More Than Meets the Eye

Physical and electronic security need the same attention

For you and me, banks are a symbol of security. This faith in security has survived for our parents and grandparents, and even banks themselves exude a confidence of security to the general public.

But think about it. Are banks really that secure? The evolution of online banking was a dramatic departure from traditional banking, in which customers would spend time in front of a teller and maybe share a conversation with the bank president. Now, a customer doesn’t even have to step foot in a financial institution for a transaction. Unfortunately, that also applies to would-be thieves and electronic-savvy crooks.

Layers of Protection
“Traditionally, banks define physical security with a defensive, in-depth approach,” said Peter Boriskin, vice president of access control at Tyco. “The role of security in the banking atmosphere varies from the perspective of the customer and individual branches’ needs.

“Outside of the bank branch, security for the institution depends upon how much cash is stored, the use of man traps and implementation of security officers. A central bank has to take into account cash on hand, any precious metals and security in the sally port.”

Above all else, security is focused on the day-to-day activities of employees.

“Banking security has many layers of protection,” Boriskin said. “It includes access control, IT security, intrusion detection, armed response and many other solutions that play a critical role.

“One key factor for security is the ability to dial the level of protection up or down, as it is needed.”

High-level security would include card access for employees, changing the pattern of CCTV surveillance or even late-night escorts for employees to their cars. If a financial institution wanted to dial up security, in a granular fashion, security officials would change the daily routine to include any number of other effective applications.

“It’s important for a financial institution to meet security and operations requirements and guidelines,” Boriskin said. “In order to meet those specifications, there might be a need to go beyond established security requirements by integrating new technology. That may include pairing up with video analytics.”

Contents of the bank are exactly what thieves want. According to FBI bank crime statistics—April 1, 2007, through June 30, 2007—there were 1,400 robberies, of which 1,235 took place at commercial banks. The amount of money taken exceeded $13 million. Nearly $2 million was recovered. Most of the robberies occur at a branch location, in a commercial district or at a shopping center. And most robberies take place at the teller counter.

Banks must develop an aggressive prevention strategy to combat robberies. Some solutions are specifically developed for prevention, others for apprehension. But some accomplish both objectives.

Where to Start
Training. Training has long been at the core of robbery prevention. Employees who are properly trained in protecting their safety and the safety of others ensure that security devices at the bank work properly and are deployed during a robbery. Proper cash control can limit losses.

Surveillance cameras. Cameras primarily are used for apprehension, but when properly deployed, they also can prevent a bank robbery. Almost all bank robbers are photographed, and proper deployment should include color digital CCTV.

Reward programs. Rewards for information leading to the arrest and conviction of a bank robber are an apprehension tool for law enforcement. When advertised properly, people on the street may help. The fact is, most people are more likely to know a bank robber than win the lottery.

Online banking has caught on quickly, and the evolution of the process is receiving so much security attention that you have to wonder if physical security is being ignored. Banks secure money, as well as customer data and the employees working there, but where are financial institutions in the case of online security? Both physical and logical security need the same technology investment and approach to be successful.

The truth is, today’s financial institutions must incorporate substantial protection across a wide divide of diverse IT systems and business processes. This means extending IT budgets and staff to make way for new security buys, as well as management needs for the enterprise infrastructure.

Legislation linked to data security is still evolving, albeit at a rapid pace, and banks find themselves under the gun to modify business processes and IT infrastructure to meet compliance initiatives. What’s lacking is sufficient security-specific technical knowledge and experience to design and deploy robust security solutions.

News used to be focused on the occasional hacker, but today, data theft and attempts at data breaches take place every day. Between January 2005 and June 2007, more than 155 million individual records in the United States were reported compromised. This includes phishing by a bank employee who illegally sold the account information of nearly 670,000 customers. The average individual company loss in 2006 was $167,713, but some companies were unable or unwilling to report actual figures.

Government Mandates
Legislation has been introduced at the state and federal levels to respond to threats to data privacy and integrity. Legislation mainly has focused on ways that private data is held, accessed, transferred and protected. The requirements have put pressure on IT departments to implement effective security solutions quickly. Failure to comply could mean sizable fines, heightened scrutiny and downgraded credit scores.

Like everything else in the security industry, data security laws are constantly evolving, so it remains key that organizations stay flexible and focus on comprehensive solutions to ensure adaptability and long-term compliance.

Data security laws involving diverse data protection issues are wide-ranging and address the integrity of data storage media containing personal employee and customer information, from Social Security numbers to transactions involving the transmission of private financial information across WANs.

Gramm-Leach-Bliley Act. This act requires administrative, physical and technical safeguards to protect consumers’ personal information held by financial institutions. Among other requirements, it specifies that financial institutions must ensure the security and confidentiality of customer records and information.

California Information Practice Act. This state legislation requires that organizations disclose any breach of security to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Sarbanes-Oxley Act. This was enacted as a federal response to accounting scandals at companies such as Enron, Tyco International and WorldCom, reforming the way public companies report financial information.

Payment Card Industry Data Security Standard. This was developed jointly by major credit card companies to prevent credit card fraud and data breaches. It specifies 12 requirements, including building and maintaining a secure network, protecting cardholder data and implementing strong access control measures. Several states are enacting similar laws to protect cardholder data.

“This legislation puts more attention on enforcement and internal controls,” said Ryan Sherstobitoff, chief corporate evangelist for Panda Security. “Some financial institutions are still seeing record losses because banking trojans have increased tenfold from last year.”

Oddly enough, hackers have been stopped, or at least slowed, at the infrastructure, but it is online commerce that is targeted. When a hacker is able to obtain someone’s credentials, personal information can be screen scraped. Screen scraping attacks high-value targets. Imagine someone in accounts payable with a computer file open is targeted—the bad guy is able to capture information that is open on that computer, whether next door or in the next country.

Vicious malware captures what is on the desktop, and the bad guys now have high-value information. If they capture 500,000 Social Security numbers, the bad guys make a small fortune because a Social Security number goes for as much as $100. Encryption should be used for the transmission of cardholder data and sensitive information across public networks.

“The problem is, the criminal underground has evolved to establish its own ecosystem,” Sherstobitoff said. “Exposed customer records are exactly what the bad guy looks for. Recently, a major stock trading company reported a record loss because of malicious code—up to $30 million because of malware.”

Encryption Compliance
The good news is that cost-effective data security is available now. Its goal is to protect information assets, minimize business risks and achieve compliance goals. Properly layered, the technology satisfies many relevant requirements at the same time. Compliance means data assets are secure and accessed only by authorized people or entities.

The technologies available to ensure data security compliance include strong authentication solutions, comprehensive disk and file encryption, high-speed encryption for WAN networks and hardware security modules. These same technologies also provide a flexible, highly reliable solution for maintaining the integrity of data and applications. Audit trails and simplified reporting work together to ensure that banks can demonstrate the effectiveness of their data solution to regulatory agencies and internal auditors.

Bank security is an entirely new animal. Officials can lock the front door and have the greatest physical security solutions in place, but the institution is still vulnerable to the outside world via the Internet. These aren’t the same banks that Bonnie and Clyde became so familiar with, and they aren’t the same institutions that grandpa used to bank with.

Today’s players are technology-savvy and can sit at home feeding off the frenzy they create by hacking their way into bank records or buying stolen data information sheets. Today’s crooks understand cryptographic algorithms and waste no time screen swiping information as a customer transfers $5 from savings into checking. The solution is relatively simple—layer security from the outside in, stopping a would-be thief somewhere along the way.
