Fending off intruders is usually a job reserved for the military or police, but it's a task that Robert Garigue knows well.
Garigue, vice president of information security and chief information security officer at Bank of Montreal, is responsible for overseeing security across the vast array of business lines at BMO, including its full-service brokerage, BMO Nesbitt Burns, and its recent acquisition of online-discount broker CSFB Direct.
As security head, it's his job to ensure that the firm carries out penetration testing, conducts intrusion detection and generally keeps an eye out for intruders.
"For me, this is not new," he says of vulnerability analysis and intrusion detection. Before joining BMO, Garigue worked for the Canadian armed forces where he learned about the "whole notion of information warfare" and "how you use information in conflict."
"A lot of organizations are looking for ways to verify their security," he says, and penetration testing is one way of accomplishing that. However, for many financial institutions, it's still a relatively new concept. "It's something you should be doing every day," he says, adding that "verifying your configuration is up to snuff" is only half of the challenge. The other is using the data from such testing for trend analysis to improve your infrastructure.
Security issues are taking on a more prominent role in financial institutions, notes Jonathan Gossels, president of SystemsExperts, a Sudbury, Mass., firm that advises financial institutions on security and technology.
Five years ago, he says, the title of chief security officer was "almost unheard of; now it's relatively common."
Traditionally, responsibility for ensuring the security of technology assets fell to network administrators, under the rubric of the chief information officer. However, with the rise of the Internet and electronic transactions, there's a greater focus among financial institutions, and their customers, on protecting sensitive information from falling into the wrong hands. That has given rise to specialists within financial firms, like Garigue, who are given the task of overseeing security.
Garigue explains that when it comes to dealing with security in a financial firm, it's all about "risk management." One of the things that "keeps me awake at night" and which he thinks will be one of the bigger challenges is, "How do we ensure there is no ID theft?" The industry has already seen the dangers around that.
In April 2001, Wall Street was shown how extensive the attempts to penetrate its systems are when police arrested two men accused of trying to steal millions of dollars from the brokerage, bank and credit accounts of celebrities such as Oprah Winfrey, Ted Turner and George Soros. According to media reports, one of the accused had, at the time of his arrest, a copy of Forbes magazine's annual report on America's 400 richest people. Written in the margin was some of the wealthy individuals' sensitive information, such as account balances, account numbers and home addresses.
Authorities were alerted after Merrill Lynch received an e-mail requesting that it transfer $10 million from the account of Thomas Siebel, founder of Siebel Systems, to an Australian account. That would have caused an imbalance so the brokerage contacted him and found he never made the request. Further investigation detected similar requests involving other accounts.
It's an incident such as this that emphasizes the need for financial institutions to examine security, experts say.
Gossels recently surveyed his financial-institution clients on the 147 security-related projects they have underway. So what's keeping chief security officers awake at night? He found that the leading project was testing Web sites for their vulnerability to hackers. "Companies are slowly but steadily progressing on intrusion-detection testing" and deploying intrusion-detection technology, says Gossels. As well, the technology is getting more sophisticated in looking for anomalies and filtering those detections to the right person via alerts.
Nonetheless, he says, some of it might be for naught, because while the technology can generate reports and provide telltale signs about activity, "nobody is looking at the reports and firms are not keeping signature files current to look for the latest attack. This is a surprise, given how much effort and attention is being paid to security these days." Gossels says he's also surprised at "how few firms actively engage in preparing themselves for a cyber attack" and the lack of "incident preparation. It's not a major planning exercise," he says, noting that three or four people can bang together a two-page plan on what to do if there is an incident, but it's "amazing how few companies even do that."
Other security projects that firms are undertaking, he says, include perimeter testing, "security audits of one sort or another," a review of security infrastructure and a look at security of ASPs and issues around integrating them into existing environments.
Security is also becoming an important part of budgeting, Gossels says, noting that spending on security ranges between 10 and 15 percent of IT budgets. "It really depends on the company."
E-mail is also an area that is garnering more attention. That's certainly the case for Wendell Hutsell, assistant vice president of technology at Ameritas Investment Corp., a national broker/dealer. Hutsell recently installed the latest in technology, an encrypted e-mail system that cloaks firm communications with its clients and representatives.
"We take security and privacy very, very seriously," says Hutsell, whose firm has more than 1,200 reps operating across the country.
Because his firm deals with "sensitive information ... it's extremely important to protect that info both from a corporate and personal perspective."
Hutsell says that he is less concerned that somebody is sharing a "hot tip" with outsiders than he is with outsiders "finding out John Jones is worth $2 million," referring to a hypothetical client. "If that info gets out, you have a very high potential for a lawsuit."
Hutsell's not alone in his concerns about unauthorized access to information. It's a topic that is keeping more and more security experts at financial institutions awake at night and is capturing the attention of top-level management, especially with the passage of laws like the Gramm-Leach-Bliley Act.
It imposes on financial institutions an obligation to protect the privacy rights of customers and ensure the security of non-public personal information.
The legislation limits disclosure of information to non-affiliated third parties and calls on financial institution agencies and regulators to set standards to ensure the security and confidentiality of customer records and protect against unauthorized use of such records or information.
"If you're caught sending client information insecurely, it could be very bad for your firm," surmises Kurt Larson, chief technology officer at Fetter Logic, Inc. in Denver.
Larson says he sees "a lot of scanning attempts" by intruders to "see what you have" in terms of security protection. "There's a lot of that going on which people don't know about." As well, with e-mail, it is often routed to servers across the country and a firm can never really know "who has been reading their e-mails. It's what you don't know that's going to hurt you. These days e-mail is like sending a post card, probably even worse. It's very insecure."
With e-mail taking on the role of the killer application and becoming ubiquitous, he says, it's critical for firms to address the security of their e-mails. That can be difficult for smaller firms, which are "afraid to even get e-mail."
John Ryan, chief executive officer of ZixIt, notes that his system uses public-key infrastructure to encrypt e-mails so that only the proper recipient can read them. "What we help people do is protect the confidentiality and privacy of communications externally."
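The e-mail point made in the last three paragraphs (a message in transit can be read by any relay that handles it, while public-key encryption lets only the intended recipient read it) is illustrated below in an added example. This is not ZixIt's code and says nothing about how its product is built; it is a stand-alone Go program using only the standard library, with freshly generated keys and a constructed message, showing the hybrid scheme commonly used for encrypted mail (RSA-OAEP wraps a one-time AES-GCM content key), and what happens when someone holding a different private key, or someone who alters the message on the wire, tries to read it. The type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; sender and recipient must use the same label.
var oaepLabel = []byte("mail-content-key")

// SealedMail is a constructed wire format for one message: a fresh AES-256 key
// wrapped to the recipient's RSA public key, plus the GCM nonce and ciphertext.
// A relay sees only these three opaque fields.
type SealedMail struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// SealForRecipient encrypts body so that only the holder of the private key
// matching pub can recover it (hybrid scheme: RSA-OAEP wraps a one-time AES-GCM key).
func SealForRecipient(pub *rsa.PublicKey, body []byte) (*SealedMail, error) {
	contentKey := make([]byte, 32) // AES-256 key used for this message only
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM also authenticates the ciphertext, so a relay that alters the message is detected.
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedMail{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenAsRecipient reverses SealForRecipient. Any other private key fails at the
// unwrap step; a modified ciphertext fails GCM authentication. Neither path yields plaintext.
func OpenAsRecipient(priv *rsa.PrivateKey, m *SealedMail) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended recipient")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message rejected: ciphertext was altered in transit")
	}
	return body, nil
}

// newGCM builds the AES-GCM AEAD for a raw 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: the recipient's keypair and an unrelated relay operator's keypair.
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	relayOperator, _ := rsa.GenerateKey(rand.Reader, 2048)
	body := []byte("Constructed sample: client J. Jones, balance $2,000,000")

	sealed, err := SealForRecipient(&recipient.PublicKey, body)
	if err != nil {
		panic(err)
	}
	plain, err := OpenAsRecipient(recipient, sealed)
	fmt.Printf("recipient reads: %q (err=%v)\n", plain, err)

	_, err = OpenAsRecipient(relayOperator, sealed)
	fmt.Println("relay operator with own key:", err)

	sealed.Ciphertext[0] ^= 0x01 // one flipped bit on the wire
	_, err = OpenAsRecipient(recipient, sealed)
	fmt.Println("tampered message:", err)
}
```

The per-message content key is what makes this practical for mail: RSA can only wrap a few dozen bytes, so the body itself is encrypted symmetrically and only the small key is wrapped to the recipient. Real systems (S/MIME, PGP) add a trust model for obtaining the recipient's public key and a sender signature; neither is shown here.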