
Although you might think that network security is a problem inherent to the fast-paced advance of technology, your data is far more at risk from manual transactions with dodgy waiters or companies losing laptops. FST talks to Eric Holmquist about this.
Financial institutions have always been vanguards of technological advance, pushing development of faster, more sophisticated systems and applications to make their processes as efficient as possible. This rapid technological advance is cited by some as the Achilles heel of financial services, but for others, there are other more potent threats. “I would agree that technology does advance,” elaborates Eric Holmquist, VP of Risk Management at Advanta Bank Corp. “But this advancement isn’t necessarily revolutionary. We went through a major paradigm shift with the incorporation of the internet into business operations, but beyond that, the advances we see are just a continuing evolution of technology. Banks have become very resilient in responding to threats that have a technology base, plus we have such a high regulatory standard that we’re expected to protect our infrastructure.”
The security of data in financial services has been a key issue for some time. The Gramm-Leach-Bliley (GLB) Act of 1999 requires financial institutions to ensure the confidentiality of their customers’ information. The Federal Trade Commission (FTC) issued the Safeguards Rule as part of its implementation of the GLB Act, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. Safeguarding information is not only a legal requirement for financial services; it also makes good business sense. The mature security processes that financial institutions have in place mean that their networks enjoy better resilience against data loss. So how come data security is still so key?
Contemporary media is rife with stories of stolen laptops, private information accidentally being posted in public domains, hard drives disappearing. According to the Privacy Rights Clearinghouse/UCAN (www.privacyrights.org), since January 10th 2005, the total number of records containing sensitive personal information involved in security breaches in the US is listed at 104,067,495. This number is likely to have risen since this magazine went to print. Hundreds of consumers whose information has been compromised have also been victims of some form of identity theft.
Holmquist agrees that this is where the threat lies. “Breaches of security or issues at large in financial institutions are usually caused by human error: a tape gets misplaced, or a laptop lost. There’s nothing you can do systemically to protect against that. It just happens. More banks are starting to encrypt their backup, and encrypt their laptops. But the prompting element with all these measures is not the advancement of technology: it’s the human element.”
Holmquist is more concerned with these human factors than with technology outgrowing itself, and he looks to “third parties and those further down the food chain when it comes to protecting information, like at the merchant level. These are companies that don’t have the resources for the same kind of information security program. There’s much more liability at those levels than inside the bank itself.” Take for instance the Payment Card Industry (PCI) Data Security Standard, which, Holmquist points out, is not yet enforced at the merchant level. He goes on to underline the fact that many of the data breaches that have occurred recently have happened at third parties and merchants.
The compromising of information to be used in identity theft is a huge issue, which is only becoming greater. Recent surveys show there are currently about 9 million victims each year. But how can financial services ensure that their data and networks are kept secure? “You can’t,” says Holmquist. “Anybody who tells you otherwise is trying to sell you something. You’ll never see a financial institution say on their website ‘we guarantee your data is secure’. That would be like an airline saying they guarantee your plane isn’t going to fall out of the sky. They can’t do that.”
There are no absolutes in this field, Holmquist states, but financial institutions take every reasonable precaution to protect their data: they “go through rigorous validation controls, third party reviews following industry best practices, but at the end of the day, if somebody decides they’re going to try to steal the data, they could. We have mitigating controls to reduce the impact of that, but nobody can guarantee the data is absolutely safe.”
A case in point is internet banking, which people are increasingly coming to trust as a safe way to conduct their business. “Online banking and online merchant services are some of the most secure transactions in the world,” confirms Holmquist. “That’s not where the problem lies. People are starting to understand that that is an extremely secure channel for banking, or online purchases. The problem is the more manual-based processes where people are managing information and don’t follow procedure, or lose that laptop. You’re a hundred times safer engaging in electronic commerce online than you are giving your credit card to a waiter in a restaurant. That’s a much more likely course of compromising your information. There’s less understanding about online banking and online purchases, but as long as it’s with a reputable site there’s usually nothing to be concerned about there.”
Indeed, due to ever-mounting regulations in financial services, it seems that automated transactions are almost safer than human interaction. Still, some people in financial services are unhappy with the increasing level of regulation in the industry. Why is that? “Because regulations are almost always punishing the good guys for the sins of the bad guys,” explains Holmquist. “SOX was the classic example of that; there were a few bad eggs, so now everybody suffers. Most regulations are reactive. There’s never been a piece of regulatory guidance that’s come out where we’ve said ‘that’s a good idea, why didn’t we think of that first?’ Invariably we are already doing it, whatever it is. More often than not, regulators are reacting to a problem, reacting to troublemakers. If an institution is doing the right things and already has a well-managed program then they should already have those measures in place.”
As for the regulatory guidance that has been drafted on network security, virtually none of it has ever prompted an additional program at Advanta: “Mainly what it does is prompt more documentation. Don’t get me wrong, that’s not a bad thing. I’m a big fan of documentation as it does promote better practices, but in terms of spawning ideas of a new program you should implement, we haven’t really seen one yet.”
As banks implement increasing security measures, does this interrupt the flow of business for customers? “Not particularly,” Holmquist is adamant. “In fact, we have just been through the exercise of implementing stronger authentication - as did most financial institutions - but it was largely uneventful, and customers seemed to appreciate we were taking greater measures to safeguard their information. We have not found that our security measures have been prohibitive or inhibitive of our business processes. In financial services, it’s just part of life. Technology is advancing, but most institutions that have a reasonable infrastructure are already resilient enough to be able to manage that. It’s a never-ending process, always trying to stay one step ahead of the bad guy. But that’s the game we’re in.”
Source: Javelin/Better Business Bureau Survey - January 2006