As technology budgets loosen on Wall Street, security procedures are tightening to fight a growing wave of attacks on the information systems of financial firms.
In addition to larger pocketbooks, firms also have larger security demands, pent up over years when security spending was neglected, points out Jonathan Gossels, president of SystemsExperts, a Sudbury, Mass.-based computer and network security-consulting firm.
Yet, in an environment where firms still don't have enough cash to spend on large-scale security implementations, where can a firm begin?
Gossels advises firms to address security on an individual-business-case basis. "What is important to the business? What is our critical data? What systems need to be protected? What regulatory requirements do we have to comply with?" he suggests asking. "Know what you want to accomplish, then put programs in place to make it secure," he says.
One challenge that still dominates attention is the network virus. When using commercially available software, vulnerabilities are inevitable, explains Allan Woods, vice chairman and chief information officer at Mellon Financial. "It requires a significant investment to be able to figure out what software has what vulnerability," he adds. "Getting patches and putting them in are expensive and dangerous."
A positive vendor relationship helps achieve effective patch management, advises Jim Hyatt, a Vanguard Financial principal for planning and development. "You can buy a virus-protector package, but you don't know what the new virus or malicious code is going to be," he says. "Make sure [the vendors] are working on finding out what the new viruses are and what new codes can protect you." It is also important to ensure that they will proactively distribute patches once new vulnerabilities are discovered.
Another area many firms are beginning to address is wireless security. Since many companies had no wireless-technology strategy in the past, employees have bought a heterogeneous mix of devices. "Because a company doesn't own them, it doesn't know how to connect the devices, how to introduce them internally, or what to do if one is left behind somewhere," says SystemsExperts' Gossels.
Gene Fredrickson, vice president of information security at Raymond James Financial, has implemented a wireless-security solution from Oldsmar, Fla.-based Fortress Technologies. He says the solution can support multiple platforms, from Palm PDAs to network computers. "It's a diverse environment, but we couldn't mandate that everyone throw everything away," he says.
Other firms are opting to stay out of wireless altogether. Hyatt notes that Vanguard does not allow any non-Vanguard devices to be attached to the network, and the firm does periodic drive-around searches for wireless signals.
While some traveling employees are granted permission to use Vanguard-issued remote devices, Hyatt explains that the firm is pacing itself. "We're paranoid," he adds. "Before we release it, we have to have it under control."
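The drive-around search Hyatt describes only pays off if the survey results are compared against an inventory of the access points the firm actually owns. The script below is an added example (not code from the article or from Vanguard) of that comparison: it takes constructed survey records and a hypothetical inventory, and flags three things a practitioner looks for, an unknown radio broadcasting the corporate SSID (an evil twin), an unknown radio strong enough to be inside the building, and an authorised access point running with weak or no encryption. The inventory, BSSIDs, SSIDs and the -60 dBm on-premises threshold are all assumptions chosen for illustration.

```python
"""Rogue access-point survey check (added example, not from the article).

Compares the results of a wireless survey (the drive-around search described
above) against an inventory of authorised access points and flags anything
that should not be radiating on or near the premises. All data below is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical inventory of corporate APs: BSSID -> expected SSID.
AUTHORISED_APS = {
    "00:0c:29:4a:11:01": "CORP-WLAN",
    "00:0c:29:4a:11:02": "CORP-WLAN",
    "00:0c:29:4a:11:03": "CORP-GUEST",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())

# Signal level (dBm) above which an unknown radio is probably inside the
# building rather than a neighbour across the street. Assumed value; tune it
# by walking the perimeter with the same scanner used for the survey.
ON_PREMISES_DBM = -60


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    encryption: str  # e.g. "WPA2", "WEP", "OPEN"


# Constructed survey output, as a scanner might log it on a drive-around.
SURVEY = [
    Observation("00:0c:29:4a:11:01", "CORP-WLAN", 6, -45, "WPA2"),
    Observation("00:0c:29:4a:11:03", "CORP-GUEST", 11, -52, "WPA2"),
    Observation("aa:bb:cc:dd:ee:01", "CORP-WLAN", 1, -48, "OPEN"),       # evil twin
    Observation("aa:bb:cc:dd:ee:02", "linksys", 6, -41, "OPEN"),         # rogue under a desk
    Observation("aa:bb:cc:dd:ee:03", "NEIGHBOUR-NET", 11, -85, "WPA2"),  # across the street
    Observation("00:0c:29:4a:11:02", "CORP-WLAN", 1, -50, "WEP"),        # authorised AP, weak crypto
]


def classify(obs: Observation) -> Optional[str]:
    """Return a finding label for one observation, or None if it is benign."""
    if obs.bssid in AUTHORISED_APS:
        # Known hardware: check it is configured the way the inventory says.
        if obs.ssid != AUTHORISED_APS[obs.bssid]:
            return "authorised-bssid-wrong-ssid"
        if obs.encryption in ("OPEN", "WEP"):
            return "authorised-ap-weak-encryption"
        return None
    # Unknown radio from here on.
    if obs.ssid in CORPORATE_SSIDS:
        return "evil-twin"          # impersonating the corporate network
    if obs.signal_dbm >= ON_PREMISES_DBM:
        return "rogue-on-premises"  # strong enough to be inside the building
    return None                     # weak and unknown: probably a neighbour


def survey_findings(observations=SURVEY) -> List[Tuple[str, str, str]]:
    """Run the classifier over a survey; returns (bssid, ssid, finding) tuples."""
    findings = []
    for obs in observations:
        label = classify(obs)
        if label:
            findings.append((obs.bssid, obs.ssid, label))
    return findings


if __name__ == "__main__":
    for bssid, ssid, label in survey_findings():
        print(f"{label:32} {bssid}  {ssid!r}")
```

Signal strength alone is a weak discriminator, which is why the evil-twin rule fires regardless of signal level: a device impersonating the corporate SSID is worth a visit even if it appears to be next door. Conversely, a weak unknown network is ignored here only because the inventory comparison, not the scan, is the control that matters.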
Data accessibility and entitlements are a third area that many firms are focusing on. Mellon's Woods cites an industry statistic that about 70 percent of all network intrusions originate from inside a firm's firewall. For this reason, he says, every PC at Mellon is configured with a 15-minute inactivity time-out, reducing the chances that an unauthorized user could access information from an unattended machine.
Woods also stresses a need for a corporate-security culture. "There's a lot of support at the top of the house for security that cascades down," he says, adding that information security should be a part of every employee's initiation and discussed in newsletters and via employee-awareness campaigns. While security projects may not have a visible return on investment, Woods says that the nature of the industry requires constant attention to the endeavor. "We're in a business that's largely built on our customers' trust, and that drives our investment," he says. "Our customers deserve that kind of protection."
Top Security Projects Last Year
Prioritizing Security Projects
Jim Hyatt, principal for planning and development at Vanguard Financial, chooses security projects using a traffic-light schema:
Red - needs highest level of attention
Yellow - needs moderate attention
Green - under relative control
For example, a new program such as Vanguard's system for monitoring data storage and ownership is designated as red. As the program is fine-tuned, Hyatt says, it will move down to a yellow or green label.
On the other hand, remote access to Vanguard's network is currently designated as green. However, green can move to yellow quickly with the introduction of a new technology, such as a mobile laptop.
The firm also uses the traffic-light schema to rate third-party vendors or application-service providers. "We get to monitor across the firm and assign ownership," Hyatt explains. "The entire company knows how to read the dashboard. It's a powerful tool."