The financial services industry deals with a commodity that is primarily electronic — money. Consequently it spends more per employee on IT than any other industry. Despite this, there is a worrying tendency for information that should be confidential to end up in the public domain. Why is this and what can be done?
QUOCIRCA BRIEFING
January 2008

Banks and data leak prevention
Banks are an obvious target for data thieves - how can they be stopped?

Contacts:
Bob Tarzey, Quocirca Ltd, Tel +44 1753 855794, bob.tarzey@quocirca.com
Clive Longbottom, Quocirca Ltd, Tel +44 118 948 3360, clive.longbottom@quocirca.com

The financial consequences of data theft for banks are direct and indirect
When a customer's money is stolen electronically, the onus is on the bank to compensate. The bank can also face fines if the loss is caused by careless data management on its part and publicity can lead to brand damage.

Banks have to share data and it is often not a bank itself that is responsible for data leaks
Consumers get caught unawares by email scams, businesses are careless with customer information and public sector bodies, with which banks are obliged to share information, have proved to be reckless in the way they handle data.

Banks need to review their IT infrastructure
Ultimately, for thieves to achieve their goals they need access to financial services and products that the banks have ultimate control over. Strict management and auditing of all IT assets is essential.

The software development process needs rigorous quality control
Examples are on record of backdoors being built into banking systems by rogue developers. Testing and auditing must be exhaustive and carried out using dummy, not real, customer data.

Processes need to be well defined and audited
The way in which data and transactions are handled internally needs to be governed by strong processes. Those responsible for weak processes or those who ignore strong ones must face the consequences.

Education and awareness needs to be driven by banks
Banks need to keep up awareness campaigns for consumers and encourage best practice amongst their business customers to prevent data leakage.

The level of potential risk is not going to decrease
New financial products, such as e-wallets and the continuing growth of internet shopping and other online services, will mean more and more opportunity for would-be thieves. In order for this growth to continue, people need to have more confidence in the way their financial data is being managed.

BRIEFING NOTE:
This briefing has been written by Quocirca to address issues faced by financial services organisations with regard to data loss. The report draws on Quocirca's knowledge of the technology and business issues faced by banks and other financial services companies and provides advice on the approaches that can be taken to prevent data leakage.

During the preparation of this report, Quocirca has spoken to a number of end users, service providers and vendors and is grateful for their time and insights. Quocirca would like to thank Symantec for its sponsorship of this report.
An independent briefing by Quocirca Ltd. www.quocirca.com
Financial services, IT and data security

Financial services organisations (including banks, insurance companies, building societies and so on, but referred to from here on as just "banks") spend more on information technology (IT) per employee than those in any other industry. Some estimates suggest it is more than double that spent in the utility, telecoms and public sectors.

There are a number of ...

... which a persistent hacker could probably work around.

The obvious downside for banks is money lost through theft, but it goes beyond this. There is compensation to be paid to customers who may become victims through no fault of their own and fines may be incurred for regulatory breach. Then there are indirect costs - such exposure can cause customers to desert and share prices to drop, leading to further financial loss and brand damage: a real worry, especially for a trusted high street bank. Customers may lose confidence in transacting electro...