More Than Meets the Eye
Physical and electronic security need the same attention
- By Ralph C. Jensen
- May 22, 2008
For you and me, banks are a symbol of security. This faith in security has survived for our parents and grandparents, and even banks themselves exude a confidence of security to the general public.

But think about it. Are banks really that secure? The evolution of online banking was a dramatic departure from traditional banking, in which customers would spend time in front of a teller and maybe share a conversation with the bank president. Now, a customer doesn’t even have to set foot in a financial institution for a transaction. Unfortunately, that also applies to would-be thieves and electronic-savvy crooks.
Layers of Protection
“Traditionally, banks define physical security with a defensive, in-depth approach,” said Peter Boriskin, vice president of access control at Tyco. “The role of security in the banking atmosphere varies from the perspective of the customer and individual branches’ needs.

“Outside of the bank branch, security for the institution depends upon how much cash is stored, the use of man traps and implementation of security officers. A central bank has to take into account cash on hand, any precious metals and security in the sally port.”
Above all else, security is focused on the day-to-day activities of employees.

“Banking security has many layers of protection,” Boriskin said. “It includes access control, IT security, intrusion detection, armed response and many other solutions that play a critical role.

“One key factor for security is the ability to dial the level of protection up or down, as it is needed.”
High-level security would include card access for employees, changing the pattern of CCTV surveillance or even late-night escorts for employees to their cars. If a financial institution wanted to dial up security, in a granular fashion, security officials would change the daily routine to include any number of other effective applications.
“It’s important for a financial institution to meet security and operations requirements and guidelines,” Boriskin said. “In order to meet those specifications, there might be a need to go beyond established security requirements by integrating new technology. That may include pairing up with video analytics.”
Contents of the bank are exactly what thieves want. According to FBI bank crime statistics—April 1, 2007, through June 30, 2007—there were 1,400 robberies, of which 1,235 took place at commercial banks. The amount of money taken exceeded $13 million. Nearly $2 million was recovered. Most of the robberies occur at a branch location, in a commercial district or at a shopping center. And most robberies take place at the teller counter.

Banks must develop an aggressive prevention strategy to combat robberies. Some solutions are specifically developed for prevention, others for apprehension. But some accomplish both objectives.
Where to Start
Training. Training has long been at the core of robbery prevention. Employees who are properly trained in protecting their safety and the safety of others ensure that security devices at the bank work properly and are deployed during a robbery. Proper cash control can limit losses.

Surveillance cameras. Cameras primarily are used for apprehension, but when properly deployed, they also can prevent a bank robbery. Almost all bank robbers are photographed, and proper deployment should include color digital CCTV.

Reward programs. Rewards for information leading to the arrest and conviction of a bank robber are an apprehension tool for law enforcement. When advertised properly, people on the street may help. The fact is, most people are more likely to know a bank robber than win the lottery.
Online banking has caught on quickly, and the evolution of the process is receiving so much security attention that you have to wonder if physical security is being ignored. Banks secure money, as well as customer data and the employees working there, but where are financial institutions in the case of online security? Both physical and logical security need the same technology investment and approach to be successful.
The truth is, today’s financial institutions must incorporate substantial protection across a wide range of diverse IT systems and business processes. This means extending IT budgets and staff to make way for new security buys, as well as management needs for the enterprise infrastructure.

Legislation linked to data security is still evolving, albeit at a rapid pace, and banks find themselves under the gun to modify business processes and IT infrastructure to meet compliance initiatives. What’s lacking is sufficient security-specific technical knowledge and experience to design and deploy robust security solutions.
News used to be focused on the occasional hacker, but today, data theft and attempts at data breaches take place every day. Between January 2005 and June 2007, more than 155 million individual records in the United States were reported compromised. This includes phishing by a bank employee who illegally sold the account information of nearly 670,000 customers. The average individual company loss in 2006 was $167,713, but some companies were unable or unwilling to report actual figures.
Government Mandates
Legislation has been introduced at the state and federal levels to respond to threats to data privacy and integrity. Legislation mainly has focused on ways that private data is held, accessed, transferred and protected. The requirements have put pressure on IT departments to implement effective security solutions quickly. Failure to comply could mean sizable fines, heightened scrutiny and downgraded credit scores.

Like everything else in the security industry, data security laws are constantly evolving, so it remains key that organizations stay flexible and focus on comprehensive solutions to ensure adaptability and long-term compliance.

Data security laws involving diverse data protection issues are wide-ranging and address the integrity of data storage media containing personal employee and customer information, from Social Security numbers to transactions involving the transmission of private financial information across WANs.
Gramm-Leach-Bliley Act. The impact on data security requires administrative, physical and technical safeguards to protect consumers’ personal information held by financial institutions. Among other requirements, it specifies that financial institutions must ensure the security and confidentiality of customer records and information.

California Information Practices Act. This state legislation requires that organizations disclose any breach of security to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Sarbanes-Oxley Act. This was enacted as a federal response to accounting scandals at companies such as Enron, Tyco International and WorldCom, reforming the way public companies report financial information.

Payment Card Industry Data Security Standard. This was developed jointly by major credit card companies to prevent credit card fraud and data breaches. It specifies 12 requirements, including building and maintaining a secure network, protecting cardholder data and implementing strong access control measures. Several states are enacting similar laws to protect cardholder data.
“This legislation puts more attention on enforcement and internal controls,” said Ryan Sherstobitoff, chief corporate evangelist for Panda Security. “Some financial institutions are still seeing record losses because banking trojans have increased tenfold from last year.”
Oddly enough, hackers have been stopped, or at least slowed, at the infrastructure, but it is online commerce that is targeted. When a hacker is able to obtain someone’s credentials, personal information can be screen scraped. Screen scraping attacks high-value targets. Imagine someone in accounts payable is targeted while a file is open on the computer—the bad guy is able to capture whatever is displayed on that screen, whether from next door or from the next country.

Vicious malware captures what is on the desktop, and the bad guys now have high-value information. If they capture 500,000 Social Security numbers, the bad guys make a small fortune because a Social Security number goes for as much as $100. Encryption should be used for the transmission of cardholder data and sensitive information across public networks.
“The problem is, the criminal underground has evolved to establish its own ecosystem,” Sherstobitoff said. “Exposed customer records are exactly what the bad guy looks for. Recently, a major stock trading company reported a record loss because of malicious code—up to $30 million because of malware.”
Encryption Compliance
The good news is that cost-effective data security is available now. Its goal is to protect information assets, minimize business risks and achieve compliance goals. Properly layered, the technology satisfies many relevant requirements at the same time. Compliance means data assets are secure and accessed only by authorized people or entities.

Technologies available are meant to ensure data security compliance, and also include strong authentication solutions, comprehensive disk and file encryption, high-speed encryption for WAN networks and hardware security modules. These same technologies also provide a flexible, highly reliable solution for maintaining the integrity of data and applications. Audit trails and simplified reporting coincide to ensure that banks can demonstrate the effectiveness of their data solution to regulatory agencies and internal auditors.
Bank security is an entirely new animal. Officials can lock the front door and have the greatest physical security solutions in place, but the institution is still vulnerable to the outside world via the Internet. These aren’t the same banks that Bonnie and Clyde became so familiar with, and they aren’t the same institutions that grandpa used to bank with.

Today’s players are technology-savvy and can sit at home feeding off the frenzy they create by hacking their way into bank records or buying stolen data information sheets. Today’s crooks understand cryptographic algorithms and waste no time screen scraping information as a customer transfers $5 from savings into checking. The solution is relatively simple—layer security from the outside in, stopping a would-be thief somewhere along the way.