More Than Meets the Eye

Physical and electronic security need the same attention

For you and me, banks are a symbol of security. This faith in security has survived for our parents and grandparents, and even banks themselves exude a confidence of security to the general public.

But think about it. Are banks really that secure? The evolution of online banking was a dramatic departure from traditional banking, in which customers would spend time in front of a teller and maybe share a conversation with the bank president. Now, a customer doesn’t even have to step foot in a financial institution for a transaction. Unfortunately, that also applies to would-be thieves and electronic-savvy crooks.

Layers of Protection
“Traditionally, banks define physical security with a defensive, in-depth approach,” said Peter Boriskin, vice president of access control at Tyco. “The role of security in the banking atmosphere varies from the perspective of the customer and individual branches’ needs.

“Outside of the bank branch, security for the institution depends upon how much cash is stored, the use of man traps and implementation of security officers. A central bank has to take into account cash on hand, any precious metals and security in the sally port.”

Above all else, security is focused on the day-to-day activities of employees.

“Banking security has many layers of protection,” Boriskin said. “It includes access control, IT security, intrusion detection, armed response and many other solutions that play a critical role.

“One key factor for security is the ability to dial the level of protection up or down, as it is needed.”

High-level security would include card access for employees, changing the pattern of CCTV surveillance or even late-night escorts for employees to their cars. If a financial institution wanted to dial up security, in a granular fashion, security officials would change the daily routine to include any number of other effective applications.

“It’s important for a financial institution to meet security and operations requirements and guidelines,” Boriskin said. “In order to meet those specifications, there might be a need to go beyond established security requirements by integrating new technology. That may include pairing up with video analytics.”

Contents of the bank are exactly what thieves want. According to FBI bank crime statistics—April 1, 2007, through June 30, 2007—there were 1,400 robberies, of which 1,235 took place at commercial banks. The amount of money taken exceeded $13 million. Nearly $2 million was recovered. Most of the robberies occur at a branch location, in a commercial district or at a shopping center. And most robberies take place at the teller counter.

Banks must develop an aggressive prevention strategy to combat robberies. Some solutions are specifically developed for prevention, others for apprehension. But some accomplish both objectives.

Where to Start
Training. Training has long been at the core of robbery prevention. Employees who are properly trained in protecting their safety and the safety of others ensure that security devices at the bank work properly and are deployed during a robbery. Proper cash control can limit losses.

Surveillance cameras. Cameras primarily are used for apprehension, but when properly deployed, they also can prevent a bank robbery. Almost all bank robbers are photographed, and proper deployment should include color digital CCTV.

Reward programs. Rewards for information leading to the arrest and conviction of a bank robber are an apprehension tool for law enforcement. When advertised properly, people on the street may help. The fact is, most people are more likely to know a bank robber than win the lottery.

Online banking has caught on quickly, and the evolution of the process is receiving so much security attention that you have to wonder if physical security is being ignored. Banks secure money, as well as customer data and the employees working there, but where are financial institutions in the case of online security? Both physical and logical security need the same technology investment and approach to be successful.

The truth is, today’s financial institutions must incorporate substantial protection across a wide divide of diverse IT systems and business processes. This means extending IT budgets and staff to make way for new security buys, as well as management needs for the enterprise infrastructure.

Legislation linked to data security is still evolving, albeit at a rapid pace, and banks find themselves under the gun to modify business processes and IT infrastructure to meet compliance initiatives. What’s lacking is sufficient security-specific technical knowledge and experience to design and deploy robust security solutions.

News used to be focused on the occasional hacker, but today, data theft and attempts at data breaches take place every day. Between January 2005 and June 2007, more than 155 million individual records in the United States were reported compromised. This includes phishing by a bank employee who illegally sold the account information of nearly 670,000 customers. The average individual company loss in 2006 was $167,713, but some companies were unable or unwilling to report actual figures.

Government Mandates
Legislation has been introduced at the state and federal levels to respond to threats to data privacy and integrity. Legislation mainly has focused on ways that private data is held, accessed, transferred and protected. The requirements have put pressure on IT departments to implement effective security solutions quickly. Failure to comply could mean sizable fines, heightened scrutiny and downgraded credit scores.

Like everything else in the security industry, data security laws are constantly evolving, so it remains key that organizations stay flexible and focus on comprehensive solutions to ensure adaptability and long-term compliance.

Data security laws involving diverse data protection issues are wide-ranging and address the integrity of data storage media containing personal employee and customer information, from Social Security numbers to transactions involving the transmission of private financial information across WANs.

Gramm-Leach-Bliley Act. Its data security provisions require administrative, physical and technical safeguards to protect consumers’ personal information held by financial institutions. Among other requirements, it specifies that financial institutions must ensure the security and confidentiality of customer records and information.

California Information Practice Act. This state legislation requires that organizations disclose any breach of security to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Sarbanes-Oxley Act. This was enacted as a federal response to accounting scandals at companies such as Enron, Tyco International and WorldCom, reforming the way public companies report financial information.

Payment Card Industry Data Security Standard. This was developed jointly by major credit card companies to prevent credit card fraud and data breaches. It specifies 12 requirements, including building and maintaining a secure network, protecting cardholder data and implementing strong access control measures. Several states are enacting similar laws to protect cardholder data.

“This legislation puts more attention on enforcement and internal controls,” said Ryan Sherstobitoff, chief corporate evangelist for Panda Security. “Some financial institutions are still seeing record losses because banking trojans have increased tenfold from last year.”

Oddly enough, hackers have been stopped, or at least slowed, at the infrastructure, but it is online commerce that is targeted. When a hacker is able to obtain someone’s credentials, personal information can be screen scraped. Screen scraping attacks high-value targets. Imagine someone in accounts payable with a computer file open is targeted—the bad guy is able to capture information that is open on that computer, whether next door or in the next country.

Vicious malware captures what is on the desktop, and the bad guys now have high-value information. If they capture 500,000 Social Security numbers, the bad guys make a small fortune because a Social Security number goes for as much as $100. Encryption should be used for the transmission of cardholder data and sensitive information across public networks.

“The problem is, the criminal underground has evolved to establish its own ecosystem,” Sherstobitoff said. “Exposed customer records are exactly what the bad guy looks for. Recently, a major stock trading company reported a record loss because of malicious code—up to $30 million because of malware.”

Encryption Compliance
The good news is that cost-effective data security is available now. Its goal is to protect information assets, minimize business risks and achieve compliance goals. Properly layered, the technology satisfies many relevant requirements at the same time. Compliance means data assets are secure and accessed only by authorized people or entities.

The available technologies are meant to ensure data security compliance and include strong authentication solutions, comprehensive disk and file encryption, high-speed encryption for WAN networks and hardware security modules. These same technologies also provide a flexible, highly reliable solution for maintaining the integrity of data and applications. Audit trails and simplified reporting combine to ensure that banks can demonstrate the effectiveness of their data solution to regulatory agencies and internal auditors.

Bank security is an entirely new animal. Officials can lock the front door and have the greatest physical security solutions in place, but the institution is still vulnerable to the outside world via the Internet. These aren’t the same banks that Bonnie and Clyde became so familiar with, and they aren’t the same institutions that grandpa used to bank with.

Today’s players are technology-savvy and can sit at home feeding off the frenzy they create by hacking their way into bank records or buying stolen data information sheets. Today’s crooks understand cryptographic algorithms and waste no time screen swiping information as a customer transfers $5 from savings into checking. The solution is relatively simple—layer security from the outside in, stopping a would-be thief somewhere along the way.
