
The board was dumbfounded. Only six individuals were on the circulation list that detailed its confidential deals, and yet details of the company’s acquisition plans were appearing on a Yahoo notice board within minutes of being distributed. This was not only embarrassing—it could land them in hot water as the firm was listed on the U.S. stock market. It seemed a little too “James Bond,” but someone suggested that they use a little counter-intelligence to try to get to the bottom of it. The decoy message leaked too, but it gave them a lead. The source had to be internal. Sure enough, a disgruntled employee with network clearance was doing the cutting and pasting.

This scenario is just one example of a security nightmare, and not a high-tech one at that. But it illustrates why security tops the list of board concerns in banks.

Phishing is probably the most visible problem at the moment—it is a version of identity theft, achieved most commonly by targeting the customers of banks with e-mails, as if from the bank, asking for logons and passwords. Its success lies in the fact that it only takes a fraction of one percent of recipients to oblige the perpetrators. Pretty much all banks have found themselves targets in the last 12 months, including no less an august institution than the Bank of England. The phishing software has been traced to China, Nigeria, Brazil, Russia, and former countries of the Soviet Union; it involves elaborate scams spanning three continents, which suggests to experts the likely involvement of global crime syndicates.

And customers are not wising up: the percentage of individuals fooled by fraudulent e-mails has risen from 0.1 to 0.5 per cent in the last six months which—when spread over, say, one million online customers—translates into 5,000 individuals giving account details away.

How much should security cost?

When phishing is put alongside malign software, hacks, blended attacks, and so on, then it is obvious that this is a battle that ultimately cannot be won. To date, companies can only take reactive measures against external security threats, like patches and firewalls. These systems do not anticipate attacks but respond to known attacks. So the unexpected is always a risk.

Putting it another way, security is potentially a spending black hole. So what should financial organizations reasonably spend on countermeasures? The average investment will peak at eight to 12 per cent of IT budgets by 2006 in the U.S., according to researchers at Meta Group (a year later in Europe). “Security teams must model overall investment to track parity with industry peers and account for the cost of satisfying compliance requirements for managing information risk,” says Tom Scholtz, vice president with Meta’s Security & Risk Strategies advisory service.

But more can be done than just spending. The key is to ensure that business managers understand the technical language of IT—or rather, that IT can speak the language of business risk. People need to know what impact a security incident might have: if a virus is likely to take down the call center for a period of time, that can be translated into a certain loss; alternatively, benchmarks can be set for the maximum rate of system outages that the bank can stomach, with plans implemented to reduce it to a desired level.

For now, hackers, virus writers and more sophisticated outfits are one step ahead. They will not surrender their lead without a fight. However, you can be smart. Beyond the basics of up-to-date antivirus software and firewalls:

  • IT should deploy active systems that scan networks for suspect activity.
  • Security systems should be integrated: if the antivirus system detects a virus that is known to open up a backdoor, then the firewall needs to know about it.
  • IT managers need to learn how to explain the nature of the risk to business managers.
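The second point above, integrating antivirus detection with the firewall, as an added example that is not from the article or from any named vendor: an antivirus alert naming a virus known to open a backdoor is turned into a firewall rule that blocks that backdoor port on the infected host. The alert format, the threat names and the backdoor-to-port mapping are all constructed for the demonstration.

```python
# Added example, not from the article: turning an antivirus detection of a virus
# known to open a backdoor into a firewall rule, so the two systems act together.
# The log format, threat names and port mapping are constructed for this demo.
import re

# Constructed catalogue: the listening port each known backdoor opens (a real
# deployment would fill this from the antivirus vendor's threat intelligence).
KNOWN_BACKDOORS = {"W32/Example.Backdoor.A": 31337, "W32/Example.Backdoor.B": 6667}

# Constructed alert format: "<timestamp> host=<name> ip=<ipv4> threat=<name> action=<verb>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"threat=(?P<threat>\S+) action=(?P<action>\S+)$"
)

def rules_from_av_log(lines):
    """Return one (infected_ip, port, reason) tuple per known-backdoor detection.
    Non-backdoor threats and malformed lines yield nothing; repeated alerts for
    the same host and port collapse into a single rule."""
    rules, seen = [], set()
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than guess
        port = KNOWN_BACKDOORS.get(m["threat"])
        if port is None:
            continue  # detected but opens no backdoor: AV cleanup alone suffices
        if (m["ip"], port) not in seen:
            seen.add((m["ip"], port))
            rules.append((m["ip"], port, f"AV: {m['threat']} on {m['host']}"))
    return rules

def as_iptables(rule):
    """Render a rule as an iptables command dropping inbound traffic to the backdoor port."""
    ip, port, reason = rule
    return (f"iptables -A FORWARD -p tcp -d {ip} --dport {port} -j DROP "
            f"-m comment --comment '{reason}'")

# Constructed sample alerts: a duplicate, a non-backdoor detection and a malformed line.
SAMPLE_AV_LOG = [
    "2004-11-03T09:12:44Z host=callctr-ws17 ip=10.20.3.17 threat=W32/Example.Backdoor.A action=quarantined",
    "2004-11-03T09:12:51Z host=callctr-ws17 ip=10.20.3.17 threat=W32/Example.Backdoor.A action=quarantined",
    "2004-11-03T09:13:02Z host=branch-pc04 ip=10.40.1.4 threat=EICAR-Test-File action=deleted",
    "garbage line from a half-written log",
    "2004-11-03T09:14:10Z host=teller-pc09 ip=10.40.2.9 threat=W32/Example.Backdoor.B action=quarantined",
]

if __name__ == "__main__":
    for rule in rules_from_av_log(SAMPLE_AV_LOG):
        print(as_iptables(rule))
```

Blocking the port only contains the backdoor; the infected host still needs to be cleaned and the rule removed once it is, so the rule's comment records which alert created it.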

IT security may be alarming but it is still just one risk amongst many that financial services face, and it is not necessarily the worst.