Enterprise Services Blog
Get the latest thought leadership and information about the role of Enterprise Services in an increasingly interconnected world at HP Communities.

When compliance is not enough—a new approach to data security and banking

G5502049082006_JPGHighres.pngWhen it comes to security and privacy, there isn’t a standard high enough for banks and their customers. With an increasing amount of transactions being handled digitally and from other channels, it is critical that banks offer the most comprehensive processes and standards and privacy. Customers also need to experience a consistent level of confidence and confidentiality across multiple platforms from multiple channels, such as the teller line, customer service phone numbers, ATMs, kiosks, online, mobile devices, tablet, or otherwise. Banks and financial institutions also have additional layers of complexity concerning compliance and regulatory requirements.  

 

The velocity of the threat environment has increased to such a degree that policy, software, and hardware are constant, and deploying a fluid comprehensive strategy is critical to stay on top of it.

 

To understand how to exceed both customer and compliance expectations, we sat down for a brief interview with two HP experts. Here’s what Ross Feldman, Director of Industry Strategy, U.S. Financial Services and Jeffrey Lewis, Global Security Product Marketing Manager for HP Enterprise Services have to say.

 

ES: How has cybercrime evolved, and how are FSI’s staying ahead of the game?

RF: One aspect we are certainly seeing is that fraudsters and hackers aren’t operating alone. They are highly organized professional organizations. They are generally not single individuals trying to steal someone’s credit card number, but highly sophisticated operations that are looking to steal the data and credentials from millions of accounts. So that’s one evolution that is troubling. The other is that they are becoming more and more sophisticated. So not only are they alone, but they are also smarter and more nimble. Consequences of a security breach are measured financially—and can be extraordinarily high, as well as damaging to an institution’s reputation. Impacts can be long lasting as well.

JL: I agree. I’m sure you’re familiar with the Ponemon study that HP commissioned last year. The most troubling statistics are the ones involving timing. At the time of the study, it took 24 days to recover from an attack. That’s a general statistic, across a number of industries. Due to the characteristics of compliance and some of the regulatory legislation, the figures for Financial Institutions are pretty staggering. Remember, banking and security isn’t something FSIs outsource. So our role is to back up the resources these companies have in place and offer the best service and advice possible for their given situations. For banks, mere compliance is not enough. Their ability to recover from attacks lies in their ability to think ahead and anticipate.        

 

ES: As you work with banking clients today, which areas are proving most difficult for them as their security strategy evolves?

RF: The rapid rate of change financial institutions are faced with. Making everything work together harmoniously is a challenge for them. We’re talking about making sure data and information stays secure at every touch point—ATMs, tellers, online, mobile channels, etc. Each of those provides an opportunity for access to data. If that data or process is unsecured, the threat environment is active. Institutions must deploy strategic and tactical plans to mitigate against harmful impacts, understand their processes, and have deep Know Your Customer (KYC) understanding. The more you know about your customer relationship, their behaviors and general activities, and the way they choose to interact with you, the better.

JL:  I think the other thing to keep in mind is the massive growth of suppliers and processors the industry has seen due to the regulatory requirements. For example, merchants have more choices of processors and networks, which bring increased payment routing flexibility. As a result, there are varying degrees of security in place, and the fraudsters naturally flock to the weakest link, thus exposing customers to the risk of fraud.

 

ES: So when data is transferred across an expanded set of payment networks, it potentially creates a risk. What advice (I don’t know if we can give advice) can you give to banking institutions as they work to manage these risks when interacting with suppliers or partners?

JL: So, here’s a sobering observation. Of the reports and alerts FSIs get concerning security breaches, 44 percent of them involve suppliers. So the issue isn’t that the bank has kept their eye off the security compliance ball, it’s that the supplier isn’t up-to-date with the regulations. As payment networks expand the potential for a serious attack increases almost exponentially. And it’s not always hackers and attackers. I’d say, by and large, the risks are created by human error. Most likely the risk was exposed due to fatigue or mistakes. There are, of course, situations where activists have leaked vital security information, but mostly it comes down to simple human error.

 

ES: Financial institutions need to develop effective strategies to move from a reactive approach to securing information to a more proactive security posture that helps them protect their assets and their customers against threats. What are some examples of key things to consider as banks move to this more proactive approach to security?

RF: I’d echo what I said before: KYC—Know Your Customer. That goes for the supply chain as well. Before you can create a strategy, you have to vet your suppliers and processors. You are only as strong as your weakest link. And it’s not really enough to work toward compliance. You need to work hand in hand with internal risk, security, and compliance, to design, develop, and deploy the right strategy that is strong, fluid, and able to evolve with the market..

JL: I have conversations with CISOs of FSIs on a regular basis. Here’s what I tell them: Have a strategy in place where you can identify threats early; know the limitations of your IT security organization, and supplement them where needed; and extend your compliance requirements to everyone operating within your perimeter.

 

HPB20132_CloudInBanking_Cover-335x399.pngFor more insight into the banking industry—and how HP is helping our clients fight cybercrime—read the recent Innovations in Banking Edition of the “Industry Edge” ezine. Learn more about how HP is addressing security at www.hp.com/go/security

Labels: Banking| FSI
Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the community guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation