Data insecurity threatens trust

Trust is the foundation of any good relationship, and has never been more evident or more vital than in the relationship between financial institutions and their customers.

Without the confidence that their financial information is protected, consumers will be less likely to use online services. This directly impacts cost-cutting initiatives, which, for years now, have been a key goal in increasing the use of online services. Securing a financial institution's network environment can be a challenge, especially given the sensitive and highly valuable information collected and maintained by financial institutions.

The number of breaches reported for 2010 so far has increased sharply compared to 2009. Less than four months into 2010, there have been 23 financial institution breaches costing millions of dollars. There's a common perception that external hacking and insider theft pose the most risk; however, accidental exposure and loss of data have been the most common trends to date.

These breaches were pervasive across organizations both large and small. Data breaches typically encompassed the loss of records that contained names, addresses, dates of birth, Social Security numbers, and personal account numbers. The causes of these breaches range from an individual hacking into the financial institution's network, to a disgruntled former employee attempting to take key client data, to a current employee having their laptop stolen out of their office. Regardless of the means by which the data is lost or stolen, ultimately the people most affected are the unsuspecting customers.

Financial institutions that have acknowledged data breaches in 2010 include:

* The Securities and Exchange Commission: A laptop was stolen that contained names and Social Security numbers.

* John Hancock: A CD containing the account and Social Security information for 1,085 customers was lost by a partner within the organization.

* US Bank: A laptop containing sensitive customer information was lost.

* Wells Fargo/Wachovia Bank: Social Security numbers and bank account information for 953 customers were lost.

* Citigroup: Approximately 600,000 customers received their taxes with their Social Security numbers printed on the outside of the envelope.

* ING Fund: Social Security numbers and bank account information for 106 customers were accessible via a common search engine.

* HSBC: Approximately 24,000 accounts were compromised as a result of theft by a former employee.

* SunTrust Bank: Hundreds of bank accounts were compromised as a result of ATM skimmers.

Many institutions fail to report breaches. Why? The answer is simple: It's bad for business. These institutions understand that the hefty cost associated with reporting a breach - loss of reputation, decrease in customer confidence, and lack of trust - ultimately will negatively impact their bottom line.

COMMON ATTACKS

Myriad attacks are carried out on a daily basis. Common attacks include:

* SQL injection: Many Web pages use SQL commands to query database information; since many SQL systems have unpatched vulnerabilities, the attacker leverages these weaknesses to inject a command that can extract valuable customer data.

* Advanced persistent threat: These attacks are highly successful and rarely detected by normal security measures such as antivirus and intrusion detection software. They are highly technical and typically leverage the latest technology and social engineering techniques against employees in order to breach the network.

* Phishing: These are typically performed by hackers who attempt to gain access to information by misleading people into believing that they are from legitimate enterprises, when in fact they are not. A typical attack would be an e-mail from what appears to be a financial institution, asking for passwords, Social Security numbers, dates of birth, and account and credit card information.

* Distributed denial of service attack: These are typically an effort to make computer resources (e.g., Web sites) unavailable to their intended users. A typical attack would consist of saturating the target site with so many communication requests that the site can no longer respond to legitimate traffic, rendering the site effectively unavailable.

* Keystroke loggers: These are the result of malicious software downloads that capture, and then transmit to an external entity, any information that is typed on a keyboard, such as passwords and other sensitive data.
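To make the SQL injection bullet concrete, the following is an added example (not code from the article or from any institution it names). It assumes a constructed in-memory SQLite table of customer records and contrasts a lookup that pastes user input into the SQL text with the same lookup using a bound parameter, which is the standard mitigation.

```python
import sqlite3

# Constructed sample data standing in for the kind of records the article
# describes (names, Social Security numbers, account numbers).
SAMPLE_ROWS = [
    ("alice", "Alice Adams", "111-22-3333", "ACCT-0001"),
    ("bob", "Bob Brown", "444-55-6666", "ACCT-0002"),
    ("carol", "Carol Clark", "777-88-9999", "ACCT-0003"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, name TEXT, ssn TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The defect: the input is spliced into the SQL text, so the database
    # cannot tell where the query ends and the user's value begins.
    query = f"SELECT name, ssn, account FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The fix: a bound parameter is always treated as a value, never as SQL,
    # so the same input simply matches no username.
    query = "SELECT name, ssn, account FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the parameterized lookup)."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    # Constructed inputs: a normal username and one that closes the quoted
    # string and appends a condition true for every row.
    for label, value in (("normal", "alice"), ("injected", "' OR '1'='1")):
        vuln, safe = compare(value)
        print(f"{label}: vulnerable returned {len(vuln)} rows, parameterized returned {len(safe)}")
```

With the injected input the vulnerable lookup hands back every customer record, while the parameterized lookup returns nothing; this is the behaviour to confirm in code review and in application testing.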

These attacks are becoming more frequent and, in most cases, becoming more sophisticated and difficult to detect.

PROTECT WHAT YOU COLLECT

In an effort to address and ultimately decrease the risk of data loss, multiple federal and state agencies have put in place laws, regulations and standards, and penalties, including:

* Red Flag Rules (prison time and $10,000 fines per incident);

* Federal Financial Institutions Examinations Council (prison time and civil lawsuits);

* National Credit Union Association (prison time and civil lawsuits);

* Payment Card Industry Compliance (fines potentially in the range of millions of dollars);

* Fair and Accurate Credit Transaction Act (prison time and civil lawsuits); and

* Gramm-Leach-Bliley Act (prison time and civil lawsuits).

The regulations, by design, give institutions some flexibility to design and implement security-based controls that are appropriate given the nature, size and complexity of the organization. So why do so many organizations fail to adhere to the rules and regulations? There are a number of reasons:

* Cost: Many institutions do not have the time or money to implement programs that would ultimately protect data.

* Moving target: In addition to federal regulations, many states have adopted more stringent rules. These change on a regular basis and, in some cases, without much publicity.

* Volume of data: Financial institutions' records not only maintain customer data, but also include information regarding dependents, beneficiaries, and current and past employees. Accounting for and restricting access to all of this can be difficult, especially in complex operational environments.

THE COST OF DOING NOTHING

In December 2009, the CSI Computer Crime and Security Survey was released. One of the most intriguing statistics was that the average cost associated with a single breach that included data loss was $234,000.

As threats intensify and regulations increase, it is imperative that strong security controls are in place to ensure that digital transactions and communications are secure, that compliance with laws and regulations is achieved, and that customer trust and company reputation remain intact.

The increased frequency of attacks, in conjunction with the cost associated with rectifying the situation, can be alarming. In order to mitigate the risk associated with an attack, every organization should consider performing the following:

* A company-wide risk assessment;

* IT security reviews;

* Penetration testing;

* A review of malware protection;

* A vulnerability assessment;

* Data sensitivity reviews; and

* Business impact analysis.

Each of the concerns documented above should be taken into consideration when planning and securing key customer data. In order to mitigate the risk associated with the loss of consumer data, financial institutions should implement strong security controls. These controls will comfort the consumer and continue to build and maintain trust. Greater customer confidence decreases customer turnover and increases transaction volumes, resulting in increased revenue for financial services providers.

MORE FROM ACCOUNTING TODAY