PLANO, Texas, March 12 /CNW/ -- EDS (NYSE: EDS) has identified eight key
security risks that should be of utmost concern to financial institutions. The
importance of security and operational risk management has grown tremendously
due to a variety of factors, including growing regulatory requirements,
increasing security risk from insiders and the growing number of data security
Financial institutions are currently responsible for customer and
corporate security at three separate levels: the financial institution
(including network and infrastructure all the way to employees and agents with
access to data), service providers (outsourced functions must still include
management responsibility by the financial institution) and consumers
(consumer end-point vulnerabilities can jeopardize a financial institution's
security). Financial institutions only have direct control over one or two of
these levels, and the rapidly evolving environment is changing the way they
approach security and operational risk management. EDS recommends eight risk
priorities that financial institutions must consider to minimize the
possibility of security breaches.
1. Securing Data Outside the Organization - Since regulators demand
that non-public personal information be backed up and stored
off-site, risks arise because large banks do not have the
infrastructure to support the bandwidth required to move all their
data electronically. When tapes or other removable media are the
storage medium of financial institutions, dangers can arise
through the loss or theft of this media during shipping. The
encryption of all data that is moved offsite is crucial, but
should be mandatory for portable end-user devices such as laptops
and PDAs, as well as all removable media.
2. Security and Privacy Controls of Service Partners - Privacy and
security regulations dictate that financial institutions are
ultimately responsible for the actions of their service partners.
Therefore, a key risk management priority becomes the assurance
that both domestic and offshore service providers have adequate
security and privacy controls to detect and prevent breaches in
the confidentiality and integrity of customer information.
3. Insider Threat - While financial institutions have put appropriate
measures in place to protect against external threats, it is
generally accepted that the majority of data losses today are the
result of the "Insider Threat." Employees or contractors whose
roles allow them access to significant personal and confidential
information have often been the causes of information loss.
However, systemic problems and accidental employee actions are the
most frequent forms of potential data loss. Financial institutions
need to consider the deployment of data loss prevention tools.
These tools can not only monitor and optionally block outbound
sensitive communications of all types, but they can also verify
that no personal or confidential information has been stored on
widely accessible shared drives or Web servers. Many tools also
now provide very granular control of end-user devices and can
selectively prevent copying and pasting or writing to removable
media of personal or confidential information.
4. Wireless Woes - Wireless devices and connectivity are still
relatively new to the financial services industry, but they
represent additional security complications. Wireless devices
improve productivity, increase business agility and reduce costs,
but mobile nonpublic information must be secure. Mobile devices
are particularly vulnerable, as they are easy to lose or steal,
and capable of holding a large amount of nonpublic customer and
corporate data. One of the growing risks comes with employees or
customers using an unprotected airport, hotel or other public
wireless connection. Financial institutions must provide secure
communications mechanisms for all of their mobile employees and
contractors so that all wireless communications are encrypted and
cannot be compromised when no secured wireless facilities are
5. Evolution of Criminal Schemes - To stay ahead of the criminals,
financial institutions must take a proactive, rather than a
reactive, approach to security. This means constant reassessment
and evolution of security efforts. Strengths and weaknesses of
corporate policies and procedures, as well as consumer-facing
security measures must be evaluated regularly in order to make
appropriate adjustments and encompass the latest technology,
criminal and security trends. Today, one of the biggest threats
facing financial institutions results from "phishing" attacks.
While early phishing attacks were very basic, recent
"man-in-the-middle" attacks have become far more sophisticated. Through
participation in groups such as the Anti-Phishing Working Group
(APWG), financial institutions can collaborate with other
organizations to help early identification and takedown of
phishing Web sites.
6. Identity and Access Management - One of the key challenges facing
all organizations today is that of Identity and Access Management.
Ensuring that system and application access is limited to those in
roles with a "need to know" is one of the challenges. This is
being addressed through the integration of human resources systems
with underlying access control systems. Other areas of rapid
development include single sign-on and multifactor authentication.
All of these can contribute to making the financial institution's
infrastructure more secure from external and internal threats.
Federated Identity Management systems will also help alleviate the
challenges that financial institutions face with respect to
providing system and application access to their business
7. Consumers - They can be careless by using simple passwords, losing
their ATM card or writing down their PINs, any of which can lead
to unauthorized account access and ultimately fraud. Consumers
often do not have adequate or updated security on their personal
devices, which can result in security breaches during sessions on
their financial institution's Web site. Because consumers
recognize that financial institutions absorb the cost of
fraudulent transactions, they tend to be less security conscious
than they might otherwise be. As consumers continue to be
susceptible to scamming or phishing, financial institutions need
to constantly educate consumers on the security measures they
should be taking, not only to protect themselves, but also to
reduce the risk to financial institutions.
8. Regulations - Due to regional variations, financial institutions
have varying security challenges based on their geographic
location. In North America, highly publicized security breaches
and regulatory change are placing an increased emphasis on banks'
data security. These recent regulatory changes in the United
States have prompted European institutions to step up consumer
information protection under the assumption that European
legislation will soon be more involved with this widespread
concern. Basel II compliance will eventually require all financial
institutions globally to tighten operational risk management and
mitigation policies and procedures. Most importantly, identity
theft notification laws that have been enacted in 36 states have
had the greatest impact on financial institutions, with
compromised records costing an average of $182 each. In addition,
data disposal rules can also lead to breaches, but can be
minimized with new technology, including new data collection that
allows customers opening an account to never have their
documentation leave their sight.
Some 25,000 EDS employees work on finance-related projects for about 200
customers in 30 countries for clients such as ABN Amro, Aon, Bank of Canada,
Bank of Queensland, la Caixa, CIBC, Commonwealth Bank Group, KBC, Korea First
Bank, Lloyds TSB, Royal Bank of Scotland, Societe Generale, Visa and Westpac.
EDS is a leading global technology services company delivering business
solutions to its clients. EDS founded the information technology outsourcing
industry more than 40 years ago. Today, EDS delivers a broad portfolio of
information technology and business process outsourcing services to clients in
the manufacturing, financial services, healthcare, communications, energy,
transportation, and consumer and retail industries and to governments around
the world. Learn more at http://www.eds.com .
Annabelle Baxter - EDS Media Relations
972 605 0978
For further information: Annabelle Baxter, Media Relations of Electronic
Data Systems Corporation, +1-972-605-0978, or email@example.com Web