More Than Meets the Eye

Physical and electronic security need the same attention

For you and me, banks are a symbol of security. This faith in security has survived for our parents and grandparents, and even banks themselves exude a confidence of security to the general public.

But think about it. Are banks really that secure? The evolution of online banking was a dramatic departure from traditional banking, in which customers would spend time in front of a teller and maybe share a conversation with the bank president. Now, a customer doesn’t even have to set foot in a financial institution for a transaction. Unfortunately, that also applies to would-be thieves and electronic-savvy crooks.

Layers of Protection
“Traditionally, banks define physical security with a defensive, in-depth approach,” said Peter Boriskin, vice president of access control at Tyco. “The role of security in the banking atmosphere varies from the perspective of the customer and individual branches’ needs.

“Outside of the bank branch, security for the institution depends upon how much cash is stored, the use of man traps and implementation of security officers. A central bank has to take into account cash on hand, any precious metals and security in the sally port.”

Above all else, security is focused on the day-to-day activities of employees.

“Banking security has many layers of protection,” Boriskin said. “It includes access control, IT security, intrusion detection, armed response and many other solutions that play a critical role.

“One key factor for security is the ability to dial the level of protection up or down, as it is needed.”

High-level security would include card access for employees, changing the pattern of CCTV surveillance or even late-night escorts for employees to their cars. If a financial institution wanted to dial up security, in a granular fashion, security officials would change the daily routine to include any number of other effective applications.

“It’s important for a financial institution to meet security and operations requirements and guidelines,” Boriskin said. “In order to meet those specifications, there might be a need to go beyond established security requirements by integrating new technology. That may include pairing up with video analytics.”

Contents of the bank are exactly what thieves want. According to FBI bank crime statistics—April 1, 2007, through June 30, 2007—there were 1,400 robberies, of which 1,235 took place at commercial banks. The amount of money taken exceeded $13 million. Nearly $2 million was recovered. Most of the robberies occur at a branch location, in a commercial district or at a shopping center. And most robberies take place at the teller counter.

Banks must develop an aggressive prevention strategy to combat robberies. Some solutions are specifically developed for prevention, others for apprehension. But some accomplish both objectives.

Where to Start
Training. Training has long been at the core of robbery prevention. Employees who are properly trained in protecting their safety and the safety of others ensure that security devices at the bank work properly and are deployed during a robbery. Proper cash control can limit losses.

Surveillance cameras. Cameras primarily are used for apprehension, but when properly deployed, they also can prevent a bank robbery. Almost all bank robbers are photographed, and proper deployment should include color digital CCTV.

Reward programs. Rewards for information leading to the arrest and conviction of a bank robber are an apprehension tool for law enforcement. When advertised properly, people on the street may help. The fact is, most people are more likely to know a bank robber than win the lottery.

Online banking has caught on quickly, and the evolution of the process is receiving so much security attention that you have to wonder if physical security is being ignored. Banks secure money, as well as customer data and the employees working there, but where are financial institutions in the case of online security? Both physical and logical security need the same technology investment and approach to be successful.

The truth is, today’s financial institutions must incorporate substantial protection across a wide divide of diverse IT systems and business processes. This means extending IT budgets and staff to make way for new security buys, as well as management needs for the enterprise infrastructure.

Legislation linked to data security is still evolving, albeit at a rapid pace, and banks find themselves under the gun to modify business processes and IT infrastructure to meet compliance initiatives. What’s lacking is sufficient security-specific technical knowledge and experience to design and deploy robust security solutions.

News used to be focused on the occasional hacker, but today, data theft and attempts at data breaches take place every day. Between January 2005 and June 2007, more than 155 million individual records in the United States were reported compromised. This includes phishing by a bank employee who illegally sold the account information of nearly 670,000 customers. The average individual company loss in 2006 was $167,713, but some companies were unable or unwilling to report actual figures.

Government Mandates
Legislation has been introduced at the state and federal levels to respond to threats to data privacy and integrity. Legislation mainly has focused on ways that private data is held, accessed, transferred and protected. The requirements have put pressure on IT departments to implement effective security solutions quickly. Failure to comply could mean sizable fines, heightened scrutiny and downgraded credit scores.

Like everything else in the security industry, data security laws are constantly evolving, so it remains key that organizations stay flexible and focus on comprehensive solutions to ensure adaptability and long-term compliance.

Data security laws involving diverse data protection issues are wide-ranging and address the integrity of data storage media containing personal employee and customer information, from Social Security numbers to transactions involving the transmission of private financial information across WANs.

Gramm-Leach-Bliley Act. For data security, the act requires administrative, physical and technical safeguards to protect consumers’ personal information held by financial institutions. Among other requirements, it specifies that financial institutions must ensure the security and confidentiality of customer records and information.

California Information Practice Act. This state legislation requires that organizations disclose any breach of security to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Sarbanes-Oxley Act. This was enacted as a federal response to accounting scandals at companies such as Enron, Tyco International and WorldCom, reforming the way public companies report financial information.

Payment Card Industry Data Security Standard. This was developed jointly by major credit card companies to prevent credit card fraud and data breaches. It specifies 12 requirements, including building and maintaining a secure network, protecting cardholder data and implementing strong access control measures. Several states are enacting similar laws to protect cardholder data.

“This legislation puts more attention on enforcement and internal controls,” said Ryan Sherstobitoff, chief corporate evangelist for Panda Security. “Some financial institutions are still seeing record losses because banking trojans have increased tenfold from last year.”

Oddly enough, hackers have been stopped, or at least slowed, at the infrastructure, but it is online commerce that is targeted. When a hacker is able to obtain someone’s credentials, personal information can be screen scraped. Screen scraping attacks high-value targets. Imagine someone in accounts payable with a computer file open is targeted—the bad guy is able to capture information that is open on that computer, whether next door or in the next country.

Vicious malware captures what is on the desktop, and the bad guys now have high-value information. If they capture 500,000 Social Security numbers, the bad guys make a small fortune because a Social Security number goes for as much as $100. Encryption should be used for the transmission of cardholder data and sensitive information across public networks.

“The problem is, the criminal underground has evolved to establish its own ecosystem,” Sherstobitoff said. “Exposed customer records are exactly what the bad guy looks for. Recently, a major stock trading company reported a record loss because of malicious code—up to $30 million because of malware.”

Encryption Compliance
The good news is that cost-effective data security is available now. Its goal is to protect information assets, minimize business risks and achieve compliance goals. Properly layered, the technology satisfies many relevant requirements at the same time. Compliance means data assets are secure and accessed only by authorized people or entities.

The technologies available to ensure data security compliance include strong authentication solutions, comprehensive disk and file encryption, high-speed encryption for WAN networks and hardware security modules. These same technologies also provide a flexible, highly reliable solution for maintaining the integrity of data and applications. Audit trails and simplified reporting combine to ensure that banks can demonstrate the effectiveness of their data solution to regulatory agencies and internal auditors.

Bank security is an entirely new animal. Officials can lock the front door and have the greatest physical security solutions in place, but the institution is still vulnerable to the outside world via the Internet. These aren’t the same banks that Bonnie and Clyde became so familiar with, and they aren’t the same institutions that grandpa used to bank with.

Today’s players are technology-savvy and can sit at home feeding off the frenzy they create by hacking their way into bank records or buying stolen data information sheets. Today’s crooks understand cryptographic algorithms and waste no time screen swiping information as a customer transfers $5 from savings into checking. The solution is relatively simple—layer security from the outside in, stopping a would-be thief somewhere along the way.
