Risk Management in 2008 - Top 10 Considerations
1) Keeping up with Compliance
What if you find your organization already maxed out in terms of physical and/or financial resources to achieve compliance? This is a major issue for some financial institutions, especially the smaller ones.
“With Banking and Finance being a major market sector for BAI Security, we speak with a large number of financial institutions and many are struggling with compliance,” says Michael Bruck, President of BAI Security, a leading Managed Security Services firm based in Chicago. “Of course, the smallest organizations are hardest hit, but we’re seeing institutions of all sizes struggling to revise and expand budgets to allow for new technology and personnel.”
Historically, the Credit Union National Association finds that only about 10 percent of credit unions have a person dedicated to compliance. The others generally rely on a senior officer to handle this area – on top of their other non-security responsibilities. Security is too often put lower on the priority list, and this causes shortcomings in their security program and obviously increased risks to the organization.
However, it’s not just the smaller credit unions that face these issues, as pointed out by Mr. Bruck. Small and medium-sized banks are also facing challenges in redirecting funds and resources from an already overburdened IT department.
The consensus for this issue seems to be doing more with less. This isn’t to say pile more on your already overburdened personnel, but spend smarter and take advantage of economies of scale. The amazing growth of IT outsourcing, specifically in security, is by and large driven by demand. This demand in part is coming from organizations that have learned to do more with less and are succeeding.
2) New Regulations
As if the current regulatory requirements were not enough, here is a sampling of what to expect in 2008:
· ID Theft Red Flags – compliance deadline is November 1st.
· New FFIEC Requirements – an update to the IT Examiners Handbook is expected in 2008.
· FFIEC Pandemic guidance – potentially the biggest business continuity issue of 2008.
· FDIC IT Risk Management Program amendments – the new exam questionnaire is out and it deals with new issues such as vendor management. You can only expect other regulators to follow suit.
· Anti-Money Laundering – the Bank Secrecy Act examination manual was revised in ’07 and there’s every reason to expect new requirements in 2008.
· BASEL II – as banking institutions do more business internationally, they increasingly must meet these recommended global banking standards.
Whether your institution is working toward compliance on ID Theft Red Flags or the recently released FFIEC Pandemic Guidance, “Make sure your risk assessments are current and up-to-date,” says FDIC spokesperson David Barr.
3) Insider Threats
“One of the areas we see a dramatic increase of concern is over data leakage,” says Michael Bruck of Chicago-based BAI Security. “The ease with which an individual can export sensitive information from an internal network is chilling for many institutions. We often conduct such evaluations during our Security Audit program and demonstrate just how easy and undetectable the process can be in most environments.” Even with the headlines and various forms of education on this subject, BAI Security recently reported that as many as 40% of institutions responded in a recent survey that they were concerned their organization has been a victim of data leakage.
As noted by many security experts, you can’t detect what you’re not monitoring for on your network. “The technology exists today and is used in our Managed Security Services,” as Mr. Bruck points out, “that monitors, detects and even blocks sensitive information going out of the organization within a wide range of applications. We are also monitoring and/or controlling where users can store information off-site for many organizations.”
The key here seems to be that more monitoring is greatly needed in order to curtail this activity.
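The monitoring Mr. Bruck describes, detecting sensitive information as it leaves through mail, chat or uploads, is usually built on content inspection of outbound traffic. The following is an added example written for this article, not BAI Security's product or any code from the original page. It scans a constructed batch of outbound message records for two data types the article is concerned with, Social Security numbers and payment card numbers, and uses the Luhn checksum to keep plain digit strings from being mistaken for card numbers. The record layout, the regular expressions and the "block" action are all assumptions made for the example.

```python
import re

# Constructed sample of outbound messages (webmail, IM, file upload) standing
# in for what an egress monitor would see. Example data, not from the article.
OUTBOUND_RECORDS = [
    {"user": "jdoe", "channel": "webmail",
     "body": "Meeting moved to 3pm, see you there."},
    {"user": "asmith", "channel": "im",
     "body": "Customer SSN is 123-45-6789, please update the file."},
    {"user": "jdoe", "channel": "upload",
     "body": "Card 4111 1111 1111 1111 exp 12/09 for the dispute case"},
    {"user": "bchen", "channel": "webmail",
     "body": "Ref 4111111111111112 is just an internal order number"},
]

# Hypothetical detection patterns: a US SSN layout, and 13-16 digits that may
# be separated by spaces or dashes (candidate payment card numbers).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits):
    """Luhn checksum, used to separate real card numbers from digit noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(body):
    """Return the list of sensitive-data kinds found in one message body."""
    kinds = []
    if SSN_RE.search(body):
        kinds.append("ssn")
    for m in CARD_CANDIDATE_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            kinds.append("card")
            break
    return kinds


def scan_outbound(records):
    """Flag records carrying sensitive data; a real policy would block or alert."""
    findings = []
    for rec in records:
        for kind in classify(rec["body"]):
            findings.append({"user": rec["user"], "channel": rec["channel"],
                             "kind": kind, "action": "block"})
    return findings


if __name__ == "__main__":
    for finding in scan_outbound(OUTBOUND_RECORDS):
        print(finding)
```

Run against the sample records, only the SSN message and the Luhn-valid card number are flagged; the order-number line that merely looks like a card number passes, which is the false-positive control that makes such monitoring tolerable in production.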
4) Identity Theft
It’s the fastest growing crime in America, with 27.3 million victims in the past five years and nearly 20 million in the past two years alone. The entire industry must answer how they are protecting customer information. Institutions need better mechanisms to verify new account openings, especially in the online environment.
Institutions also need to work closely with local law enforcement to fight identity thieves. Further cooperation between public and private sectors "is the only way that we, as a society, can fight identity theft," says Identity Theft Assistance Center's President Anne Wallace.
Wallace notes there have been positive steps:
· Recommendations by the White House Task Force on Identity Theft;
· Growth of state and regional task forces devoted to identity theft;
· Initiative by Bank of America and the International Association of Police Chiefs to provide new tools for local law enforcement;
· Institutions also have been urged by regulators and the ID Theft task force to reduce the use of social security numbers as identifiers for customer accounts.
For 2008, institutions can expect to see a continued increase in identity thefts through financial fraud. Individuals will see personal information leaked over the Internet through blogs and personal web sites. Personal identifying information will be posted, traded and sold over the Internet, instant messaging, Internet Relay Chat (IRC) and other electronic platforms, as well as social networking sites.
5) Data Breaches Caused by Human Error
"We have met the enemy and he is us," was the statement made by the comic strip character Pogo near the end of the Vietnam War. The unaware employee, consultant, contractor or third-party service provider staffer is an institution's worst enemy.
To avoid becoming the industry's version of a TJX-level data breach, institutions need to develop corporate policies that protect the organization from employees' electronic behavior occurring outside the corporate perimeter.
Away from the protected network, users are more vulnerable and less secure. Human error can lead to leaking sensitive information on blogs, instant messenger, through chat rooms and texting. Inadvertent human error is a constant and will continue to contribute to lost laptops, PDAs and other sensitive equipment.
Dennis Gorges, Corporate Compliance Officer at industry service provider Jack Henry, sees the human cause of data breaches broken down into three types:
· Intentional (malicious);
· Unintentional (they should know better);
· Accidental (lost tapes).
Financial institutions need to develop robust incident response and privacy breach management programs, and need to include all levels of the enterprise in the planning and testing, so that when a breach occurs, everyone knows what to do.
FDIC's Barr also cautions that institutions should ensure they are in compliance with other government agencies' requirements (GSA and OEM have certain data breach requirements). "Institutions should be looking at those to make sure they are in compliance if they did experience some sort of a breach," Barr says.
6) Business Continuity – Pandemic Planning
For the past three years, financial institutions have heard the buzz about the possibility of a pandemic. In 2007, institutions saw more action by the Department of Homeland Security, federal banking regulators and the industry organizations charged with planning the industry's preparation for a pandemic. The Fall 2007 industry-wide pandemic test showed that institutions are readying their staff and operations for a pandemic. The bad news is that not enough has been done, according to the self-assessment survey conducted after the three-week event.
The second set of FFIEC guidance on pandemic planning was released at the end of 2007, and institutions can expect that their regulators will ask about their pandemic plan and will want to see it as part of an overall BCP/DR plan for the institution. Roger Blake, Senior Information Systems Officer at the NCUA's Division of Supervision, says that from an IT perspective regulators will start the year with an enhanced focus on BCP and pandemic planning.
Elements to include in your institution's pandemic plan include a preventive program to reduce the pandemic's impact on operations; a comprehensive framework of facilities, systems and procedures to continue critical operations if large numbers of staff are unavailable for extended periods; testing of the plan and oversight to ensure timely updates; and ongoing review of the institution's pandemic plan.
7) PCI Compliance; Debit Card Fraud Protection
Complying with the 'digital dozen,' or the Payment Card Industry's 12 requirements for data protection, is a challenge for most financial institutions. But the price of not complying with PCI is costly -- just ask the TJX Companies, which settled the first of several court cases that may cost the global retailer upward of $500 million. Compliance with the PCI Data Security Standards means that your institution is better prepared to protect not only credit card data, but the rest of your institution's information.
With losses mounting into the billions (Gartner reported $2.75 billion lost to debit card fraud in 2005), securing your customers' cash needs technology solutions. One example is the Bank of America offer to notify a customer when a transaction has taken place, or alert them to any suspicious charges or changes to their account via email as soon as they occur.
8) Employee and Customer Awareness Training
It's something everyone intends to do - better educate their employees and customers about the security threats that are facing institutions and customers. Now with the ID Theft Red Flags, it's also been pushed to the top of the compliance list. Institutions by Nov. 1 must have a written program showing how they are educating their employees and customers about identity theft.
American Bankers Association's Doug Johnson, senior policy advisor for the largest industry association, lists this as one of the top risk management issues for 2008. "Increasing your institution's security awareness pays off in several ways -- employees learn how to protect the data they're working with, and their awareness reduces the threat of the insider threat (either malicious or unintentional)," says Johnson. Many times the malicious insider can be stopped if the people working with them are trained and are aware of the red flags that show the work habits and behaviors of a malicious insider. Do your employees know what to look for, what indicators there are that an insider is doing something on your networks or to your institution's data?
Bentz at Sandy Spring Bank plans to enhance the security awareness program for clients and employees. "It is an ongoing effort to educate employees and clients on risk and protection," he says.
9) Criminal Attacks
With the increased number of online attacks against financial institutions in 2007, including more sophisticated phishing and other types of criminal attacks aimed at both institutions and their customers, the coming year looks to be more of the same.
In January 2007, Internet criminals hit users worldwide with the Storm botnet. Because of such types of attacks, security analysts predict online banking services need to be better secured. One example of this from late 2007 is the case of an unnamed bank in the Midwest that hired a firm to perform a penetration test against its online banking site. The penetration testers took only five minutes to crack into the site with a fairly well-known type of SQL injection attack.
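The flaw class behind the five-minute result above is a query that is built by pasting user input into SQL text. The following added example, written for this article and not taken from the page or from the bank's or the testers' code, shows a hypothetical online-banking login lookup in that weak form beside the parameterized form that removes the flaw, using Python's sqlite3 module and a constructed in-memory customer table. The table layout, the column names and the sample credentials are assumptions for the example.

```python
import sqlite3


def build_customer_db():
    """Constructed sample data: an in-memory table standing in for an online
    banking customer store. Example data, not from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, pin TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [("alice", "1234", 500), ("bob", "9876", 1250)])
    return conn


def login_vulnerable(conn, username, pin):
    """Hypothetical weak login: user input is pasted into the SQL text, so the
    input can change the statement's meaning. This is the class of defect the
    article's penetration test exploited; it is shown only to contrast with the
    hardened form below."""
    query = ("SELECT username FROM customers WHERE username = '" + username
             + "' AND pin = '" + pin + "'")
    return [row[0] for row in conn.execute(query).fetchall()]


def login_hardened(conn, username, pin):
    """Same lookup with bound parameters: the driver sends the values
    separately from the SQL text, so input can never alter the query."""
    rows = conn.execute(
        "SELECT username FROM customers WHERE username = ? AND pin = ?",
        (username, pin)).fetchall()
    return [row[0] for row in rows]


def compare_logins(username, pin):
    """Run the same credentials through both forms; returns (weak, hardened)."""
    conn = build_customer_db()
    return login_vulnerable(conn, username, pin), login_hardened(conn, username, pin)


if __name__ == "__main__":
    # Normal credentials: both forms agree.
    print(compare_logins("alice", "1234"))
    # A username that closes the quote and comments out the PIN check: the
    # weak form returns a match without a valid PIN, the hardened form does not.
    print(compare_logins("alice' --", "not-the-pin"))
```

The defender's takeaway is that the fix is not input filtering but separating code from data: with bound parameters the crafted username is compared as a literal string and matches nothing, and the same applies to every other database driver that supports placeholders.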
"We're going to see the usual list of suspects in 2008, in the fraud space particularly, with the evolving nature of fraud, phishing continues to evolve," says Aite's Weber. "Financial institutions are certainly instituting measures to stop phishing; it's difficult to rein in those customers who are perhaps still prone to phishing or pharming and are still giving out their personal information."
On the horizon also looms a new type of sophisticated Trojan, says FDIC's Barr. "There are some newer 'banker' Trojans that can really attack systems. And they're difficult to track and identify. So institutions should come up with some sort of a game plan to protect their systems."
In addition to traditional phishing attacks, institutions also need to prepare for malware-based attacks. This type of attack distributes malicious content to unsuspecting users through Web site visits and nefarious downloads.
Institutions are also cautioned to protect their high-end customers and their senior officers from individually targeted attacks. With so much available data on the Internet, CEOs and other individuals put themselves at risk for cyber and physical threats by protesters, activists and political groups. The Internet has made it easier to access information about individuals, making them more accessible targets.
10) Managing Third-Party Risk
The FDIC sees vendor management as a trend important enough to include in its updated IT Risk Management Program Examination Procedures questionnaire in December 2007. Other banking industry regulators are also expected to look more closely at how their regulated institutions are managing their third-party service providers, and how strenuously they are examining the vendor's information security program and data protection strategies.
Responding to known and new security risks posed by using third parties is key, says Aite analyst Weber. Knowing what your outsourcers are handling, and being aware of how they are protecting the data in their care, is paramount to security, she notes.
For institutions that have slogged through innumerable questionnaires and onsite audit requests to vet their third-party service providers, the pilot of the Financial Institution Shared Assessments Program (FISAP), a shared assessment program by several of the largest financial institutions under the aegis of the Financial Services Roundtable and BITs.org, offers hope. The FISAP, once fully operational, will reduce the need for individual assessments of service providers, enhance members' internal risk analysis processes, and allow financial institutions to align service provider testing with industry regulations.