We live in a world of trust. We want to believe that everyone is good, and that Ozzie and Harriet live next door. Unfortunately this world does not exist -- especially online. Many of us take data security for granted -- we reuse the same passwords, we leave our Wi-Fi networks unencrypted and we don't shred our financial statements. In this day and age, this is insane.
Hacking has evolved from a teen prank to a major criminal enterprise that prods every security gap to find ways to rip off not only large financial institutions, but also individuals. These are not fly-by-night enterprises; these are crime syndicates that systematically corrupt insiders, exploit weaknesses, phish and dumpster dive to find sensitive information and rob people blind.
But how do we secure our infrastructure in an age of seamless connectivity, Wi-Fi, open access, data fabrics and shared services? And as we extend our infrastructure through edge computing, Web services and ubiquitous connectivity, one doesn't need to be next door to be a Peeping Tom. So how do we defend this infrastructure?
Traditionally, data was protected by perimeter defenses such as private connectivity, hardened data centers, card keys, firewalls, encryption and password authentication. These tools, however, are no longer enough. Leased lines are too expensive, not all access points or technology sit in the data center, and the Internet provides access not only to firms, but also to almost all of the technology within them. People also have so many passwords that they need to write them down. How safe is that?
Looking in from the outside, security is more than the perimeter. We need to think about security at every point in the technology chain. Infrastructure defense needs to be thought of as concentric, isolated spheres that not only surround core assets, but also insulate them from outside influences.
We need to think about security from the inside as well, since a majority of security breaches are perpetrated from there. We need to implement technologies that know what each employee is allowed to view, do, access and send. And if those rules are broken, compliance must be notified and empowered to act -- whether against a money transfer clerk, the head trader, the lead banker or the corner office.
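One way to put that inside-out principle into code: a deny-by-default authorizer that maps roles to the actions (view, do, access, send) they may take on each class of resource, applies a dual-control rule to large money transfers, and records every decision so that denials can be routed to compliance. This is an added illustration, not code from the column or from any firm mentioned in it; the role names, resource classes and the dual-control threshold are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: role -> resource class -> permitted actions.
# Anything not listed here is denied (deny by default).
POLICY = {
    "transfer_clerk": {"wire_queue": {"view", "do"}, "client_records": {"view"}},
    "head_trader":    {"order_book": {"view", "do", "access"}, "client_records": {"view"}},
    "lead_banker":    {"deal_files": {"view", "do", "access", "send"}},
    "compliance":     {"audit_log": {"view", "access"}},
}

# Hypothetical dual-control threshold: a single clerk may not execute a wire
# above this amount without a second, different person approving it.
WIRE_DUAL_CONTROL_LIMIT = 100_000


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    action: str
    resource: str
    allowed: bool
    reason: str


class Authorizer:
    """Checks each request against POLICY and keeps an audit trail of decisions."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.audit: list[AuditEvent] = []

    def check(self, user: str, role: str, action: str, resource: str,
              amount: Optional[int] = None, approver: Optional[str] = None) -> bool:
        # 1. Role/resource/action must be explicitly permitted.
        permitted = self.policy.get(role, {}).get(resource, set())
        if action not in permitted:
            return self._record(user, role, action, resource, False, "not in role policy")

        # 2. Large wires need a second approver who is not the requester.
        if resource == "wire_queue" and action == "do" and amount is not None \
                and amount > WIRE_DUAL_CONTROL_LIMIT:
            if approver is None or approver == user:
                return self._record(user, role, action, resource, False, "dual control required")

        return self._record(user, role, action, resource, True, "permitted")

    def _record(self, user, role, action, resource, allowed, reason) -> bool:
        # Every decision, allowed or not, is logged; denials feed compliance.
        self.audit.append(AuditEvent(user, role, action, resource, allowed, reason))
        return allowed

    def compliance_alerts(self) -> list[AuditEvent]:
        """Denied requests that compliance should be notified about."""
        return [e for e in self.audit if not e.allowed]


if __name__ == "__main__":
    # Constructed sample requests, not real activity.
    auth = Authorizer()
    auth.check("clerk1", "transfer_clerk", "view", "client_records")
    auth.check("clerk1", "transfer_clerk", "do", "wire_queue", amount=250_000)
    auth.check("clerk1", "transfer_clerk", "do", "wire_queue", amount=250_000, approver="sup1")
    auth.check("trader1", "head_trader", "send", "client_records")
    auth.check("ceo", "corner_office", "view", "audit_log")
    for ev in auth.compliance_alerts():
        print(f"ALERT {ev.user} ({ev.role}) tried to {ev.action} {ev.resource}: {ev.reason}")
```

The point of the design is that the policy is the only place that grants anything, the audit trail is written by the same code path that makes the decision, and a denial is an event for compliance rather than a silent failure. The corner-office request is refused for the same reason as anyone else's: the role simply has no entry in the policy.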
But how do we get the budget to reengineer security? Security traditionally has been a non-ROI investment relegated to audit or compliance. Today, however, the investment criteria are different. After high-profile disruptions such as CitiGroup's closure of its ATM network in Russia, the U.K. and Canada, budget dollars will be easier to secure. No financial institution wants to be the poster child for lax security.
Security is also gaining client visibility as we begin to see it promoted as an online feature. Recently, Bank of America added phishing protection, and Schwab and E*Trade are promoting fraud guarantees. Such offerings will become common, if not standard, for financial firms trying to allay their clients' security fears.
But providing online security is not enough. As we move into the second online decade, we need to rethink how we manage technology security. We not only need to embed identity, authority and protection into virtually every piece of hardware, software and data we develop, deploy or implement, we also need to rethink how we manage our personal financial identity information; otherwise, our safe and protected lives will spiral into turmoil. And while Ozzie and Harriet may be a dream, it is certainly much better than the nightmare of Tony Soprano with my Social Security number.

Larry Tabb is the founder and CEO of TABB Group, the financial markets' research and strategic advisory firm focused exclusively on capital markets. Founded in 2003 and based on the interview-based research methodology of "first-person knowledge" he developed, TABB Group ...