13586 New Security and Financial Services


Technology

Rebuilding confidence in financial services through robust cyber security strategies

By Tim Elliott and Yemi Saka

To reignite growth and rebuild customer trust, many financial services institutions are putting a greater emphasis on digital channels such as mobile banking. Success with these channels requires not just a user-friendly interface but also airtight security that customers can depend on.

With many transactions now conducted over the Internet, and many automated tools available to hackers, financial services companies are more vulnerable to cyber intruders. Given the recent conditions of the financial markets and the tarnished reputation of the financial services industry generally, security threats have become an executive management issue, not just a technical problem, as they affect operational continuity and can undermine the confidence of customers and business partners.

This paper offers six steps to guide financial services executives in mounting a proactive, high-performance approach to cyber security.

A complex equation

What portion of your customer base already interacts with your business online, and how fast are those segments growing? What new delivery channels are you considering for your financial services products? How will regulatory activity, acquisitions, or divestitures affect your security strategy? How many of your teams are using a cloud-based application to share documents with a customer or vendor? Which of your software developers has recently used his credit card to provision a server on a cloud service? Are you certain of your ability to recover when a key data center suffers a cyber attack? Do you know which of your employees have run up a crushing load of debt or have another reason to turn rogue in your environment?

Banks, credit card companies, insurance firms, and other financial services institutions have invested heavily in information technology over the past decade to improve competitiveness and productivity. Most of these organizations have become highly dependent on the Internet for conducting transactions with their customers. The use of Internet services among customers and employees has become more pervasive now through a myriad of wired and wireless devices used in the office, at home, in cars and cafes – often bypassing the standard corporate security controls and policy when connected to unsecure environments. Users are also requiring financial business applications to work seamlessly across multiple environments and devices including smart phones, tablet computers, and kiosks.

Customers want multiple access points and connectivity between them. In banking, for instance, customers show no desire to give up using branches, but at the same time they show increased usage of direct channels; the growth in use of mobile banking applications barely lags behind that of smart phone usage. In emerging economies, mobile banking has even leapfrogged traditional banking channels.

Tremendous benefits can accrue from open, distributed computing systems and the rich services offered by Google, Amazon, and others. And digital channels offer potentially greater personalization at radically lower cost – as long as customers trust the system’s security. Accenture’s 2009 Global Consumer Behavior Study asked customers to identify the dominant factors in their relationships with businesses. The top two factors cited were “easy to do business with” and “trustworthy”.1 That’s the security challenge in a nutshell.

Unfortunately, the Internet has limitations on the level of security that it can provide when sharing information, and thus may become an easy target for malevolent use. Open systems, interfaces, and commonly used document formats can propagate vulnerabilities if appropriate security controls are not applied and enforced. Many IT solutions are built and released without the robust functionality required for enterprise-wide data protection and privacy, particularly when projects focus on delivery speed rather than security.

Additional risks extend from incubating technologies, from the marriage of interoperable technologies that support cloud-based services, and from the new frontier of social media platforms (see sidebar, “Porous perimeters of social networking websites”).

Porous perimeters of social networking websites

Figure 1. Much of the growing traffic of online social networking
[Figure panels: “2009 Visitor Trend to Facebook.com, MySpace Sites, Twitter.com” (total unique visitors, in thousands, Dec 08 to Dec 09) and “Percent composition of visitors to Facebook.com by demographic segment” (Dec 08 and Dec 09; persons 24 & under, 25-34, 35-49, 50+). Source: comScore Media Metrix (U.S.)]

Consider both the astonishing spread and the particular challenges of social networking sites. Nearly four out of five Internet users visited such a site in December 2009, and the activity now accounts for 11 percent of all time spent online in the United States, making it one of the most engaging activities across the Internet, according to comScore.2

Since the premise of social networking sites is to more easily and efficiently share personal information, site users tend to lower their guard. These sites thus become attractive locations for illegal data mining and malware insertion. One computer worm, Koobface, has targeted Microsoft Windows users of Facebook, MySpace, Friendster, Twitter, and similar sites to gather sensitive information such as credit card numbers. Although social networking companies have become more conscious of these threats, staying ahead of new attacks is a major challenge.

In another recent case, a hacker named Kirllos has been selling Facebook user names and passwords. Researchers at VeriSign estimate Kirllos has sold almost 700,000 of the 1.5 million accounts he or she is offering. The asking price: $25 to $45 per 1,000 accounts, depending on the number of contacts each user has.3

Other forms of malware tap users’ “100 things about me” postings to mine data that is typically used to answer password-reset questions such as “What was your first pet’s name?”

Once the security of an employee’s laptop is breached through a social networking site, the company’s systems and infrastructure become susceptible to cyber attacks. Yet blocking access to sites may not fully address the problem. For one thing, employees can often access the sites through their own smart phones – on which they may also check their corporate email. Moreover, many companies are themselves engaged in marketing and customer contact activities through these sites.

Another concern for financial institutions is how easily this type of information could be used to steal identities of employees and customers. Once an employee identity is compromised, intruders can take control of the employee’s computer and slip inside the network, as occurred last year at one major financial firm.4

The most effective solution for the near term will consist of several elements: employee and customer education about safe online behavior; security controls such as Policy Enforcement Agents or Network Access Controls on the end user’s device; and monitoring techniques that give an early alert on legitimate breaches versus mounds of false positives hiding these attacks.

Many of these applications deliver business benefits relatively quickly, but they often fall short of standard IT security policies and procedures. Even networked photocopiers or fax machines have their own Internet Protocol addresses that tend not to be secured in the same way as a computer desktop, giving cyber attackers a path into the company. So the attack surface has gotten much broader, from many more sources at home and abroad.

With greater dependence on web-based applications comes a far more serious consequence of infrastructure compromises and disrupted operations through data breaches, data loss, and non-compliance with government regulations or important industry standards – along with the potential erosion of customer confidence.

been involved in security breaches since January 2005.5 Such breaches can have serious implications for the enterprises involved, resulting in fines, increased costs for remediation, or temporary stock price drops. The threat is particularly acute for financial services firms, given that the storage and exchange of money forms the core of the business. A few heart-stopping data points:

• A May 2009 survey by Actimize found that 81 percent of financial services organizations expect an increase over the next year in ATM/debit card fraud.6

• Computer hackers stole more sensitive records in 2009 than in the previous four years combined, with ATM cards and PIN information growing

• Zeus and Clampi botnets, which steal online account credentials with a focus on bank accounts, have gained in size and strength in recent months. Cheap ($700) and easy-to-use toolkits that hackers can purchase to control botnets are widely available online.8

Customer information of all kinds is also at risk as online shopping and point-of-sale capture have become widespread, forcing various industries to adjust as a result. Every merchant that accepts credit card payments has already experienced the considerable cost and expense to strengthen protection against identity theft and the resulting financial losses.
