MBA (4/1/2008) Palaparty, Vijay
Regulations and high levels of reputational risk will keep information security a top IT strategic initiative for financial institutions, panelists said in a recent Financial Insights webcast.
Successful management requires strategy that encompasses governance, applications, systems and services, said Aaron McPherson, research director of payments and security at Financial Insights, Framingham, Mass.
“Financial institutions need to find a way to make the benefits of information security investments show up in business cases,” McPherson said. “Too often, they lose out to revenue producing initiatives, even though they prevent revenue losing events. There is also an urgent need for greater collaboration between financial institutions and the government, customers and among financial institutions themselves. Technology is only part of the solution. Social and organizational factors are at least as important.”
David Tompkins, partner at Performance Solutions International, Randolph, N.J., said that information security comprises only 3 percent of IT budgets and that it is too often considered as a cost and not an investment.
“Why aren’t financial institutions doing more?” Tompkins said. “Within the 3 percent, personnel, consultants, research and development costs are included. Because financial institutions consider it as a cost and not an investment, their goal is to keep its costs as low as possible.”
Tompkins said information security applications are also viewed as complex and burdensome, straining network and system resources while posing challenges in deployment and maintenance. “There is a greater need to balance costs of information security with actual losses and reputational and regulatory risk,” he said, noting that the financial services industry is the most targeted industry for hackers.
Ninety percent of attacks target the financial sector, and these attacks weigh heavily on institutions’ reputational risk. “Reputation risk is high and most financial institutions consider this the largest risk associated with information security because of the intense media coverage that follows a data breach,” Tompkins said.
As consumer privacy and protection regulations increase, financial institutions are being more cautious while also focusing on exposure to third parties and conflicting regulations. “Third party breaches impact financial institutions,” Tompkins said. “The internet plays a greater role in financial services than it does in most other industries. The most successful banks are considered internet leaders. Therefore, the internet is a critical component of long-term strategic planning to lower costs and to increase integration with clients. But financial institutions must also deal with the negative perception of weak security in the online world.”
From a business perspective, financial institutions are relying more on the internet to store and process information. “While there is increased convenience for consumers and improved efficiency for businesses, IT has created more opportunities for criminals who are looking for this information,” Tompkins said. “Also, attacks are becoming more sophisticated—becoming more industrial and organized. There are increased costs of data breaches—investigation and auditing, customer communication and litigation—increasing public awareness—all add costs.”
To combat attacks, of which 75 percent originate internally, financial institutions are implementing internal policies and processes, along with staff education programs and background checks. Physical security measures in data centers and user authentication and authorization measures are also being implemented, Tompkins said. The internal threats were said to be caused by carelessness or internal fraud and theft.
To protect physical assets such as laptops and data tapes, financial institutions are responding with increased staff education, data encryption and hard disk-lock passwords.
“The weakest link doesn’t lie within the institutions,” Tompkins said. “It involves customers and third-party providers who share information. External threats include hacking and attacks on customers.” Financial institutions are implementing similar measures to ward off external attacks such as patch management, multifactor authentication and perimeter security.
“Security is becoming a C-level, senior executive issue,” Tompkins said. “There is a greater focus on governance—management structures—strategies, policies, procedures and standards—reporting and control assessments including testing and auditing. Financial institutions are also focused on adhering to industry standards and centralizing information security management.”