IT Security Supplement: Safe from harm?
Written by Liz Morrell
Every day millions of financial services customers voluntarily provide personal identity details - passwords, first schools, maiden names and so on - to banks, insurers and others. Liz Morrell investigates the wisdom of this in the wake of numerous data breaches and what financial institutions are doing to protect our identities
Starting in April, UK organisations could face fines of up to £500,000 for serious breaches of the Data Protection Act (DPA) thanks to new powers given to the Information Commissioner's Office (ICO), which will allow fines to be imposed according to the seriousness of the breach, the firm's resources and the industry sector.
But in the financial services market this potential £0.5m fine already looks like small change, with the Financial Services Authority (FSA) hitting firms for millions of pounds in recent years. HSBC, for example, is just the latest in a long line of cases after it was fined £3.1 million last September by the FSA for security failings that led to the loss of customers' sensitive personal details, exposing them to the risk of identity theft and fraud. The watchdog said that three business units - HSBC Life, HSBC Actuaries and Consultants, and HSBC Insurance Brokers - had lost customer data in the post on two separate occasions, necessitating the sanction. In two of the instances unencrypted disks were sent through the post never to be seen again, and a subsequent investigation found that large amounts of unencrypted details had previously been sent via post or courier to third parties. Additionally, confidential customer information was left vulnerable in unlocked cabinets or on open shelves overnight. Embarrassingly, as we were going to press, HSBC was forced to admit that the damage done by an IT employee at its Swiss Private Bank arm, who stole the account details of customers and passed them on to the French tax authorities, was more widespread than first thought. More than 24,000 customer details were leaked by the insider, slightly more than the original "ten" quoted at the time.
It's not just HSBC though. All firms are vulnerable, with Aviva, Nationwide, Barclays and many others having been fined over recent years, since the lost disks at HMRC brought the issue of data breaches to the top of the agenda. Just recently MBNA hit the headlines when it confirmed that a laptop containing the personal details of its customers had been stolen from one of its third party contractors. In the US this month, banking giant Citi also had to apologise to 600,000 customers after it sent them year-end tax statements with their social security numbers printed on the outside of the envelopes after a "processing error". It could be argued that data breaches shouldn't happen, but very basic mistakes like this will continue to happen unless strict procedures and appropriate protection technologies, such as encryption, are put in place.
The scale of the new ICO fines may not be as large as the FSA ones, but the potential to be hit by a double whammy of fines and the bad publicity that goes with them, means the financial world has to ensure it is doing its utmost to protect the sensitivities of customers' financial data. Reputational damage can be the worst fallout from any data breach.
Scale of the problem
In February, the British Standards Institution (BSI) claimed that in 2009 nearly one in five businesses were breaching the DPA and wrongly exposing personal data. Such breaches are costly. In the UK Cost of Data Breach report, published by PGP and Ponemon Institute in January, the average cost for each lost customer record was estimated to be an alarming £86 per record for the financial services sector, while 45 per cent of breaches were a result of negligence.
Verizon Business' annual Data Breach Investigations Report also showed that last year nine out of ten breaches were avoidable if security basics had been followed - encryption, procedural controls on sharing information that does not need to be shared, adequate staff training and so on. The firm looked at 90 breaches it had investigated across various sectors, covering 285 million compromised records.
CIFAS, the non-profit UK fraud prevention service, also shows in its latest 2009 report that ID fraud is on the rise. According to its research, ID fraud amongst its 260-plus membership, made up of banks, retailers and others, was up nearly a third (31.79 per cent) last year, with the report highlighting criminal gangs using collusive staff as a particular threat.
"The largest culprit still seems to be accidental insider breaches, however, such as lost laptops or backup devices," maintains Jamie Cowper, director of European marketing, PGP Corporation. In such cases, the banks generally know the risk of malicious misuse of the lost data is low, but the reputational risk of such losses is huge and banks cannot afford to take such breaches lightly. Of the £86 cost per lost customer record identified in the PGP report over half of this relates to lost business, with the remainder comprising notification costs, PR and legal costs and detection/investigation expenses.
"If a bank loses a laptop without knowing what's on there, then you have to assume the worst and take precautionary measures," says Floris Van den Dool, head of security, EMEA, at Accenture.
And banks run a bigger risk too. "Customer information is very important not just because losing it may get you fined but because your customers will go to another bank," explains John Colley, EMEA managing director of the ISC2 professional training and security trade body.
James O'Sullivan, policy advisor at the Building Societies Association (BSA) says his members have been using the FSA's 2008 Data Security and Financial Services report to benchmark their own internal processes. "Where there are gaps they are using it to address them," he says.
Technology plays a part and Cowper obviously advocates encryption of vulnerable data. Coupled with PIN protected storage devices and data leakage prevention tools, it can ensure lost hardware only costs financial institutions the expense of replacing kit, rather than the reputational and legal costs that surround data losses.
Procedures and philosophies need to change too though. Quite simply, data security needs to be taken seriously. "You have got to have a champion at board level, so there should be an executive who has direct responsibility for information security," says ISC2's Colley.
Making people aware
Training is also needed. "People, and indeed consumers, need to be instructed in safe ways of working - for instance, homeworking should be as rigid as working in the office, and it can be if procedures are followed," says Sandra Quinn, director of communications at Financial Fraud Action UK, and formerly of Apacs. "All banks will have very strict processes on how to access equipment but it's when these policies are broken that the real test will come and staff need to be confident enough to raise an alarm if necessary and know who to contact. Employees need to know the importance of these issues."
The BSI DPA 2009 survey showed that nearly two thirds of businesses did not train their staff about the issue of data protection; something that was highlighted in the FSA's investigation into the HSBC case. William Beer, director of the oneSecurity team at the PricewaterhouseCoopers (PwC) consultancy, says the complications of the subject can make it a hard one to tackle: "A lot of organisations haven't moved forward with a complete data loss solution. One problem is that the topic covers so many aspects - from people, to technology and processes - consequently, projects often struggle to get off the ground."
In PwC's Global State of Information Security Survey published last year it found only 48 per cent of financial services companies had accurate inventories of locations where data was stored. Beer says using data discovery engines within some of the existing data loss prevention tools can help to identify leakages and build a business case for the board.
The ISC2's own survey last year showed around 20 per cent of organisations weren't confident that they were capable of conforming to policy. "It's not really the glitzy technology that people want to concentrate on; it's about writing a basic policy that is clear and manageable," says Colley. Such policies also need to be tested in reality. "If it's impractical people will tend to ignore it. The policy has got to be right and appropriate for the organisation and has got to help people do their job, rather than hinder them."
Data has become so easy to copy and manipulate that users have lost sight of its vulnerability and of where copies might be stored. "If you want to secure something you need to know how important it is," says Accenture's Van den Dool. Data therefore needs to be classified at source by its creator, recreating the confidential stamps of the past. He suggests financial firms do a risk assessment of where their data is vulnerable. "The technology is maturing quite rapidly and there are a number of vendors selling data loss prevention tools - part of which scan information - such as Word or Excel documents, looking for sensitive information like account numbers and so forth." Once such data is classified, certain risky actions, such as copying a file containing credit card details to a USB stick without encryption, can be prevented. "Technology is not the full solution," warns Van den Dool though, "because in the end there is always the user. However, software can help to raise awareness - for instance, by creating alerts when risky actions are taken."
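The scan-classify-enforce loop that Van den Dool describes, and the data discovery Beer mentions above, boil down to a small amount of logic. The example below is an added illustration written for this piece, not code from any vendor or bank named in the article: it scans text for payment card numbers (validated with the Luhn checksum so that random digit runs are not flagged), for UK sort code and account number pairs, labels the document accordingly, and then applies a toy policy to the "copy to USB" action. The regular expressions, the CONFIDENTIAL/INTERNAL labels, the policy verbs and the sample text are all assumptions made for the example.

```python
"""Toy DLP-style content scanner and policy check (illustration only)."""
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
# The lookarounds stop us matching the middle of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# UK sort code (nn-nn-nn) followed by an 8-digit account number (assumed format).
UK_ACCOUNT_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes, most random runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Findings:
    pans: list = field(default_factory=list)
    uk_accounts: list = field(default_factory=list)

    @property
    def label(self) -> str:
        # Classification "at source": any hit makes the document confidential.
        return "CONFIDENTIAL" if (self.pans or self.uk_accounts) else "INTERNAL"


def scan(text: str) -> Findings:
    """Discover card numbers and UK account details in a document's text."""
    found = Findings()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.pans.append(mask(digits))
    found.uk_accounts = UK_ACCOUNT_RE.findall(text)
    return found


def decide(findings: Findings, destination_encrypted: bool) -> str:
    """Toy policy for copying a file to removable media.

    Confidential data may only leave to an encrypted device, and even then
    the action is logged so that the user (and the auditors) can see it.
    """
    if findings.label == "INTERNAL":
        return "allow"
    if destination_encrypted:
        return "allow-and-log"
    return "block"


# Constructed sample document; the card number is the well-known 4111... test PAN,
# the second 16-digit run fails the Luhn check and must not be flagged.
SAMPLE = (
    "Customer refund: card 4111 1111 1111 1111 exp 12/12, "
    "pay to 40-12-34 12345678. Internal ref 4111-1111-1111-1112, "
    "call 020 7946 0958 with queries."
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    print(result.label, result.pans, result.uk_accounts)
    print("copy to plain USB:", decide(result, destination_encrypted=False))
    print("copy to encrypted USB:", decide(result, destination_encrypted=True))
```

Two points a practitioner would take from this: the Luhn check is what keeps the false positive rate tolerable (the sort code plus account number above also looks like a 14-digit card number but fails the checksum), and the alert stores only a masked value, so the DLP log does not become the next thing that has to be encrypted.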
There is technology now that will do just about anything, but the problem is getting people to use it and stopping bright people doing dumb things. The banks are working hard on this. After its recent UK breaches and fines, HSBC now encrypts all data and has improved staff training, while Barclays has been applauded for its efforts to raise awareness amongst staff with its Th!nk Privacy campaign.
"One of the first things I would focus on is people," confirms PwC's Beer. "That takes the longest time to address but also provides the best value for money. If staff see important information on a printer or a PC left unlocked they will report it, if properly trained." He also believes moving responsibility from the IT department helps. "Pushing ownership of data monitoring to the business owners provides more accountability."
Securing against data breaches is not a quick fix but a continual process of awareness programmes, auditing and reviews, warns ISC2's Colley. "Financial services have a reasonable reputation for looking after data but the fact that there are still breaches indicates that you have to keep your eye on the ball at all times and concentrate on the softer people side. If you take your eye off the ball something will go wrong," he says. Also, any breaches by banks attract extra media attention and reputational damage, as banks aren't the most popular institutions at the moment.
Whatever you do, data breaches will still happen. "Data is never going to be 100 per cent secure no matter how big a lock you put on it, because someone will always be targeting it," says Tim Thompson, UK MD of internet fraud prevention firm, 41st Parameter. The trick is to make it as difficult as possible and to stay ahead of criminals who are increasingly using phishing attacks to steal identities, while securing your own back door by preventing lost disks and stupid mistakes. That way, hopefully, customers can be kept safe from harm.