CHALLENGE: With breaches on the rise, consumer confidence waning, more data privacy regulations in the pipeline and a focus on outsourcing, financial services institutions must ensure they are protecting customer data -- both internally and externally.

Why It's Important: As data breaches continue to garner headlines, information security is becoming a competitive differentiator. But greater demand for access to client data -- both internally and among external partners -- for customer service, more outsourcing and stricter regulations on data privacy are making data security an increasingly complex task for financial service firms.

Where the Industry Is Now: Traditional security solutions, designed to protect the network perimeter or limit information access, do not address the challenges of providing security in today's dynamic Web 2.0 world. Protecting the network alone is no longer enough -- enterprises must protect their applications and data in transit as well. Meanwhile, with a host of financial firms recently suffering data breaches -- including TD Ameritrade, JPMorgan, Fidelity Investments and Ameriprise Financial -- identity theft and consumer protection now are a bigger priority than ever for state legislators. Boston-based Aite Group found that more than 200 bills focusing on the issue currently are pending at the state level (see related article, page 14).

Focus for 2008: If companies want to prevent data breaches, damage to their brand and huge fines, they must ensure data is protected both internally and externally, and make sure they constantly track new data privacy regulations. "There is a continuing trend for banks to become more stringent with internal and external partners," says Jacob Jegher, senior analyst at Celent.

Jegher notes that internal threats often are overlooked, however. "There is so much talk about phishing and identity theft coming from outside, but the biggest source of fraud comes from employees and insiders," he asserts. "There are millions of knocks on a company's door coming from outside but a low success rate. On the other hand, the number of knocks on the door from insiders is very low, but the success rate is very high." Companies need to carry out more background checks on potential employees, further limit access to data and use behavior analysis tools to monitor resources that employees are trying to use when they don't need them, Jegher says.

Still, external risks can't be overlooked. Matt Moynahan, CEO of Veracode, which assesses the security level of applications, points out that following mergers and acquisitions, companies need to carefully review the incoming software to ensure its security so that it does not put the enterprise and customer data at risk. "Buying insecure applications, service providers that don't have security, dealing with someone who doesn't know how to write secure code ... Wall Street must deal with these issues every day," he says.

Industry Leaders: Financial institutions generally are reluctant to reveal their security plans. One sell-side institution that has announced an enhanced focus on security, however, is St. Louis-based Scottrade, which is enlisting its customers in the battle against fraud. The online brokerage recently struck a partnership with McAfee to provide its 1.6 million customers with free security software. It also is boosting security on its own systems by taking a proactive layered approach to security that includes identifying suspicious activity and stopping intrusions.

Technology Providers: The security space is a busy and dynamic one, with a plethora of vendors to choose from. Some of the most well-known include RSA, Bit Armor, Veracode, Rocket Software, TraceSecurity, Core Security and Vontu.

Price Tag: A study commissioned by Colchester, Conn.-based law firm Scott & Scott highlighted the potential massive cost of a data breach: 74 percent of organizations that suffered a data breach reported a loss of customers, 59 percent faced potential litigation, 33 percent faced potential fines and 32 percent experienced a decline in share value. Chief security officers nevertheless complain that their organizations don't budget enough for security since it takes away from corporate resources. However, Deloitte & Touche's recent annual survey of security practices at 169 financial institutions found that 98 percent spent more on information security in 2007 than in 2006.