Managing the digital threat
By Andrew Pitcher and Paul O'Rourke

The proliferation of mobile devices and the growth in online tools and networks have been well documented, and the financial services industry has not been immune to this trend: an estimated 400 million people will use some form of mobile financial transaction within the next three years. Given this aggressive growth in digital financial services, financial institutions that are embracing and shifting to digital channels for reasons of cost and better customer management must make security the centerpiece of any successful digital strategy.
The issue of security should not be taken lightly: more than 300 million personal records have been compromised since 2005, and hacker activity has increased dramatically in recent years. While this presents a growing and dangerous challenge for all organisations, it should be of greatest concern to the financial services industry, given that 90 percent of the records hackers have compromised reside within this space.
Identifying the threat is the first step, but what can financial institutions do now to stem this rising tide of fraud and theft and reassure consumers of the safety of online and mobile banking? In Accenture's view, they must build a proactive and comprehensive cyber security program that acknowledges how digital technologies are shifting boundaries and emphasizes the cultural changes needed to strengthen security. Furthermore, institutions should focus on enhancing the security of applications, cost-effective identity verification, making mobile devices and platforms safer, and detecting internal and external threats.
To win in financial services, simply participating in the digital channel is not enough. High-performance institutions will set themselves apart by implementing digital strategies that cater to consumer demands for greater speed and convenience while protecting the personal data with which they have been entrusted.
To reignite growth and rebuild customer relationships, many financial services institutions are implementing and emphasizing digital channels such as mobile banking. Success with these channels requires not just a user-friendly interface but also robust security that customers can depend on. Unfortunately, the Internet has a host of security limitations, and many IT solutions are implemented without the robust functionality required for enterprise-wide data protection and privacy. Indeed, in the United States alone more than 346 million records containing sensitive personal information have been compromised since January 2005.
In 2009, computer hackers stole more records than in the previous four years combined, with 93 percent of the exposed records coming from the financial sector. Two other overlapping trends have exacerbated security issues. The first is the increased enablement of the workforce through collaboration tools and new ways of interacting with the institution. The second is the move toward cloud architecture, which means some core processes (not just in the channel) may now become at least partially external to the firewall, with significant security implications.
Any breach can have serious implications for the enterprises involved, including fines, remediation costs and share declines. The threat is particularly acute for financial services firms, given that the storage and exchange of money form the core of their business. Indeed, the proliferation of threats has made cyber risk management a major priority at the highest levels of financial services organizations, forcing enterprises to invest more, address legacy weaknesses and prepare for the minefields ahead.
As senior executives weigh their next moves in cyber security, Accenture advocates a proactive approach: anticipate which new threats may challenge the enterprise and which security elements can help to improve performance, and then weave the right security features into the enterprise’s infrastructure and digital assets. The experiences of leading cyber security professionals have informed a set of six driving principles for financial institutions engaged in this pursuit.
1. Identify and secure the IT assets themselves, not just the perimeter
While organizations typically focus on securing the IT perimeter, that’s no longer sufficient. It’s more effective to secure the data or asset itself, wherever it lives and travels. Firms should embed cyber resilience and defensive capabilities throughout the organization, not just individual components. This is not always easy, as it requires navigating a maze of regulatory, compliance, privacy and business demands. Therefore, most initiatives will benefit from an end-to-end approach, from problem analysis to monitoring the controls that follow solution implementation.
2. Build a culture of security
Financial services firms do not always clearly define cyber security governance structures, including specific oversight responsibilities. They also may find that management responsibility can be fragmented, with departments all having some involvement. As a result, it’s not clear where the buck stops on information security. The first step is enacting an IT governance program that integrates the people, processes and technology needed to manage data efficiently. Data protection frameworks also should be unified in nature and avoid country, business process or type-of-data silos. Such frameworks can help minimize complexity, compliance costs and potential breaches while enabling responsible data sharing and global data flows.
3. Pay closer attention to applications
Financial firms must be able to measure an application’s resistance to attack and its ability to process and handle sensitive information, and they must conduct stringent testing to confirm that mission-critical applications can be run with reduced risk. This means designing consistently defined security services into applications as part of the system development life cycle, an evolutionary step for most financial organizations. It also means testing and elevating existing applications to the same standard, whether they were built in-house or purchased and deployed at a vendor location.
4. Check and double-check user identity
Identity management has become a top security priority due to the convergence of several trends: sharp increases in identity theft; risks associated with having an extended enterprise of customers, suppliers and contractors with access to enterprise applications; and the increasing ubiquity of mobile devices. In addition, the traditional approach to authentication—based on secret phrases or numbers—has been undermined now that much of that information is commonly available or at least discoverable.
At the same time, many CIOs must balance risk management with cost reduction and administrative efficiency. In this context, things such as single sign-on, immediate access revocation, self-service functionality and real-time analysis to support audits can support business needs and help manage risk.
Furthermore, open standards for federated identity, such as OpenID, which allow users to log on to different services with the same digital identity, are starting to catch on as a way of combining ease of use with centrally managed authentication. Note that such a protocol only asserts which identity provider vouched for the user; the strength of the authentication is whatever that provider enforced, so federation complements strong authentication rather than supplying it on its own.
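What "checking and double-checking identity" means on the relying-party side of such a federated login, as an added Python example that is not code from the article or from Accenture: the message layout follows an OpenID 2.0 positive assertion (mode id_res, an openid.signed field list, HMAC-SHA256 over the Key-Value Form of those fields, a response nonce that begins with a UTC timestamp), while the association key, the OP and RP URLs, the handle and the nonces are constructed for the demo. The relying party verifies the signature, the provider endpoint, the return_to audience and the nonce window before it trusts the claimed identifier; what it learns is which provider vouched for the identifier, not how the user authenticated there.

```python
"""Relying-party checks on an OpenID 2.0 style positive assertion.

Added example, not code from the article or from Accenture. Message layout
follows OpenID 2.0; the MAC key, URLs, handle and nonces are constructed.
"""
import base64
import calendar
import hashlib
import hmac
import time

# Constructed association: a real relying party (RP) obtains the MAC key from
# the OpenID provider (OP) during association and stores it under the handle.
ASSOCIATIONS = {"assoc-demo-1": b"demo-mac-key-not-for-production-0123"}
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/server"}  # constructed OP
RETURN_TO = "https://bank.example.com/openid/return"     # constructed RP URL
NONCE_WINDOW_SECONDS = 300
# Fields OpenID 2.0 requires the OP to sign in a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
DEMO_NOW = 1267444800                       # 2010-03-01T12:00:00Z
DEMO_NONCE = "2010-03-01T11:59:30Zabc123"   # constructed OP nonce


def key_value_form(fields, params):
    """Key-Value Form: one 'name:value\\n' line per signed field, names without
    the 'openid.' prefix, in the order listed by openid.signed."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in fields)


def compute_signature(params, mac_key):
    """Base64 HMAC-SHA256 over the Key-Value Form of the signed fields."""
    fields = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, key_value_form(fields, params).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_assertion(params, now=None, seen_nonces=None):
    """Return (True, claimed_id) or (False, reason). The signature is checked
    before any other field so that unsigned data never drives a decision."""
    now = time.time() if now is None else now
    seen_nonces = set() if seen_nonces is None else seen_nonces
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    if missing:
        return False, "unsigned required fields: " + ",".join(sorted(missing))
    if any("openid." + name not in params for name in signed):
        return False, "signed field absent from message"
    mac_key = ASSOCIATIONS.get(params["openid.assoc_handle"])
    if mac_key is None:
        return False, "unknown association handle"
    expected = compute_signature(params, mac_key).encode("ascii")
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return False, "bad signature"
    if params["openid.op_endpoint"] not in TRUSTED_OP_ENDPOINTS:
        return False, "untrusted OP endpoint"
    if params["openid.return_to"] != RETURN_TO:
        return False, "return_to mismatch"   # genuine assertion, wrong audience
    nonce = params["openid.response_nonce"]
    try:  # the nonce starts with a 'YYYY-MM-DDTHH:MM:SSZ' timestamp
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > NONCE_WINDOW_SECONDS:
        return False, "nonce outside window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]


def build_assertion(claimed_id, nonce, return_to=RETURN_TO,
                    op_endpoint="https://op.example.net/server",
                    handle="assoc-demo-1"):
    """Act as the constructed OP and emit a signed positive assertion."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle,ns,mode,signed",
    }
    params["openid.sig"] = compute_signature(params, ASSOCIATIONS[handle])
    return params


if __name__ == "__main__":
    seen = set()
    good = build_assertion("https://alice.example.org/", DEMO_NONCE)
    print("valid    :", verify_assertion(good, DEMO_NOW, seen))
    print("replayed :", verify_assertion(good, DEMO_NOW, seen))
    tampered = dict(good)
    tampered["openid.claimed_id"] = "https://mallory.example.org/"
    print("tampered :", verify_assertion(tampered, DEMO_NOW, set()))
    other_rp = build_assertion("https://alice.example.org/", DEMO_NONCE,
                               return_to="https://other.example/return")
    print("other RP :", verify_assertion(other_rp, DEMO_NOW, set()))
```

The return_to case is the one most often missed: the assertion is genuinely signed by the provider, but for a different relying party, so it must be rejected even though the signature verifies. In a deployment the nonce set would live in shared storage with expiry rather than in a process-local set.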
5. Get smart about mobile device security
Mobile banking is expected to reach 400 million people in the next three years, whether through SMS-based payments, direct mobile billing, mobile Web payments or stored value cards. While many of mobile’s underlying technologies are similar to those supporting standard Internet banking, financial services institutions must consider several issues. For instance, each mobile device and platform has its own way of addressing security and, by extension, security flaws.
In addition, mobile devices are easily lost or stolen, and most carry removable components such as memory cards and a SIM card that can hold personal data, while the handset itself may cache account numbers and passwords. A third issue is that many consumers have not yet grown accustomed to mobile financial services and may not completely trust their security. The end result: financial institutions should be preparing now for a sustained effort in consumer education and communications about mobile device security, including sound passcode practice and how to erase data remotely if a device is stolen.
6. Develop acute situational awareness
Financial institutions must understand their entire risk landscape, including employees and their business partner network. They must also maintain awareness of each risk's potential impact on performance, keep a clear view of which risks may emerge, and have measures in place to mitigate them.
In this environment, high-performance financial services companies can take a more proactive and holistic approach to cyber security: securing IT assets as much as the perimeter, adopting a culture of security, and focusing their attention on applications, authentication, mobile security and internal and external attacks. Such an approach can help institutions adapt to rapid technological change while forging a risk management program that supports business growth and high performance.