst.
