
Employees Key to Protecting Member Data

After spending billions of dollars on firewalls and other perimeter defenses to keep intruders out, some financial services executives are discovering that the greatest threat to customer data, the institution's own financial details, and even its competitive strategies is their own employees, reports Bank Technology News.

Guillermo Kopp, VP of cross-industry research at TowerGroup, says "companies are still struggling with basic [protections from external threats] like firewalls, electronic attacks and virus protection." But he expects interest in internal security measures to increase rapidly, especially in proactive tools that not only report security breaches but prevent them from happening in the first place. He predicts bank spending on these technologies will grow to five to ten times its current level over the next three years, to perhaps $1 billion or more.

Internal security protocols pivot off three main areas: a bank's financial information, customer information, and employee entitlements. With these in focus, a bank can then write specific business rules. If done right, the bank will benefit, according to Kopp, by avoiding financial damage, being more efficient, and being more transparent.

Some security tools block after-hours network access or monitor e-mail for suspicious words. Other, more cutting-edge tools actually stop an e-mail containing certain information from leaving, or fingerprint documents so they cannot be e-mailed, printed, or faxed. In other words, instead of telling a bank that a breach has occurred, these newest technologies aim to stop the information leak from ever happening and then generate a report so executives can investigate. Business rules can thus be enforced directly by the security tooling rather than merely audited after the fact.
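As an added illustration (not code from the article or from any vendor it mentions), the following Python sketch shows how an outbound e-mail filter of the kind described above can be built from two business rules: block messages leaving the company that contain a card number, and block attachments whose content fingerprint matches a registered sensitive document even if the file has been renamed. The internal domain, the registered document, and the sample messages are all constructed for the example; the card number is the well-known Visa test number, and the 16-digit "reference number" is there to show that a bare digit pattern without a Luhn check would produce a false positive.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Assumed internal mail domain (hypothetical); any other recipient is "outside".
INTERNAL_DOMAIN = "example-bank.test"

# 16 digits with optional space or dash separators, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> bytes


@dataclass
class Verdict:
    action: str            # "allow" or "block"
    reasons: list          # why it was blocked (empty when allowed)
    outside: list          # recipients outside the company


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters out most random 16-digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(data: bytes) -> str:
    """SHA-256 over case- and whitespace-normalised content, so a renamed or
    re-saved copy of a registered document still matches."""
    normalised = b" ".join(data.lower().split())
    return hashlib.sha256(normalised).hexdigest()


def register_documents(docs: dict) -> dict:
    """docs: label -> content bytes. Returns fingerprint -> label."""
    return {fingerprint(content): label for label, content in docs.items()}


def outside_company(msg: Message) -> list:
    return [r for r in msg.recipients
            if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def inspect_message(msg: Message, registry: dict) -> Verdict:
    outside = outside_company(msg)
    reasons = []
    if not outside:                      # purely internal: rules do not apply
        return Verdict("allow", reasons, outside)
    text = msg.subject + "\n" + msg.body
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        reasons.append("card number in message text")
    for name, content in msg.attachments.items():
        label = registry.get(fingerprint(content))
        if label is not None:
            reasons.append(f"fingerprinted document '{label}' attached as {name}")
    return Verdict("block" if reasons else "allow", reasons, outside)


def audit_line(msg: Message, verdict: Verdict) -> str:
    """One line for the report executives and examiners get to see."""
    return (f"{verdict.action.upper()} from={msg.sender} "
            f"to={','.join(msg.recipients)} subject={msg.subject!r} "
            f"reasons={verdict.reasons}")


# Constructed sample data for the demo.
REGISTRY = register_documents({
    "Q3 competitive strategy": b"Competitive Strategy Q3\n"
                               b"Target segment: small business lending\n"
                               b"Pricing: undercut by 25 bps\n",
})

SAMPLES = {
    "internal_only": Message("alice@example-bank.test", ["bob@example-bank.test"],
                             "flagged card", "Customer card 4111 1111 1111 1111"),
    "reply_all_leak": Message("alice@example-bank.test",
                              ["bob@example-bank.test", "partner@vendor.example"],
                              "Re: flagged card",
                              "Customer card 4111 1111 1111 1111 is the one"),
    "reference_number": Message("alice@example-bank.test", ["client@mail.example"],
                                "shipment", "Order ref 4111-1111-1111-1112 shipped"),
    "renamed_strategy_doc": Message("carol@example-bank.test", ["me@home.example"],
                                    "weekend work", "see attached",
                                    {"notes.txt": b"competitive strategy q3  target "
                                                  b"segment: small business lending "
                                                  b"pricing: undercut by 25 bps"}),
}


def demo() -> dict:
    """Returns sample name -> action, and prints the audit report."""
    results = {}
    for name, msg in SAMPLES.items():
        verdict = inspect_message(msg, REGISTRY)
        results[name] = verdict.action
        print(audit_line(msg, verdict))
    return results


if __name__ == "__main__":
    demo()
```

The reply-all case is the one the article warns about: a single outside address on the recipient list is enough to make the message leave the company, so the check keys off any external recipient rather than the primary one. The Luhn check keeps an order number from being treated as a card number, and fingerprinting the normalised content rather than the file name is what catches the document after someone renames it for the trip home.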

There is much room for improvement. A recent Ponemon Institute survey of financial and nonfinancial companies found that 69 percent reported serious data leaks due to either malicious or non-malicious employee errors: 39 percent involved confidential business information, 27 percent involved personal information about customers, 14 percent involved intellectual property including software source code, and 10 percent involved personal information about employees.

The leakiest parts of a company's internal security seem to be instant messaging and e-mail. According to a cross-industry risk assessment study, one out of every 500 e-mail messages contains confidential information, customer data, employee data, financial information, intellectual property, or competitive information. In other words, a company with 50,000 employees, each sending 10 e-mail messages outside the company per day, would incur about 1,000 potential data security violations every day. Typically, about 40 percent of those violated internal policies, while 60 percent were regulatory breaches.

Breaches often occur for no other reason than that an employee is uninformed, is trying to do his or her job quickly, or is trying to satisfy a customer or partner. For instance, hitting the reply button on an e-mail with an embedded document could send information to the wrong parties. E-mailing customer data to a home computer to work over the weekend can also compromise data; a technology vendor or outsourcing partner might request information it shouldn't have; or a broker might communicate through an unprotected channel, such as IM, out of convenience for the customer.

Like virtually every technology initiative in banking today, this one has a compliance driver. Thanks to Gramm-Leach-Bliley, Sarbanes-Oxley and the Patriot Act, regulators are focused on a range of thorny information issues. Bank examinations seem to be getting tougher, with examiners no longer content to know just what technologies and business rules a financial institution has in place, but also how they are enforced.

For this reason, the audit reports generated by many security vendors' tools are key, not only for financial institutions to monitor and benchmark their own performance, but to show to regulators. Financial institutions are not motivated only by compliance, of course; there are their own business rules to consider. After all, there is no federal law saying a bank employee cannot share the company's competitive strategy with outsiders. There is no law that says tellers should not be allowed to log into their accounts after hours. There is no law that junior IT employees cannot be given unfettered access to the bank's systems and passwords.

Even so, a financial institution has obvious reasons for having business rules in place to block such activities. And without training, even the best technologies are likely to be frustrated, or at least put to the test more often. The simple act of reminding employees that there is a policy and that they are being monitored is enough to prevent a great deal of internal security breaches, whether inadvertent or not.

You also want employees to know the ramifications. Financial institutions with strong security programs generally emphasize two themes. The first is never to share your password with anyone, because if you do and it is used for illicit purposes, you will take the fall. The second is that under no circumstances should you e-mail customer information.

This article was prepared by the staff at the Point for Credit Union Research and Advice and is published online at http://thepoint.cuna.org/. Reprinted with permission.
