Wall Street & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:30 PM
Andrew Waxman
Andrew Waxman
Connect Directly

In Data Security Battle, Banks Need a Slingshot to Fight the Hackers

Large banks focused on securing firewalls find themselves outmatched by relatively tiny armies of hackers, writes Andrew Waxman of IBM's consulting practice.

As you read this article, most likely on a mobile device, you could unwittingly be opening the way for cyber invaders. Maybe it was an email sitting in your inbox that you clicked on, maybe a link to a new business article or journal. And suddenly the walls of your enterprise— the walls that you have spent billions of dollars to secure with software and services—have been beached in the blink of an eye.

Andrew Waxman, IBM
View Larger
Andrew Waxman, IBM
Malcolm Gladwell in his book, "David and Goliath,” recently highlighted the somewhat counter-intuitive idea that in a clash between a David and a Goliath, the odds are generally stacked against the bigger, more highly favored opponent. Goliath is slow and lumbering, blinkered in his vision and rather hard of hearing. He has also has a rather outdated weapon at his disposal. Like Goliath, the modern large enterprise is slow; slow to react to changes in the business environment. It is also hard of hearing and updated information from clients and employees may not reach the ears of senior managers who can influence decisions made by the company. Furthermore, a combination of sunken investments and conservative thinking may delay decisions to invest in modern tools. Now contrast that with a small attacking force, the David in this encounter that has but one objective, to bring down the larger one. It dedicates its energies to that one goal and can take full advantage of modern weaponry to do so. This small opponent can change the message and have it understood by all its network members instantly. Today banks find themselves under siege from organizations dedicated to steal data, individual identities and account information and disrupt customer services. Like the US and Al Queda, vast entities find themselves outmatched by relatively tiny organizations.

It is unusual these days for a week or even a day to go by without publicity of a security breach at a large bank or retailer and it feels like this game has changed both in terms of the significance and the nature of that risk. The greater significance attached to data security can be seen in two ways. First of all, the publicity surrounding recent data breaches at large banks, retailers and credit companies has been richly deserved. There have been massive breaches and they have upended the assumptions made by customers when they transact in the most basic, everyday ways.

Second, in yesterday's world, the security of a bank's IT network was generally the domain of IT security chiefs, today, however, it is the CEO who owns it and is publicly responding to it. The issue of today is not just compliance with the regulatory control compliance framework but the loss of real assets, customers, data and revenue.

The elevation of data security’s importance has been brought about by the revolution in the ways we transact, conduct and manage business. Customers access their accounts online as a matter of course, often on-the-go via a bewildering array of devices. The same is true of employees. We already take this for granted but it is a massive change and it has taken place in the blink of an eye.

Large US enterprises on the other hand have typically designed their IT security strategies around the paradigm of employees accessing a single IT network from enterprise compliant computer devices. While the network was frequently breached by viruses, worms and the like, such breaches incurred limited damage and created minimal reputational damage. This was because online customer transactions and account data were far less ubiquitous and so harder for an intruder to locate and steal from. Companies nevertheless started to make bigger investments to shore up their networks. Robust firewalls were put up to stop intruders from entering the network and virus software was installed. These investments focused on a view of the enterprise as a single network with a centralized command and control center.

Today those seeking to infiltrate a company's information assets, customer accounts, sales information and so on have many potential points of entry from unsuspecting customers and employees that can easily bypass a central firewall. Focusing on the firewall is rather like focusing on a missile defensive shield when terrorists are leveraging civil airliners. The Goliaths of today need to get a slingshot.

The key to turning the tables in this battle revolves around two key components; data and education. First, companies need to go through a process of identifying their data and their customers' data which is critical to protect. Once that critical data is identified, analytics should be built around how, when and who accesses the data. For instance, when does a customer typically access his or her account, from what device, what type of transactions are executed, how much for and so on.

For an employee, the analysis is similar, which employees touch this customer's account information and to perform which function? Understanding these normative patterns helps identify unusual activity that could indicate a breach has occurred. Investment in tools, people and processes that can detect deviations from such patterns of behavior is critical if companies are to move from defense to offense on this issue. Second, education of clients and employers continues to be of major importance and is still far from effective. Companies need to invest much more heavily in both data analytics and education on this issue if they are going to stop playing Goliath to the hackers' Davids.

—Andrew Waxman is a consultant in IBM’s US financial risk services and compliance group. The views expressed here are his own. Andrew Waxman writes on operational risk in capital markets and financial services

Andrew Waxman writes on operational risk in capital markets and financial services. Andrew is a consultant in IBM's US financial risk services and compliance group. The views expressed her are those of his own. As an operational risk manager, Andrew has worked at some of the ... View Full Bio
More Commentary
A Wild Ride Comes to an End
Covering the financial services technology space for the past 15 years has been a thrilling ride with many ups as downs.
The End of an Era: Farewell to an Icon
After more than two decades of writing for Wall Street & Technology, I am leaving the media brand. It's time to reflect on our mutual history and the road ahead.
Beyond Bitcoin: Why Counterparty Has Won Support From Overstock's Chairman
The combined excitement over the currency and the Blockchain has kept the market capitalization above $4 billion for more than a year. This has attracted both imitators and innovators.
Asset Managers Set Sights on Defragmenting Back-Office Data
Defragmenting back-office data and technology will be a top focus for asset managers in 2015.
4 Mobile Security Predictions for 2015
As we look ahead, mobility is the perfect breeding ground for attacks in 2015.
Register for Wall Street & Technology Newsletters