Top Ten Cybersecurity Trends for Financial Services in 2012


cybersecurity.jpgBooz Allen Hamilton, a consulting firm serving federal, nonprofit and commercial clients, recently had this report on the top ten financial services cybersecurity trends for 2012: 

  1. The exponential growth of mobile devices drives an exponential growth in security risks. Every new smart phone, tablet or other mobile device, opens another window for a cyber attack, as each creates another vulnerable access point to networks.
     
  2. Increased C-suite targeting. Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and the junior staff members who have access to them.
     
  3. Growing use of social media will contribute to personal cyber threats. A profile or comment on a social media platform—even by the CEO’s son or sister—can help hackers build an information portfolio that could be used for a future attack.
     
  4. Your company is already infected, and you’ll have to learn to live with it—under control. Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection—the focus of cybersecurity tactics increasingly must be to analyze, detect and expunge threats inside your system.
     
  5. Everything physical can be digital. The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital format and gleaned for the tools to allow a hacktivist-type of security violation, and increasingly this will be a problem.
     
  6. More firms will use cloud computing. The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing.
     
  7. Global systemic risk will include cyber risk. As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets.
     
  8. Zero-day malware (malicious software) and organized attacks will continue to increase. Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt quickly as well to zero-day malware and the tactics of organized crime and foreign adversaries that are increasingly used today.
     
  9. Insider threats are real. The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat (APT) and other attacks. Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access.
     
  10. Increased regulatory scrutiny. Recently, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result in, cyber theft or a risk of compromised data considered material.

For a full copy of the report, click here.

New Guidance Raises the Bar for Bank Internet Security


it-security-article.pngOn the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.”  The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.

Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.

Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.

A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.

U.S. District Court Judge Patrick Duggan wrote in his opinion that he considered multiple factors as to whether the bank acted in “good faith,” using “commercially reasonable” security measures. Among clues that something was going wrong at Experi-Metal: The sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account with normally a zero balance; a history of limited wire activity on the part of the company; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).

That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a log in and password is not enough.

Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.

No longer can banks rely on dual-factor security, typically a log in, password, plus something like a security token that recognizes a computer or other device that is logging in. That dual-factor security was OK in the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them already are doing.

An example of an extra layer would be email notifications to the customer every time payments are requested on the account.

At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day, where few such transactions occurred before.

Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.

The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, in terms of the lawyers bringing up the new standard in court cases where banks get sued by victims of fraud.