Strategy + Business
In banking, as in other heavily regulated industries such as utilities and health care, keeping abreast of federal regulatory requirements is of paramount importance. To avoid an endless cycle of reacting to new regulations, banks [and business in other regulated industries] must anticipate the regulatory fallout from problems such as identify theft, and implement solutions that address existing and longer-term security issues. Leaders should consider decentralized security structures to enable a faster response to new rules. Making customers aware of new security measures is also vital and can help mitigate risk.

. . .

[...] Companies in heavily regulated industries, a group that includes pharmaceuticals, health care, and utilities, often act as though the regulations that besiege them are irritating trivialities. However, new requirements can offer companies an opportunity to escape the cycle. For instance, instead of maintaining an ad hoc approach to foiling invasions and complying with regulations, banks should craft an overall public-facing security strategy. Although it can be difficult to persuade senior management to invest in long-range plans, there’s no better time to do it than when they are in the shadow of an imminent regulatory deadline — especially one that is disrupting the entire organization as the company marshals its resources to deal with it.

For example, in aiming to go beyond regulatory compliance and achieve security excellence, banks can institute a mechanism for self-analysis and self-improvement that allows them to anticipate their future security needs. In doing so, they will meet their current burden of compliance, lessen the impact of any future regulatory guidance, reduce their risk exposure, and address customers’ concerns about the security of online banking.

[...] The second element is an effective organizational structure to manage the initiative. A common roadblock to implementing new security standards is a decentralized company, which can lead to inconsistent approaches to IT security across the enterprise, along with incomplete monitoring and accountability. However, piecemeal fixes will not work. Grafting a centralized security program onto a decentralized organization often results in the corporate equivalent of organ rejection.

How might banks address this issue? They can create a hybrid centralized–decentralized model, in which critical compliance activities and governance oversight are centrally managed, while less critical functions remain with the business units. Alternatively, banks can construct enforcement mechanisms that shift the burden of compliance to the heads of the business units, rather than keep it centralized at corporate headquarters. Regardless of the specific solution, banks can manage risk exposure and regulatory compliance in a uniform fashion only if they have the requisite organizational structures in place.

The final element of a robust risk-mitigation program, customer awareness, can be a key component of a company’s defense against fraud and identity theft. A well-educated bank customer can more easily spot phony come-ons, like phishing e-mails, and avoid being deceived. In fact, many banks are finding that educated consumers are their front line of defense in reporting phishing and other fraud attempts. One basic but effective measure is to advise customers to always type the bank’s Web address into their Internet browser rather than click on a link in an e-mail, because the e-mail may be fraudulent.

Furthermore, making customers aware of enhanced online security is a key differentiator in the marketplace. In a 2005 survey by Deutsche Bank Research, “security offering” was far and away the most important feature to prospective online banking customers, with 87 percent calling it their top priority. A well-publicized security program could prove a significant lure to new customers in the highly competitive banking environment.

Any highly regulated industry will face similar vicious cycles of its own and should be thinking about approaches for leaping ahead of regulatory requirements. The common thread is that simply responding to regulatory guidance will never be enough. Anticipatory thinking is the only way to avoid being caught in the middle of an endless series of provocation and regulation.

Labels: risk mitigation, security

(0) comments

SFGate.com based on an AP feed

Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

The Homeland Security Department confirmed it was monitoring what it called 'anomalous' Internet traffic.

"There is no credible intelligence to suggest an imminent threat to the homeland or our computing systems at this time," the department said in a statement.

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center. "Maybe to show off or just be disruptive; it doesn't seem to be extortion or anything like that," Wessels said.

Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.

The attacks appeared to target UltraDNS, the company that operates servers managing traffic for Web sites ending in "org" and some other suffixes, experts said. Officials with NeuStar Inc., which owns UltraDNS, confirmed only that it had observed an unusual increase in traffic.

Among the targeted "root" servers that manage global Internet traffic were ones operated by the Defense Department and the Internet's primary oversight body.

"There was what appears to be some form of attack during the night hours here in California and into the morning," said John Crain, chief technical officer for the Internet Corporation for Assigned Names and Numbers. He said the attack was continuing and so was the hunt for its origin.

"I don't think anybody has the full picture," Crain said. "We're looking at the data."

Crain said Tuesday's attack was less serious than attacks against the same 13 "root" servers in October 2002 because technology innovations in recent years have increasingly distributed their workloads to other computers around the globe.

Labels: attack, hackers, root server

(0) comments