Impact of Information Security Trends on Financial Institutions, Part 3
If we analyze the impact of certain types of security incidents (e.g. system intrusion, fraud, denial of service, leak of confidential information) across several industries, we will see that the impact is higher on financial institutions than on any other type of organization.
If you study the security issues surrounding information technology dependency, you will see that this is one of financial institutions' weakest security areas. Although this type of dependency is an emerging trend in most industries, it is not new for financial institutions, because financial institutions are able to automate most of their services and operations. E-banking is reshaping the way people and organizations do business, and new services based on e-banking and electronic processing capabilities are created and deployed at very high speed. Many of these services could not be created and maintained without the information technology infrastructure that exists today, and if this infrastructure were to fail, these institutions would be unable to function.
Institutions' batch processes have also been upgraded to real-time operations. Consequently, some of these processes need to run constantly in order to keep operations available. These operations will soon become even more critical as electronic processes and services replace the few manual counterparts that still survive.
Additionally, the shrinking time between the discovery of a vulnerability and its exploitation is another trend that has had a significant impact on the availability of these systems. Mass propagation of threats like viruses and worms takes advantage of improvements in exploit development. Worms like Blaster and the more recent Zotob have shown the importance of having effective security controls to deal with these threats.
The current trend towards faster exploit development cycles also means that reactive security controls (i.e. those implementing blacklists, also called negative logic security controls) have become less effective, because they rely on previously known patterns. Such controls need to be updated regularly in order to recognize any new threat, and only then are they capable of stopping certain types of attacks. These updates have to be produced by vendors with the capability to identify the threats, create detection signatures, and distribute them; financial institutions then have to apply the updates to their controls. No matter how fast vendors and institutions complete this update cycle, the fastest worms and viruses will always be ahead of them. Patching the vulnerabilities that these types of malware exploit is slower still.
While some companies can afford to have a few infections each year, accepting this risk is simply not an option for financial institutions. An institution's high level of dependency on information technology, the speed of its real-time batch processes, and the constant availability required of many banking services make these threats a critical security risk. A single infection on a critical server, no matter how small, could cause serious operational damage.
Unfortunately, financial institutions are among the organizations most heavily affected by targeted attacks. The steady increase in attacks on e-banking systems through phishing is alarming. Phishing poses serious problems for an institution's security strategy because some phishing techniques are hard to detect: certain techniques never touch the institution's infrastructure, and are instead carried out through infected outside sources. Vulnerabilities in computer systems that are the personal property of customers and employees pose a large risk to an institution's operations. A customer's PC can't be protected by the financial institution, but the institution can't ignore this threat either. If a customer's access to these systems from their personal computer is not secure, everybody loses (except the bad guys). This need for multiple layers of security drives the cost of these services higher.
Cyber criminals also look for vulnerabilities within the organization's own systems. Attackers targeting organizations are shifting towards application-level attacks, and in an institution's case there are many custom-made applications, because institutions have very specific needs to provide custom services to their clients. It is therefore essential that institutions pay attention to securing and auditing those applications properly.
Regarding security controls and services, the market in general is demanding. Information security professionals often look for easy-to-manage, low-cost solutions that can protect a large number of systems, even if some degree of security is sacrificed. That is why many current security controls are based on negative logic (i.e. blacklists): they are easier for organizations to adopt.
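The difference between a negative logic control and a positive logic one, as described in this paragraph and in the discussion of reactive controls above, can be shown on a small input-validation check. The following is an added example, not code from the original article; the signature list, the account-number format and the sample inputs are all constructed for illustration.

```python
import re

# Constructed "negative logic" control: a blacklist of known-bad substrings,
# as a vendor might ship it at signature-update time. It can only reject
# patterns that have already been seen and written down.
KNOWN_BAD_SIGNATURES = ("../", "<script", "' or ")

# Constructed "positive logic" control: the only shape an account number
# may take in this hypothetical application (exactly ten digits).
ACCOUNT_NUMBER = re.compile(r"^[0-9]{10}$")


def blacklist_check(value: str, signatures=KNOWN_BAD_SIGNATURES) -> bool:
    """Reactive control: accept anything that contains no known signature."""
    lowered = value.lower()
    return not any(sig in lowered for sig in signatures)


def allowlist_check(value: str) -> bool:
    """Proactive control: accept only input matching the expected format."""
    return ACCOUNT_NUMBER.match(value) is not None


def evaluate(inputs):
    """Map each sample to its (blacklist_verdict, allowlist_verdict) pair."""
    return {v: (blacklist_check(v), allowlist_check(v)) for v in inputs}


def blacklist_gap(inputs):
    """Inputs the blacklist accepts but the allowlist rejects: the window
    between a new variant appearing and a signature being written for it."""
    return [v for v, (bl, al) in evaluate(inputs).items() if bl and not al]


# Constructed samples: a well-formed account number, a malformed value that
# an existing signature covers, and a malformed variant (backslash instead
# of slash) that no signature has been written for yet.
SAMPLES = [
    "0123456789",
    "0123456789/../x",
    "0123456789..\\x",
]

if __name__ == "__main__":
    for value, (bl, al) in evaluate(SAMPLES).items():
        print(f"{value!r:22} blacklist={bl!s:5} allowlist={al}")
    print("slipped past the blacklist:", blacklist_gap(SAMPLES))
```

Passing an extended tuple as `signatures` models the vendor update cycle: the backslash variant is caught only after a signature for it is added, whereas the allowlist rejected it from the start.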
Therefore, many institutions need an almost complete redefinition of their security processes and functions. The good news is that, in the end, implementing stricter controls and procedures will not only allow institutions to comply with Sarbanes-Oxley and the Basel II Accord, but will also give them a more robust security architecture (i.e. a more efficient way to select, implement and manage security controls). The bad news is that timetables are tight and many institutions are rushing to comply with these legal requirements.
Many institutions also realize that consumers are demanding more security options for e-banking and electronic transactions involving services such as credit/debit card online payments and electronic funds transfers. Many customers are willing to pay the increased cost of these solutions. Therefore, there is a genuine opportunity to treat security as an investment (i.e. there is a return on investment in security controls that answer specific customer requests for secure services). Customer awareness is also an important factor for electronic transactions. An example of such a standard is SET, designed to stop fraud and bring more security to electronic purchases over the Internet. However, the adoption of such standards has not been as successful as expected: SET, for example, was ignored by both institutions and electronic stores, since it made online payments cumbersome and costly. Yet it is expected that with increased consumer awareness this will change, and new security standards will eventually turn into a competitive advantage, or might even become an essential component of electronic payments.