IT Security: Human Factor and Human Rights
The technologies used to build IT system protection need to be kept in step with organizational measures, incentives and awareness programs at banks. The human factor, including inattention and breaches of "inconvenient" regulations, can open a path for insider dealing in confidential information, if not an immediate loss of data.
"CLOUDS" AND PERIMETERS
The need to ensure protection against outside perpetrators continues to top the list of goals that any bank's IT Security Department pursues. However, protecting the perimeter of a bank's IT system has become increasingly complicated when one factors in today's telecom technologies, which make it easier than ever to transfer any data. The perimeter that IT security systems guard is becoming blurred and open to penetration, mainly not because of outside attacks but because bank employees actively use e-mail, Skype and other popular messengers, social media, cloud data storage and mobile gadgets.
Of course, it is not only banks that have to deal with this issue. In August this year, Irina Yarovaya, Chairman of the State Duma Committee for Security and Anti-Corruption, told the media about a deputies' initiative to make it a criminal offense for public officials to transfer insider information through external messaging services and cloud technologies. I. Yarovaya considers the use of such technologies equivalent to posting documents for the general public to access. Disclosure of insider information via private channels is treated as equivalent to passing state secrets, punishable by the penalties set out in the RF Criminal Code.
Such initiatives are hard to evaluate in terms of effectiveness, particularly when it comes to applying them in private companies. At first glance the initiative may look like a purely populist measure. A blanket ban on any new communications technology is like a person isolating herself during a flu outbreak: she would certainly improve her chances of avoiding infection, but at the cost of complete isolation from social life. For a bank today that is unacceptable. IT security experts argue that protecting confidential data cannot be defined as a clear-cut project; it is a continuous and creative process that brings together organizational, legal and technical measures aligned with the current environment and short-term expectations.
The experts consider it most useful to set priority levels for the protection of particular information and to delineate the scope of access rights to it. Any bank needs to clearly identify its critical data pools and the IT systems used to process them. It also needs to evaluate the possible losses, financial and otherwise (such as damage to reputation or image), that it would suffer if such data were misused, the ways such data can be accessed, and the probability of such events. Only once a bank has addressed these questions will the scope, the areas and the threats that protection must cover become clear.
For instance, accounting data, payment orders and the like are traditionally assigned the highest confidentiality level, which means a bank spends most of its money on making sure these data are fully protected. The question that comes to mind, however, is what financial loss the leak of a 20-dollar payment order would actually entail. At the same time, the very area that brings banks billion-dollar losses, illegal dealing in customer data, sits at the bottom of the list, as IT security experts lament.
RIGHTS AND REGULATIONS
Such an analytics-driven system of protection against insiders turns from a technology project into a tool capable of ensuring economic security and serving the bank's business objectives. We can assume that it is feasible to introduce more stringent regulations and policies for the front office and account managers: an employee may access the automated banking system only after successful identification, and only for a clearly defined list of IT resources. Today it is conventional practice for a user to identify herself with a login and password, an access card or a flash token. Some banks find it worthwhile to roll out quite expensive biometric ID systems, which give a higher level of identification reliability for both employees and customers. In addition, every action an employee takes is recorded, and a digital signature, equivalent to a handwritten one, is used to prevent forgery.
The scope of a user's access rights to e-documents is clearly defined, including rights to review, edit and delete documents and attachments, set both for databases and for individual documents. E-document exchange systems make it possible to grant one group of users the right to edit particular documents while another group can only review and approve them. A clearly identified scope of access rights delivers a practical benefit in this way: it makes it possible to track every change made to a document and its flow. A bank needs to revise and update such lists on an ongoing basis to keep pace with developments.
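As an added illustration of the group-based rights and change tracking described above (example code written for this page, not the article's or any bank's document system), the store below assigns each user to one group, checks the requested right against that group, and records every attempt in an audit log, including the denied ones, so a controller can see both the flow of a document and who tried to step outside their rights. The groups, users, documents and the "archive" group are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed group -> rights table. "editors" can change documents,
# "approvers" can only read and sign them off, "archive" can read and delete.
RIGHTS = {
    "editors": {"review", "edit"},
    "approvers": {"review", "approve"},
    "archive": {"review", "delete"},
}


class AccessDenied(Exception):
    """Raised when the user's group does not include the requested right."""


@dataclass
class Document:
    doc_id: str
    body: str
    approved: bool = False


class DocumentStore:
    """E-documents plus an audit log of every attempted action, allowed or not."""

    def __init__(self, user_groups, rights=RIGHTS):
        self.user_groups = user_groups      # user -> group (one group per user, assumed)
        self.rights = rights
        self.docs = {}
        self.log = []                       # (doc_id, user, action, allowed, detail)

    def can(self, user, action):
        return action in self.rights.get(self.user_groups.get(user), set())

    def _authorize(self, user, action, doc_id, detail=""):
        allowed = self.can(user, action)
        # Denied attempts are logged too: repeated denials are a signal for the controller.
        self.log.append((doc_id, user, action, allowed, detail))
        if not allowed:
            raise AccessDenied(f"{user} may not {action} {doc_id}")

    def create(self, user, doc_id, body):
        self._authorize(user, "edit", doc_id, "create")
        self.docs[doc_id] = Document(doc_id, body)

    def review(self, user, doc_id):
        self._authorize(user, "review", doc_id)
        return self.docs[doc_id].body

    def edit(self, user, doc_id, new_body):
        doc = self.docs[doc_id]
        self._authorize(user, "edit", doc_id, f"{doc.body!r} -> {new_body!r}")
        doc.body = new_body

    def approve(self, user, doc_id):
        self._authorize(user, "approve", doc_id)
        self.docs[doc_id].approved = True

    def delete(self, user, doc_id):
        self._authorize(user, "delete", doc_id)
        del self.docs[doc_id]

    def audit(self, doc_id):
        """Chronological (user, action, allowed) triples for one document."""
        return [(u, a, ok) for d, u, a, ok, _ in self.log if d == doc_id]

    def denied_attempts(self):
        """Every denied action across all documents, for the controller to review."""
        return [(d, u, a) for d, u, a, ok, _ in self.log if not ok]


def demo():
    """Constructed scenario: an editor drafts a payment order, an approver signs it off,
    and each of them tries one action outside their group's rights."""
    store = DocumentStore({"alice": "editors", "bob": "approvers", "carol": "archive"})
    store.create("alice", "PO-0001", "Payment order, draft")
    store.edit("alice", "PO-0001", "Payment order, final")
    try:
        store.approve("alice", "PO-0001")          # editors cannot approve
    except AccessDenied:
        pass
    store.approve("bob", "PO-0001")
    try:
        store.edit("bob", "PO-0001", "tampered")   # approvers cannot edit
    except AccessDenied:
        pass
    return store


if __name__ == "__main__":
    s = demo()
    for entry in s.audit("PO-0001"):
        print(entry)
    print("denied:", s.denied_attempts())
```

The point of logging the denied attempts alongside the allowed ones is that the audit trail then answers both questions the article raises: how a document changed hands, and who tried to act beyond the rights their group was given.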
DLP (Data Leak Prevention) systems are among the most efficient and effective solutions, but they are also highly expensive. They make it possible to monitor data flows within the bank's IT system. A DLP system provides centralized control and the ability to block USB ports, analyze incoming and outgoing Internet traffic and the content of e-mails, search by keywords and set the parameters of Internet access.
Such systems can raise an alert for a controller whenever there are signs of insider activity.
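To show what the keyword search and e-mail content analysis of a DLP system amount to in practice, here is an added example (written for this page; not the article's code and not any DLP product's logic) that inspects a batch of outbound messages, flags keywords, card-number-like strings that pass a Luhn check, and risky attachment types, and then decides whether to block the message or only log it for the controller, depending on whether a recipient is outside the bank. The bank domain, keyword list, attachment types and all messages are constructed; 4111 1111 1111 1111 is a widely used test card number, not a real account.

```python
import re
from dataclasses import dataclass, field

BANK_DOMAIN = "bank.example"                       # assumed internal domain
KEYWORDS = ("confidential", "payment order", "client list")
RISKY_ATTACHMENTS = (".xls", ".xlsx", ".csv", ".db")
# Sixteen digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Alert:
    msg_id: str
    action: str        # "block" (findings and an external recipient) or "log" (internal only)
    findings: list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other 16-digit strings
    (ticket references, phone numbers) and so cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(msg: Message) -> list:
    """Return the names of the rules that fire on one message."""
    findings = []
    text = f"{msg.subject}\n{msg.body}".lower()
    for kw in KEYWORDS:
        if kw in text:
            findings.append(f"keyword:{kw}")
    for m in CARD_RE.finditer(msg.body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("card-number")
            break
    for name in msg.attachments:
        if name.lower().endswith(RISKY_ATTACHMENTS):
            findings.append(f"attachment:{name}")
    return findings


def is_external(msg: Message) -> bool:
    return any(r.split("@")[-1].lower() != BANK_DOMAIN for r in msg.recipients)


def scan(messages) -> list:
    """Messages with findings are blocked when bound outside the bank and only
    logged for the controller when they stay inside; clean messages pass."""
    alerts = []
    for msg in messages:
        findings = inspect(msg)
        if findings:
            alerts.append(Alert(msg.msg_id, "block" if is_external(msg) else "log", findings))
    return alerts


SAMPLE_MESSAGES = [  # constructed sample traffic
    Message("m1", "alice@bank.example", ["bob@bank.example"], "Lunch", "See you at 12."),
    Message("m2", "alice@bank.example", ["someone@webmail.example"], "Files",
            "Attached the payment order and client list. Card 4111 1111 1111 1111.",
            ["clients.xlsx"]),
    Message("m3", "bob@bank.example", ["carol@bank.example"], "Confidential draft",
            "Ticket ref 1234 5678 9012 3456, please review."),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print(alert)
```

Message m3 illustrates why the checksum matters: its 16-digit ticket reference matches the card pattern but fails Luhn, so only the keyword rule fires and the message is logged rather than blocked. A production DLP system adds document fingerprints, OCR of images and endpoint controls on top of this kind of content rule, but the alert-or-block decision for the controller is the same shape.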
However, IT security experts at banks are amazed at how easily even the most complex encryption algorithms can be bypassed: users simply give their passwords to others or leave their keys and flash cards on the table. Banks find that most often they are dealing with internal breaches and non-compliance with the requirements in force, where the users have no malicious intent. Insider attacks or attempts to get around the restrictions imposed on an employee are seen much less frequently. Nevertheless, there is no question that the more often breaches occur, the easier it is to plan and execute an insider attack on a company. This is a reason for IT security to put greater effort into prevention and into monitoring employees' compliance with established rules and procedures.
The experts believe that the human factor can only be addressed by integrating the information and physical security systems that banks already have. In particular, banks need to build strong identification procedures and roll out biometric ID systems. A bank needs the ability to obtain a track record and see every action an individual employee performs in her work. This can be achieved with CCTV systems, access controls and passes. In addition, a bank needs to draw up a list of regulations whose observance the IT and physical security systems should track. Some banks have started to track the activities of IT administrators and even IT security specialists, and not without reason: as practice shows, it is precisely privileged users who attempt to get at confidential information.
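One concrete form of the integration described above is to correlate the pass system's badge events with IT logins. The added example below (written for this page, not the article's or any bank's code) applies one assumed rule: an interactive workstation login is only expected while that same user is badged into the building, so a login with no badge-in on record, or after the user badged out, is exactly the kind of shared-password or unattended-token situation the previous paragraph describes. Both logs, their formats, the users and the dates are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed logs: "<ISO time> <IN|OUT> <user>" and "<ISO time> <user> <workstation>".
BADGE_LOG = """\
2013-09-02T08:55 IN alice
2013-09-02T09:02 IN bob
2013-09-02T12:30 OUT bob
2013-09-02T18:05 OUT alice
"""
LOGIN_LOG = """\
2013-09-02T09:10 alice WS-17
2013-09-02T09:15 bob WS-04
2013-09-02T13:45 bob WS-04
2013-09-02T10:00 carol WS-09
"""


@dataclass
class Alert:
    when: datetime
    user: str
    workstation: str
    reason: str


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def badge_intervals(badge_log: str) -> dict:
    """Per-user presence intervals [start, end-or-None] built from badge events."""
    intervals = defaultdict(list)
    for line in badge_log.splitlines():
        ts, event, user = line.split()
        t = parse_time(ts)
        if event == "IN":
            intervals[user].append([t, None])
        elif event == "OUT" and intervals[user] and intervals[user][-1][1] is None:
            intervals[user][-1][1] = t
        # An OUT with no open IN (tailgating on the way in) is ignored here;
        # a real system would raise a separate alert for it.
    return intervals


def correlate(badge_log: str, login_log: str) -> list:
    """Flag every login that happened while the user was not badged in."""
    presence = badge_intervals(badge_log)
    alerts = []
    for ts, user, ws in sorted(line.split() for line in login_log.splitlines()):
        t = parse_time(ts)
        inside = any(start <= t and (end is None or t < end)
                     for start, end in presence.get(user, []))
        if inside:
            continue
        if not presence.get(user):
            reason = "no badge-in on record"
        else:
            before = [(s, e) for s, e in presence[user] if s <= t]
            if before:
                reason = f"badged out at {before[-1][1]:%H:%M}"
            else:
                reason = f"login before first badge-in at {presence[user][0][0]:%H:%M}"
        alerts.append(Alert(t, user, ws, reason))
    return alerts


if __name__ == "__main__":
    for a in correlate(BADGE_LOG, LOGIN_LOG):
        print(f"{a.when:%H:%M} {a.user} on {a.workstation}: {a.reason}")
```

The same rule applies unchanged to the privileged users the paragraph ends with: an administrator's login to a critical server, checked against the server-room access log rather than the front door, is the case where this correlation pays off most.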
CUSTOMERS AND MANAGEMENT TEAMS
The experts concede that such measures work well only in the front and middle offices. It is hard, however, to roll out standard security solutions across business-generating sales departments and management teams, primarily because of the detrimental effect they would have on business drive, rather than because of management privileges or the chain of command.
There is always a chance that security requirements which get in the way of business development will simply be ignored. Meanwhile, the mobile device a manager uses on her business trips is part of the corporate IT system and holds a large cache of confidential and valuable information. As a result, IT security systems are quite often incapable of monitoring the scope of information that bank employees access.
And the number of leaks is constantly growing. All of this leads IT security experts to claim that the most significant hazard is not data leaks as such but the uncontrolled flow of the most valuable data within the protected perimeter. Today it is paramount for IT security systems at banks to pursue the following objective: identify critically important information and build the capability to monitor its flows, irrespective of the individual device used to store it, since both accidental loss and deliberate theft of an external storage device or notebook in order to get at confidential information are possible.
Looking at a bank's business activities, it is evident that the scope of IT security issues should also cover threats associated with customer interactions. It is not unusual for a bank to find malware installed on a device a customer uses to interact with the bank's IT systems. Naturally, this poses a potential threat to the IT systems the bank operates, and the risk cannot be eliminated by regulations alone; a broader vision is needed. Financial players need to build their IT security systems so as to support security services that focus on both the bank itself and its customers. This is necessary because the risks customers pose to the bank are no less significant than those arising from malicious actions by an employee (insider dealing) or from the human factor.