The financial consequences of data theft for banks are direct and indirect. When a customer's money is stolen electronically, the onus is on the bank to compensate. The bank can also face fines if the loss is caused by careless data management on its part, and publicity can lead to brand damage.

Banks have to share data, and it is often not a bank itself that is responsible for data leaks. Consumers get caught unawares by email scams, businesses are careless with customer information, and public sector bodies, with which banks are obliged to share information, have proved to be reckless in the way they handle data.

Banks need to review their IT infrastructure. Ultimately, for thieves to achieve their goals they need access to financial services and products over which the banks have ultimate control. Strict management and auditing of all IT assets is essential. The software development process needs rigorous quality control. Examples are on record of backdoors being built into banking systems by rogue developers. Testing and auditing must be exhaustive and carried out using dummy, not real, customer data.

Processes need to be well defined and audited. The way in which data and transactions are handled internally needs to be governed by strong processes. Those responsible for weak processes, or those who ignore strong ones, must face the consequences.

Education and awareness need to be driven by banks. Banks need to keep up awareness campaigns for consumers and encourage best practice amongst their business customers to prevent data leakage.

The level of potential risk is not going to decrease. New financial products, such as e-wallets, and the continuing growth of internet shopping and other online services will mean more and more opportunity for would-be thieves. For this growth to continue, people need to have more confidence in the way their financial data is being managed.
Financial services, IT and data security

Financial services organizations (including banks, insurance companies, building societies and so on, but referred to from here on as just "banks") spend more on information technology (IT) per employee than those in any other industry. Some estimates suggest it is more than double that spent in the utility, telecoms and public sectors. There are a number of reasons for this, but the most obvious is that banks deal with a commodity that is primarily information: money, represented electronically. Every bank employee is an IT worker, and every customer has to interact with banks electronically at some level, be it a consumer withdrawing cash from an ATM or a business managing a new share issue; in banks the use of IT is pervasive. Retaining existing and attracting new customers requires a high level of confidence in the security of a bank's operations, and this must include IT.

With all this electronic interaction comes risk. Most thieves are after one thing, money, and targeting banks is obvious because there is no intermediate commodity to be sold to get their hands on it. Why go to the effort of stealing alloy wheels off a car and selling them to raise money when, with someone's credit card details, a thief can start spending straight away? Why set up a drug smuggling network when, by using a botnet and well-crafted phishing emails, people will just send you the details to access their bank account of their own free will?

What's more, whilst many industries can keep their interaction with customers and partners to a reasonably small number of trusted entities, banks cannot. The very nature of the services they provide means the widespread sharing of confidential data. When a retailer loses a set of credit card transactions, it is the bank's money that is at immediate risk, not the retailer's goods.
When the banking details of citizens are lost by tax collection agencies, again it is the bank's money, not the government's, that is at risk. Worse still, sometimes such details are passed from one organisation to another without the bank even being involved, such as the high-profile case in November 2007 where the UK's tax collection agency (HMRC) lost the details for paying child benefit to millions of UK families in an internal data transfer on a disk.