
Back to basics

Many banks have spent a fortune in recent years rolling out two-factor authentication systems, anti-phishing procedures and card readers that can create one-time passwords for customer log-in, all in an attempt to stop criminals stealing identities and defrauding customers. Vivienne Rosch argues that this money is in danger of being wasted due to lax internal controls that have led to a spate of data breaches, and that what is needed is a return to basics.

Everybody in the financial services sector can reel off the list of recent spectacular incidents of data loss events. Businesses in the financial services sector are uncomfortably well represented. The Financial Services Authority (FSA) recently levied an unprecedentedly high £1.26 million fine on Norwich Union’s life assurance unit for not adequately managing its financial crime risks and not having effective systems and controls in place to protect customers’ confidential information. Using data available from public records, fraudsters last year successfully impersonated Norwich Union policy holders to the firm’s own call centre staff, obtaining from them the confidential details they needed to cash in policies worth a total of £3.3 million.

The FSA also fined Nationwide £980,000 last year following the theft of a laptop from an employee’s home. Although the theft itself was reported immediately, the company wasn’t aware that the laptop contained confidential customer details and didn’t start an investigation until three weeks later. Skipton Financial Services also lost a laptop last year which contained unencrypted personal and financial data, including National Insurance numbers and fund investment details, relating to 14,000 of its customers – the laptop was stolen from a locker. Barclays was also embarrassed after a fraudster persuaded call centre staff to issue a Barclaycard in the name of its chairman, Marcus Agius, after finding his details online. The criminal then visited a branch in January 2008 and managed to walk out with £10,000.

In addition, last November, Her Majesty’s Revenue and Customs department (HMRC) lost two CDs carrying the personal details of 25 million UK recipients of child benefit. The disks were password-protected, but the data was unencrypted and it included the names of parents and children across the country, addresses, dates of birth, child benefit numbers, National Insurance numbers and also bank and building society account details. While there has been no evidence of consequent fraud, its chairman Paul Gray was forced to resign in the aftermath and the furore has further undermined public confidence in the wisdom of sharing personal data with public and private organisations alike. Matters were not helped by the UK Information Commissioner, Richard Thomas, admitting in his last report that he was “horrified” by the number of banks and public bodies that breached UK data protection rules.

Incidents like these grab the headlines. Each shows a lapse in information security in the organisation involved, which is why some worry that the media storm will undermine consumers’ confidence in banking and buying online, just when they had accepted these as time-saving and cost-effective parts of their everyday lives. There is nothing fundamentally new about any of this though. The annual report by the Information Security Forum (ISF), a not-for-profit international association of over 300 leading organisations which funds research into information security and risk management problems, published in December 2007, points out that what has come to be known as ‘data leakage’ is something companies have had to deal with for many years already. The report provides guidelines on how to avoid leaks via a combination of measures from access control to laptop and USB encryption. It also stresses that in order to avoid ‘leakage’ incidents, the right messages must be driven home to an organisation’s staff, as well as to third parties and outsourcers.

Oxygen of publicity
Whether or not there has been a real increase in the instances of personal data loss by UK companies (of the kind outlined above) or if it just seems to be so due to the oxygen of publicity is a difficult question to answer, says Toby Stevens, vice-chair of the British Computer Society’s Security Forum. “There has been no obligation for UK authorities or private organisations to declare data losses but we’ve seen a lot of surveys and press about the issue in recent times. My personal feeling is that incidents are probably on the rise, not dramatically, but it’s more obvious because we have a new-found openness in the UK and a willingness to disclose when it happens – there’s certainly now a strong public perception that data losses are on the rise because of this.” However, it is generally agreed that internet fraud is also still rising and remains a threat, for example through phishing attacks or the like, so it’s important to remain vigilant on both fronts. The public’s perception of these two very distinct kinds of threat seems at times to get blurred and this may be contributing towards the public’s unease about data loss, when in fact it’s a separate subject.

In many US states, organisations are obliged to report ‘data breaches’, as it tends to be called across the pond. Indeed, the UK House of Lords Science and Technology Committee made a proposal in its report entitled Personal Internet Security, published last August, that a data security breach notification law, along the lines of the American one, be introduced in the UK as a matter of urgency. The government has not acted upon it as yet, but legislation may instead be introduced by the EU anyway as the issue is currently being discussed continent-wide. If such a law does eventually come into force, obliging firms to notify customers of any data leaks, then you can bet it will encourage firms to improve their performance in this area.

Criminal intent
We need to distinguish between negligent loss and real criminality, believes Stewart Room, a specialist data protection lawyer and partner at Field Fisher Waterhouse. “The laptop being lost, yes, it’s bad, organisations should feel sheepish about it,” he says, “but that’s not the stuff that’s the real worry. It’s the external electronic attack, whether we call it pharming, phishing or some kind of denial of service attack, right through to the internal malevolent employee and industrial espionage that we have to worry about, as there’s criminal intent there not just poor staff practices.” All well and good, unless of course a negligently lost data disk falls into a criminal’s hands.

John Colley, co-chair of the (ISC)2 security trade body, whose career has encompassed the top information security jobs at the Royal Bank of Scotland, Barclays and ICL, has his own opinion on the recent data loss incidents: “Each of these cases is slightly different, but they do have a common theme, and I would say it is the human side. We’ve got two problems as I see it; number one, there is cost cutting, which was definitely a factor in the case of HMRC’s lost data disks, and then there is the second problem of people completely failing to follow their own rules.”

Training
So how can organisations improve on the complacent human factor? “The human element has always got to be the key,” says Graham Cluley, senior technology consultant at the vendor Sophos. Besides helping companies to implement comprehensive endpoint security solutions, Cluley stresses the importance of staff training programmes, both for new and for longstanding staff. “Don’t assume just because staff have worked at another bank, that they know how to use email and the web safely.” Employees who have been with a company for some time may need to be updated on the latest trends in social engineering attacks. Training really has to be continuous.

As Britannia Building Society’s spokesperson, Jayne Dono, says: “Avoiding identity theft is about everyone – employees, customers, and members – taking responsibility to use personal details sensibly and carefully. Britannia offers advice to its employees about how to protect identities and avoid ID theft. This is done through our internal intranet and also through training sessions.” [Interestingly, Britannia was the only organisation approached which asked for this writer’s identity to be confirmed by the magazine’s publishers before agreeing to communicate, so they really do practise what they preach.]

Beyond training, this is really about a culture change, says BCS’ Stevens. “There’s a culture in both public authorities and the private sector that personal information is a cheap, easy, free commodity, and that’s got to change. We’ve got to understand that this stuff is valuable. We need to spend money to make sure that the individuals handling personal data not only understand what the rules are, but actually respect and abide by them.”

Technology
Technology still, of course, has an essential role to play in ensuring that personal data at financial institutions is stored and processed securely – encryption, for example, could have prevented many of the major worries over recent data breaches and ‘lost’ identities. Internal access control can also prevent untrained, or unauthorised, employees from getting near important data in the first place. But technology can never be the whole answer. Is it the company network which needs protecting from incursions inwards and leaks out? Is it paramount to ensure that you know at all times that employees and customers are who they say they are? Which risks attach to which classes of data? Every company must make its own choices and deploy authentication or similar technologies as it deems fit in accordance with its particular requirements. Not all institutions will get it right, but the more layers of protection there are – provided there is a wise procedure in place – the harder it should be for customers’ identities to be stolen.

“Certainly technology can help staff and the external end users make fewer mistakes,” says Sophos’ Cluley. “You can make sure that people are obeying the correct procedures by using solutions like Network Access Control which will check that all of your computers are complying with your security policy. In my experience, around half of corporate computers do not currently do this.”

Protecting your data
According to Jamie Cowper, PGP Corporation’s director of European marketing, you also need to classify your data in terms of risk. “There has been a shift away from a network-centric approach towards a more data-centric approach, identifying and tagging your data for risk, and then ensuring that you’ve got the appropriate levels of protection [for each],” he explains. “Adopting this approach requires a combination of access control and authentication techniques.”

Different approaches and product toolsets may be appropriate for specific problems. However, most security experts agree that what is most important is precisely what most organisations find hardest to carry out, which is to address the bigger picture. For a financial institution to really have a successful approach to data security, it first needs to understand how data works in its own organisation. It needs to be aware what classes of information it holds, where it holds them, and for what purposes each of them is held and processed.

Some say that this is precisely the kind of exercise that many large firms are not good at performing, not for want of trying, but due to the very nature of large organisations in our complex world. As Field Fisher Waterhouse’s Room says: “One of the basic flaws in organizations, from the perspective of data security, is that there is a kind of silo mentality whereby particular needs at a specific time drive the core strategy and decision-making, to the detriment of the longer-term picture.

“On top of this, if you ask most organisations to list all their repositories of data, most would get it very wrong,” adds Room. “A lot of people don’t know where their data is and can’t explain why they’ve got the data when they discover that they do actually possess it. A lack of control and poor records contribute to the problem of protecting identities.” Room advocates introducing independent data security auditors, recruited from the private sector and similar to financial auditors, to better protect customer data. He believes that this would be more effective than giving extra inspection powers to regulators. However, the government has already accepted that the UK Information Commissioner should have these extra powers in principle, at least for the public sector. It will only be a matter of time before these are stretched to cover the private sector as well.

There is no reason for universal doom and gloom though. Financial services businesses are not doing so badly, thinks ISC2’s John Colley: “When they get a leak, it’s well publicised but generally, I would say they are the industry that most other people follow. The ISF trade body annual survey does break down into various sectors and you always find that the banking and financial sectors score higher in terms of their controls and procedures compared to some other industrial sectors.” Reasons for hope therefore but not complacency; many more data leaks and the public may rush back to the branch bank for fear of sharing their financial information and identities – and no-one’s got the facilities to cope with that anymore.
