A revolutionary new paradigm in ePrivacy for Banking and Financial Services

The Challenge
Over the past several years, security and business best-practices for the financial services industry have dramatically evolved. Today, a day-in-the-life of a financial IT security professional is dominated by concerns about security, data loss, privacy, compliance and risk management. Add to this the explosion of eBusiness and on-line banking, and the result is a whole new set of challenges for banks, securities firms, insurance companies and other financial institutions.

For today’s IT security teams, the proliferation of more and more costly and complex security point-products has created a vicious cycle that seems to have no end. New point-products may fix yet another inherent security gap, but they also create even more resource requirements, administration overhead and help-desk calls.

And, because privacy, data loss and accountability matter, there are also compliance requirements. A host of legislative initiatives over the past decade have led to a series of new regulatory laws which add to the pile of existing information security challenges. Regulations like the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Title 16 of the Code of Federal Regulations (16 CFR) and Basel II all require enhanced security and privacy while raising the legal and financial stakes for organizations and enterprises that fail to meet the standards.

Given these constant challenges, one has to wonder if these security gaps and holes ever really end. When you think about it, most security solutions take a band-aid approach – focusing purely on trying to fix inherent gaps in the public Internet infrastructure and protocols. Unfortunately, more and more security band-aids don’t necessarily allow you to securely and efficiently conduct business in ways that are more revolutionary and deliver higher impact. What if there was a better way?

We’ll get to that, but first let’s take a closer look at some of the compliance, data loss and cybercrime challenges facing the financial services sector.

Data Breaches and Data Loss
Preventing data loss or theft is now a board-level issue. Not only is the company’s brand and reputation at stake, but there is the potential for severe regulatory penalties due to data loss. Given companies’ general reluctance to report it, statistics vary as to the extent of data loss. Nonetheless, several recent high-profile public instances of data breaches and loss have made global headlines. Just this year, a security breach at the Hannaford Bros. supermarket chain exposed more than 4 million card numbers and led to 1,800 cases of fraud. In 2007, T.J. Maxx, CitiGroup, the U.S. Veterans Administration, the University of California, Gap, Pfizer, and many others all had major data breaches.

No organization or enterprise is immune to data loss, as the following facts outline:

  • 282 existing data privacy regulations exist around the world
  • The typical Fortune 1000 financial institution leaks sensitive information and loses one laptop every day
  • An independent 2007 study in the Journal of Computer-Mediated Communication found that more than 1.9 billion records were exposed between 1980 and 2006 – an average of nine records for every US citizen
  • Over 85% of data loss incidents are due to insiders
  • 75% of those are due to accidental behavior, or failure of security & privacy processes
  • 2/3 of Americans have had their personal information exposed
  • According to the Ponemon Institute, disclosure costs in the event of a breach can approach $200/record – while business recovery costs are far higher

Based on the data, it is largely accepted that insider threats pose an equal or greater risk than outside threats. Of those, data-in-motion – most specifically email – was the most significant contributor to internal data loss. The real risk of email data breaches by internal threats is highlighted in a recent US study that found companies estimate that nearly 1 in 5 outgoing emails (19%) contained content that poses a legal, financial or regulatory risk. In the study, the most common form of non-compliant data (30%) was email that contained confidential or proprietary business information.

Research published last year by Datamonitor provides even more insight into the internal state of data policy at over 1400 large organizations around the world. The results included the following:

  • 84% of respondents said their organization has a policy regarding the treatment of sensitive information, including shredding (69%), locks (47%) and passwords (51%)
  • 21% of respondents admitted to leaving a confidential or sensitive document on a printer or fax tray
  • More than a quarter of respondents (26%) do not shred confidential or sensitive documents when they have finished with them
  • Nearly 9 out of every 10 respondents (88%!) use company email to transfer customer data outside of their organization.

So, given the staggering amount of data breaches and data loss occurring in today’s business environment, why is it that so many organizations still do not have effective solutions and controls in place to stop it? In many cases, one need only look as far as the available security solutions to find the answer. High cost and complexity, excessive administration, and lack of scalability and control are all real hurdles to implementing effective data and privacy protection in the enterprise. And, for those organizations that took the leap and invested in data security and encryption solutions, buyer’s remorse is staggeringly high.

Regulatory Requirements
Financial institutions of every shape and color are grappling with the mandate to meet certain regulatory laws and requirements. At the same time, internal audits for regulatory requirements represent a continuous strain on IT and security & risk teams. Over the past several years, the number of new regulatory laws has increased dramatically, with over 280 worldwide laws focusing on data privacy alone. These laws require enhanced security and privacy while raising the legal and financial stakes for enterprises that fail to meet the standards. For financial services organizations, meeting these requirements (and passing regulatory audits) hinges on the ability to demonstrate controls and processes that protect sensitive customer information against threats to security, confidentiality and integrity. Two of these requirements – Gramm-Leach-Bliley and Sarbanes-Oxley Acts – are regulatory heavyweights for the financial services industry.

The Gramm-Leach-Bliley Act (GLBA) – also known as the Financial Modernization Act of 1999, GLBA requires banks, insurance companies, brokerages, and other financial institutions to establish administrative, technological, and physical safeguards to ensure the confidentiality and integrity of customer records and information. In addition, Section 501(b) of GLBA establishes high-level privacy and security requirements that financial institutions must comply with.

Sarbanes-Oxley Compliance – resulting from the high-profile Enron and WorldCom financial scandals, the Sarbanes-Oxley Act (SOX) was established in 2002 to bring about accounting reform and provide investor protection. SOX covers issues such as auditor independence, corporate governance and enhanced financial disclosure to reinforce investment confidence and improve the accuracy and reliability of corporate disclosure. Data security breaches, for example, could indicate gaps or weaknesses in controls that must be disclosed under Section 404 of the SOX Act.

For IT security teams, meeting GLBA and SOX will mean: 1) identifying and assessing security risks, 2) restricting access to their networks, 3) implementing controls to protect sensitive information, 4) preventing malicious or inadvertent disclosure of personal and confidential information and 5) protecting against reasonably foreseeable vulnerabilities. Threats such as spyware, sophisticated keyloggers, botnets, network worms, web-based viruses, phishing attacks and data theft are some of the biggest threats to insurance and financial services companies. These malware applications may be inadvertently installed by employees and can go undetected for extended periods of time, resulting in a continuous outflow of confidential customer, personal or organizational data to malicious third parties.

The Dangers of On-Line Banking
Tens of millions of consumers now bank online. A recent set of reports from Javelin Strategy and Research reveals that 42% of customers new to online banking would prefer email to be the primary form of bank communication. However, even though bank notification email is expanding rapidly, many banks are wary of its broad deployment. This is likely due to the fact that attacks on email are on the rise. As of September 2007, only 9 of the top 25 U.S. card-issuing banks used email alerts for password changes on the account.

An August 2007 MessageLabs Intelligence Report highlights the threat of botnet attacks, which spread rapidly across thousands of individual computers. These botnets mine contact lists and send spam and viruses back onto the Internet. The report also states that, currently, 1 in 174 emails contains a phishing attack. Yet, in spite of the risky aspects of email in online banking, many banks are leveraging email alerts and notices due to customer service and market-driven requirements. Banks are also leveraging email due to the fact that it represents the most effective ‘push’ method available for timely account notifications.

In general, most banks have adopted a hybrid solution for delivering online banking services, which include:

  • Secure web services (HTTPS) that incorporate content encryption for viewing account activity online, and
  • Cleartext (unencrypted) email for deposit, payment and other notifications

Unfortunately, highly organized cybercrime has taken advantage of the weaknesses in public email systems. As a result, phishing and other cyber-fraud have grown commensurately. According to a report by the US Government Accountability Office, more than $50B in cybercrime losses resulted from online banking fraud in 2006. So how are cyber-criminals exploiting the hybrid approach outlined above? The email address is the culprit.

An email header contains sender and recipient email addresses – that is, the routing information required to move the email packets over the Internet. This means that cyber-criminals and harvesters can plainly see the bank name, the account holder’s email address, and the email subject heading. Spammers and phishers have little interest in the HTTPS-encrypted content on the web side. Rather, to fraudsters intent on phishing, the profiled email address is much more valuable. For those phishing campaigns that successfully result in the disclosure of a victim’s account number and PIN, all start with a hijacked email address.

So, for lack of a better notification method, email addresses are freely harvested for more and more spam & phishing. This vicious cycle can only be halted by making the email address and content completely private, and safe from harvesting.
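To make the header-exposure point concrete, here is an added Python example; it is not WebLOQ’s code and not part of the original article. It parses a constructed bank notification to show which fields remain readable by any relay on the delivery path, then encapsulates the whole original message, headers included, inside an outer envelope that carries only generic routing headers, so the inner payload can be encrypted as a unit (the same encapsulation idea underlies header protection in S/MIME, where the original message is wrapped as message/rfc822). The addresses, the sample message, the key and nonce, and the HMAC-SHA256 counter-mode stand-in cipher are all assumptions for the sake of an offline demonstration; a real deployment would use an authenticated cipher such as AES-GCM and a proper key exchange.

```python
"""Added example: what an email relay can read, and how encapsulating the
complete message inside an outer envelope hides the original sender,
recipient and subject. Not WebLOQ's implementation."""
import hashlib
import hmac
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample notification (not a real message or real bank).
SAMPLE_NOTIFICATION = b"""\
From: alerts@examplebank.example
To: jane.doe@mailhost.example
Subject: Your deposit of $1,250.00 has posted
Date: Mon, 02 Jun 2008 09:15:00 -0500
Message-ID: <constructed-001@examplebank.example>
Content-Type: text/plain; charset=us-ascii

A deposit was posted to your checking account ending in 4421.
Log in at https://www.examplebank.example/ to review.
"""

# Header fields that travel in the clear on ordinary SMTP delivery even
# when the web session the message points to is HTTPS.
HARVESTABLE = ("From", "To", "Subject")

# Assumed demo key material; a real system derives these per message.
DEMO_KEY = b"assumed-demo-key-not-for-real-use"
DEMO_NONCE = b"demo-nonce-01"


def transit_visible_fields(raw: bytes) -> dict:
    """Return the header fields an MTA, relay or network sniffer can read."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {name: str(msg[name]) for name in HARVESTABLE if msg[name] is not None}


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: HMAC-SHA256 in counter mode as a keystream.
    Symmetric (the same call decrypts) and unauthenticated; it exists only
    to keep the example dependency-free. Use AES-GCM or similar in practice."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encapsulate(raw: bytes, outer_from: str, outer_to: str, encrypt_payload) -> bytes:
    """Wrap the complete original message (headers and body) as the opaque
    payload of an outer envelope whose own headers reveal nothing about it.
    `encrypt_payload` is any bytes -> bytes cipher supplied by the caller."""
    outer = EmailMessage(policy=policy.default)
    outer["From"] = outer_from
    outer["To"] = outer_to
    outer["Subject"] = "Protected message"  # generic on purpose
    outer.set_content(encrypt_payload(raw),
                      maintype="application", subtype="octet-stream",
                      filename="message.bin")
    return outer.as_bytes()


def unwrap(outer_raw: bytes, decrypt_payload) -> bytes:
    """Recover the original message from an encapsulated envelope."""
    outer = BytesParser(policy=policy.default).parsebytes(outer_raw)
    return decrypt_payload(outer.get_content())


if __name__ == "__main__":
    cipher = lambda data: xor_keystream(DEMO_KEY, DEMO_NONCE, data)
    print("Cleartext notification exposes:", transit_visible_fields(SAMPLE_NOTIFICATION))
    wrapped = encapsulate(SAMPLE_NOTIFICATION, "gateway@community.example",
                          "member-7@community.example", cipher)
    print("Encapsulated envelope exposes:", transit_visible_fields(wrapped))
    assert unwrap(wrapped, cipher) == SAMPLE_NOTIFICATION
```

Running it shows the cleartext notification leaking the bank’s address, the customer’s address and a subject line that itself describes the transaction, while the encapsulated envelope exposes only the generic gateway addresses and the fixed subject; the real From, To, Subject and body are all inside the encrypted payload, which only the holder of the key can unwrap.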

A New, Revolutionary Approach to IT Security and Privacy
What if you could?

  • Leverage the Internet as a trusted online banking and eBusiness resource?
  • Make sensitive email, identities and documents totally invisible to hackers, spammers, phishers and data thieves?
  • Effortlessly meet regulatory requirements like SOX, GLBA, 16 CFR and HIPAA?
  • Dramatically increase efficiency and work-flow, while cutting costs for inefficient manual processes?
  • Deploy a cost-effective and green IT security technology?

The WebLOQ ePrivacy Solution
WebLOQ provides a fully secure, easy-to-use ePrivacy solution that is ultra-simple to deploy, legally compliant, and impossible for cyber-criminals to break. With one simple download you can begin building a totally private eBusiness or Internet community with whomever you choose – including customers. And, unlike anything available today, WebLOQ works on any operating system, any email client, any platform, and over any internet connection. The unique WebLOQ solution combines proven encryption technology with revolutionary privacy protection that is totally transparent to all end-users.

The result is a powerful IT security and ePrivacy application that empowers any financial services organization to deliver secure and private services, stop data loss, improve operations, reduce costs, automate critical processes, and meet regulatory requirements. By focusing on the broader issue of privacy – in addition to security – WebLOQ ePrivacy solutions allow users at any technical level to meet the rigorous requirements of today’s highly competitive and regulated eBusiness environment.

WebLOQ’s unique ePrivacy features:

  • Combine revolutionary technology with unrivaled ease-of-use & plug-and-play functionality
  • Include flexible and scalable hosted SaaS and on-premise ePrivacy solutions for enterprises and SMBs of all sizes
  • Deliver end-to-end information security, data-in-motion privacy and on-demand compliance reporting.
  • Provide industry-standard encryption and key exchange technology that is completely transparent to end-users
  • Reside behind any standard email client
  • Work with any hardware or operating system – including PDAs and Smartphones

WebLOQ is independent from all of the following:

  • The public Domain Name System (DNS)
  • Internet Corporation for Assigned Names and Numbers (ICANN) Top-Level Domains (TLDs)
  • 3rd-party certificates
  • Internet Service Providers (ISPs), Telcos, Cable and other carriers
  • The transport layer and all connectivity
  • Operating systems and platforms

To assure privacy and security, the WebLOQ ePrivacy Solution incorporates:

  • WebLOQ’s revolutionary private domain naming scheme (i.e. customer@safebank.private). This means that not only is client confidentiality protected with encryption, but messages cannot be routed outside the WebLOQ private eBusiness community
  • Guaranteed end-to-end message privacy – achieved through the use of multiple cryptographic algorithms
  • Fully transparent dual-layer encryption – WebLOQ private email, including the packet, attachments and packet header, is automatically double encrypted

Our vision is to make the Internet and eBusiness a safe and legally compliant place for individuals and businesses. Our goal is to build secure and trusted private communities where businesses and individuals can easily communicate and exchange information – no matter how sensitive – with other known and trusted individuals and businesses. To learn more, or get your free WebLOQ ePrivacy trial, visit us at www.webloq.com/home.
