Monday, August 4, 2008

Banks Increasingly Adopt Security as a Service

MBA (7/30/2008) Palaparty, Vijay

Sixty percent of U.S. banks expect to spend more on fraud and authentication in 2009, according to research from Gartner Inc., Stamford, Conn. However, the research also anticipates banks will implement many of these security efforts “as a service,” potentially saving money.

“Banks expect to spend more on fraud detection and customer authentication in 2009 than in 2008, and spending generally will be higher among the largest banks,” said Avivah Litan, vice president and analyst at Gartner.

Litan said 71 percent of large banks, with consumer deposits of more than $150 billion, expect to spend more. Nearly 20 percent of these banks expect spending to rise “significantly,” he said.

The Gartner report said security applications delivered as “cloud-based” services would have significant impact on the banking industry, tripling in many security segments by 2013. It defines cloud-based services as “massively scalable IT-related capabilities that are provided ‘as a service’ using Internet technologies to multiple external customers.”

“The ability to provide massively scalable processing, storage and bandwidth inherent in cloud computing will require security controls and functions to be delivered to customers in new ways and by new service providers,” said Kelly Kavanagh, analyst at Gartner. “It will also allow security technologies and techniques that are cost-effective to be used only with cloud-style computing.”

Cloud-based computing enables banks to obtain more enterprise security controls or functions on demand, Kavanagh added. “Enterprises often struggle to justify the expense of security controls or functions that are needed to respond to unanticipated or infrequent events,” she said. “Cloud computing, however, can make these types of services available at short notice, at the scale appropriate to address the threat.”

Banks reported that compliance with regulations was most important to them, scoring the factor 6.58 on a scale of 1 to 7 in order of importance. Improving fraud prevention scored 6.26 and increasing consumer confidence scored 6.22. Larger banks ranked compliance at 6.76, improving fraud prevention at 6.67 and increasing customer confidence at 6.4.

“Compliance is still the main driver for fraud prevention and customer authentication projects, but 60 percent of surveyed banks already consider themselves to be compliant with the Red Flag regulations of the U.S. Fair and Accurate Credit Transactions Act of 2003,” Litan said. “The general thinking in the industry is that banks must typically only formalize and document procedures they already have in place to prevent identity theft-related fraud.”

Red Flag rules require creditors to check for identity theft before they issue consumers or businesses credit. U.S. financial institutions and other creditors must implement the rules by Nov. 1.

Respondents identified online banking fraud detection as the most widely implemented fraud management system, followed by stronger consumer authentication on company web sites. Gartner said banks expect to strengthen caller authentication in telephone call centers, enterprise fraud detection across customer channels and accounts and fraud case management systems.

“Banks tend to consider their web channels to be more secure than their phone channels,” Litan said. “Nevertheless, in 2008, most banks say they will spend more money on web fraud detection than on call center fraud detection, which acknowledges that the web channel is generally more vulnerable when it comes to outright monetary theft or account surveillance.”

The research also said an increase in the use of cloud-based services means mobile IT users will access business data and services without crossing corporate networks. Gartner said security controls between mobile users and cloud-based services will become even more important as a result.

“Although perimeter security controls will be required to protect remaining data center functions and large portions of enterprise populations that are not mobile, new approaches will be needed to secure cloud-based IT services,” said John Pescatore, vice president and analyst at Gartner. “One answer will be cloud-enabled security proxies, whereby all access to approved cloud-based IT services will be required to flow through cloud-based security services that enforce authentication, data loss prevention, intrusion prevention, network access control and vulnerability management.”
