The 5 Essentials of Banking Security in Tough Times
Experts: Keep a Sharp Eye on Compliance, the Insider Threat and Phishers
There is much in the news these days for financial institutions - and their customers - to consider. But at a time when consumer confidence in banking is at a critical juncture, so many of those aforementioned influences are outside of a banking/security leader's direct control.
But here are five factors you can control to ensure security and reassure shareholders and customers of your institution's safety and soundness.
1. Regulatory Compliance: Focus on the Basics
Bad economy? Doesn't matter to banking regulators. Even if your institution is affected by bad loans or investments and you're dealing with the aftermath, regulators will still be examining your programs for compliance - and you'd better be prepared, says David Schneier, Director of Professional Services at Icons, Inc., a risk assessment firm based in Princeton, NJ.
"There isn't very much room to maneuver or modify what needs to be done," says Schneier, who spends much of his time working with banking institutions on their compliance efforts. "GLBA compliance is still required to continue operating. We've heard nothing from the field thus far that indicates that examiners are easing up in any way, nor should that be expected."
In challenging times, the spirit of GLBA is that much more relevant, particularly as market conditions deteriorate and people grow desperate. "Accordingly, information security practices become much more significant to ensure the protection of both customer/member data and the institution's assets," Schneier says.
Also at the top of the list for all institutions should be the ID Theft Red Flags Rule, which covers the basics of identity theft prevention and awareness programs. "This will provide the critical safeguards to ensure that potentially fraudulent activity is being identified and managed."
For more on regulatory compliance priorities at banking institutions - including what they're doing well and not so well -- listen to this podcast interview with Schneier.
2. Risk Management: Be Proactive
By taking a proactive approach to risk, Corporate One FCU in Columbus, OH managed to position itself to survive in this troubled economy.
"Corporate One's focus on managing risk developed long before these issues began," says Joe Ghammashi, Chief Risk Officer at the $5.16 billion corporate credit union. This is supported by the credit union's diversified investment portfolio. "Additionally, our appropriate pricing of risk has allowed us to build our capital base, as well as establish a strong earnings run-rate. We also have been proactive since last summer in developing and enhancing our liquidity sources. Consequently, we are not facing the issues that have hit other institutions."
The credit union's biggest challenge is perception - members' questions about the safety and soundness of all institutions. "We are making sure that our members understand that the assets we hold are of the highest quality and that we have ample liquidity to carry them for as long as we need," Ghammashi says.
Corporate One's work over the past three years on an enterprise wide risk management (EWRM) program has also paid off. "We integrated our business owners into the IT governance process and brought IT out of its silo into the environment of its business partners. We have adapted the COSO and COBIT frameworks to manage our systems, people and processes to, among other things, integrate technology and business together."
Ghammashi stresses it was critical for the credit union to have proactively engaged in these activities to position it in the solid position that it is in today. "It would be extremely difficult for someone to try and implement such a program at this time," he says. "The biggest challenge facing anyone attempting to implement EWRM is the difficulty in developing financial models that justify the incremental cost of EWRM. But when times are as difficult as they are today, it becomes evident that adopting sound risk management principles as a component at every level of the organization's business plan is critical for its survival."
3. The Insider Threat: Tighten Internal Controls
When it comes to fighting the insider threat, financial institutions fall into type A or B personalities just like most human beings, says Sai Huda, Chairman and CEO of Compliance Coach, a San Diego, CA-based compliance company backed by three of the nation's top 10 banks (Wells Fargo, Bank of America and Citigroup).
The Type A financial institution sees information security as a mission-critical item. "At the Type A institution, security starts at the top with the board of directors. They are very aggressive in complying fully with regulatory requirements and information security policies," Huda says. This is especially needed in the current environment, where fraud is on the rise and the probability of insider theft of information is high. The Type A institution focuses on insiders and asks who has access to what, and why. It also focuses on terminated employees. "Are they leaving with any confidential information?"
On the other hand are the Type B financial institutions, which have a relaxed, laid-back approach to information security. "They see it as something regulators require them to do, so they do it. They are not proactive. No news is good news. If there is no news of any breach, then everything must be okay with information security," says Huda. Their biggest failure is that they are more trusting of insiders; they are focused more on outsiders. "It is business-as-usual with any layoffs. There is no enhanced scrutiny of practices to make sure insiders do not leave with confidential information," Huda notes.
Given the current economic conditions, insider theft of information is an increasing risk that all financial institutions face. Why? Because insiders have access to customer information and may be tempted to take or sell it for economic or vindictive reasons, especially if they are laid off by the financial institution. They also have intimate knowledge of information security policies and procedures, and they know the institution's strengths and vulnerabilities.
Here are three things Huda says every single financial institution should proactively implement to thwart the insider threat:
- Quarterly review of who has access to what and why. Tighten up and restrict access in light of increasing security risks. Focus on those business units that may have reductions in staffing in the next quarter.
- Take a very close look at employee termination procedures. What measures are in place to make sure terminated employees do not leave with any information?
- Whenever employees are terminated who had intimate knowledge of information security policies and procedures and knew the institution's strengths and vulnerabilities, revise the policies and procedures immediately to plug the holes. "Remember, a terminated knowledgeable insider can become your worst outsider enemy," Huda concludes.
4. Phishing, Fraud: Be Vigilant, Educate Customers
Criminals don't take vacations, and the business of fraud is growing, says Debra Geister, Director, Fraud Prevention & Compliance Solutions at Lexis-Nexis. "While banks feel contraction during the current economic challenges, the business of fraud continues to grow."
Now more than ever, it is critical to catch fraud as early as possible -- ideally, to prevent it before it occurs. "Since the Identity Theft Red Flags Rule is in place, many institutions are finding ways to bring their fraud and compliance systems together in a more formal way to fight identity theft," Geister observes. In addition, as banks evaluate their systems, many are starting to merge AML initiatives with their fraud and identity theft initiatives, she says.
Phishers are among those fraudsters who are as busy as ever, says John LaCour, CISSP, Director of AntiPhishing Solutions at MarkMonitor and contributing analyst to the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report.
"Phishers seem inexhaustible," LaCour says. While the number of unique URLs declined by nearly one-third earlier this year due to lower Rock Phish activity, the actual number of attacks as measured by a combination of brand and phishing domain names increased 11 percent. "This indicates that traditional phishing is as strong as ever and increasing," LaCour concludes.
The number of brands being attacked increased by 7.6 percent, and financial services still remains the most targeted industry, according to the Phishing Activity Trends Report issued each quarter by the APWG. The group also reports crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in the first quarter to 6,500 sites, nearly double the previous high of November 2007 -- and an increase of 337 percent from the number detected in the first quarter of 2007.
To illustrate the growth in phishing attacks, one only needs to look at a recent report released by Cyveillance, an information security research company that also provides takedown services for financial institutions. In the first quarter of 2008, Cyveillance reports, it typically saw a daily average number of phishing attacks in the low-400 range. In October that average increased to more than 1,750, with record peaks as high as 13,209 in a single day.
During the first half of this year, the quantity and frequency of the attacks steadily increased, averaging 400 to 500 per day, with spikes at times reaching nearly 1,000 per day. Though the summer of 2008 saw an overall slowdown in attacks, there has been a significant increase in attack volumes and frequency of spikes since September. Cyveillance researchers join others in the information security industry who say these increased volumes can be linked to many outside influences, including the worldwide financial crisis and phishers constantly changing direction and attack methods to avoid being caught.
Institutions need to have a phishing takedown plan in place in the event that their brand is attacked. The plan should include how to communicate with customers. Put an announcement message on the website's front page. Give the facts to all customers, telling them about the phishing attack. Tell them what you're doing to stop it. Tell them to contact the institution when they receive any suspicious email or phone call purporting to be from the institution. Regular reminders in statement stuffers and in general correspondence will also educate customers to be wary of any unsolicited phone calls or emails.
TowerGroup's George Tubin sees no end in sight for these types of attacks against banking customers, such as the increased number of phishing and "vishing" attacks perpetrated on a large number of consumers across the country in the last three months.
Tubin, Senior Research Director, Delivery Channels and Financial Information Security at the Needham, MA-based research firm, sees that the current economic crisis hasn't dampened criminal efforts against financial institutions or their customers. "They're definitely not taking a pity break or slowing down their efforts. In fact, they are actually stepping up their efforts to phish for victims at merged banks and at other banking brands during these uncertain times," he adds.
Tubin recommends institutions remain focused on fighting fraud. "There's not a lot of room to move. Criminals are still trying to exploit banks, so it's not an area that banks can take a breather on," he observes. While other areas of the institution may face cutbacks in their budgets, Tubin sees that institutions will keep spending in the security and fraud space. "With every month that passes, the criminals get better at what they do. They work on refining their attacks, get rid of what doesn't work and then increase what does work and then continue down that path."
The first issue that financial institutions should be worried about is fraud, says another risk management expert who works with financial institutions across the Midwest. "Fraud follows a basic triangle of 'Rationalization, Pressure and Opportunity.' And with financial institutions getting into trouble or merging and employees having the fear of getting laid off, losing their houses, etcetera, this opens up the pressure part of the triangle," says Ken Stasiak, CEO of SecureState, a Cleveland, OH-based risk assessment firm that focuses on the financial services industry.
5. Physical Threats: Protect Your ATMs
Schneier of Icons makes a final prediction that "old-fashioned holdups" will increase during these trying times. "The difference between what we're dealing with now versus 80 years ago is that whereas in 1927 there was a run on the bank to get your money out, the threat now is a run on the bank to get someone else's money out."
He observes that the many digital pathways into and out of financial institutions make it easy to forge financial documents, making the likelihood of fraud much greater. And then there is the prospect of criminals targeting the unsuspecting ATM customer. "With ATMs in virtually every pocket of society these days, it's possible to see a marketable increase in good, old-fashioned criminal 'hold-em up' scenarios," Schneier says.
Institutions should begin reducing ATM crime and the increased threat of physical crime via a two-pronged approach. First and foremost is education. All financial institutions have pamphlets and programs designed to educate their customers/members regarding ATM safety (e.g. pulling the locked door closed behind you, counting your money only after leaving the area, etc.), and they need to make sure this material gets put in front of their audience again, says Schneier. Second is physical deterrence, such as video cameras, sufficient lighting, unobscured placement (move those shrubs), security mirrors (to see behind you) and functioning locked doors. Remind customers at drive-through ATMs to always make sure that the car in front of them has cleared the lane, not to put the car in park (keep it in gear with a foot on the brake), and to check side-view and rear mirrors before initiating the transaction.
Regarding robberies at teller windows, there is already training available that provides clear guidance on the steps to be taken, Schneier says. But financial institutions need to be more aggressive in conducting their training drills and perhaps increase their frequency. It's also important that they think beyond training only the tellers. "In one institution recently, a non-business person was discussing how they often pass through the lobby and wouldn't know what to do if they encountered a hold-up," Schneier says. "Considering that all it takes is for one person to react inappropriately to send things out of control, this is an important consideration. All of the institution's employees need to know what to do."
Lastly, Schneier advises vigilance is the best control to have when dealing with the threat of criminal activities. "Knowing when someone or something appears out of place, knowing what to do about either a potential or confirmed incident is the surest way to navigate through the event."