Even as attacks grow more sophisticated, financial services firms must strengthen data security while improving the financial services experience and increasing anytime, anywhere access for clients, employees and partners.
Why It's Important: Financial firms increasingly have been under siege from hackers, not to mention the internal threat posed by rogue traders. Intruders earlier this year hacked Nasdaq's systems, leaving suspicious files on the exchange's servers and gaining access to highly confidential data on publicly listed companies, and the NYSE barely withstood an attack in October by hacker group Anonymous. Citigroup and the International Monetary Fund also were targeted by cyber criminals this year. In 2011, according to a Ponemon Institute report (based on the breach experiences of 51 U.S. companies from 15 industries), the cost of a data breach reached $214 per compromised record and averaged $7.2 million per breach. Malicious attacks were the root cause of 31 percent of the data breaches studied, up from 24 percent in 2009 and 12 percent in 2008. And one need not look beyond the headlines to understand the potential costs of insider fraud. In the meantime, the recent hacker wave has prompted calls from the White House and the SEC for more stringent data protection laws.
Where the Industry Is Now: Cyber experts warn that financial institutions have inadequate defenses (due in part to the financial crisis). "In the past year, the biggest challenge or the most insidious threat has been from malware packages," says Ben Knieff, director of product marketing at security software firm Actimize. "They can allow a hacker to gain access to corporate resources and look as if they are a legitimate portal user."
Meanwhile, the sharp increase in use of personal smartphones at work has created a vulnerability and led to a dramatic rise in attacks. Mobile phones have seen a sudden rise in "smishing," in which attackers send SMS messages with a link attached, urging a user to check out a picture or a game. When clicked, the link downloads malware onto the phone. The rise of mobile apps also has led to a wave of new attacks, as users rarely check out an application developer's credentials before downloading an app, which could, if left unchecked, download malware on a phone.
Focus In 2012: In addition to proven IT security methods -- such as penetration testing, in which a firm asks a "white hat" hacker to attempt to break through a firewall; one-time passwords; and access management controls -- firms are looking to new security technologies and methods, such as hardening endpoint security. Many vendors are focusing on behavioral activity, trying to understand how and when users typically use their computers and perform transactions; if any activity deviates from the norm, the system sends an alert.
A number of vendors offer "hardened" browsers that execute only certain files or lock down which websites a browser can access. "They can flush out any attempt to install malware," explains Knieff. But the end-user experience can be awkward, discouraging use -- often, end users must insert a USB key into their computers to utilize a hardened browser.
Other vendors are focusing on security automation. When an attack or breach is suspected, new systems, such as Guidance Software's EnCase solution, automatically trigger a forensic response, including exposing, collecting, triaging and remediating data related to threats. On the mobile front, firms are increasingly putting the same security controls on mobile devices as on laptops. Vendors also are experimenting with the opportunities that smartphones provide, including front-facing cameras, which would enable iris recognition, for example.
Industry Leaders: According to a Gartner Research poll of 76 U.S. banks, two-thirds planned to increase spending on fraud-detection and authentication systems in 2012. Nasdaq recently raised its cost projections for 2012, attributing a $25 million to $30 million increase at least partly to an increase in information security costs.
Technology Providers: Providers of network and data security solutions include Actimize, Guidance Software, IronKey, Virtela and many other specialized providers.
Price Tag: The cost of an effective security platform depends on a firm's current technology and risk, but it can range from tens of thousands of dollars to millions of dollars. Before devising a data security strategy, banks first must assess their risks and the potential consequences of a breach; then they must assess their existing tools and controls to identify weak points. The price tag on holistic fraud prevention includes external expenses (i.e., vendor software and implementation services) as well as internal development/integartion costs.