Security relies on new technologies

Bob Tarzey: It is not just immediate data losses that have to be paid to customers

Many data leaks are due to the carelessness of third parties, rather than the banks themselves.
They are also caused by sloppy handling of credit card details by retailers, government departments that are cavalier in their handling of citizens’ data, or consumers falling victim to scams.

But what can the banks do to maintain customer confidence?
First they need to make sure that whatever dangers outsiders expose them to, they know who is doing what on their own systems.

This requires strict asset management and auditing of access to data and how it is used. But it also needs to go beyond this. Internal processes for handling data need to be clearly defined
and easy to follow. It is all too easy to blame a lowly employee for being naive enough to put an unencrypted disk in the post, but they were only trying to do their job and poor processes allowed them
to copy the data to the disk in the first place.

Accountability needs to be pushed upwards to those who define the processes.
It is not just banks’ employees who need better education, it is customers too. Customers like internet banking and the immediate access it gives them over their own financial affairs.

Nearly all customers are on the same side as the banks; they do not want to provide thieves with access to their accounts any more than the banks do, but many are still duped by seemingly obvious scams.

Much financial fraud is not down to direct access to individual accounts but is through fraudsters applying for loans, for example, by successfully passing themselves off as a respectable individual.
With a list of details including names, addresses, dates of birth and account details that the UK government at least, seems to make so readily available to anyone, this can be all too easy to do.

Here, banks can invest in technology that can spot when a PC is likely to be used for making fraudulent applications.

Vendors such as Iovation provide technology that spots anomalous activity, such as serial loan applications from a single device and maintains a library of known rogue devices.

Banks will never be able to completely curtail bad data management practices by outsiders, but ultimately it is the banks and the banks alone that have responsibility for who can access their systems and who they dish our money to.

If banks can demonstrate firstly that they are not themselves responsible for data leaks, that they share data with third parties securely and that when data is leaked their access controls and processes for handling potentially fraudulent applications are water tight, then they should be able to maintain customer confidence.

Not getting all this right can prove very expensive.
It is not just the immediate financial losses incurred through theft and the compensation that might have to be paid to customers.

It is the more serious long-term damage to brand reputation and the loss of customer confidence and loyalty that is likely to entail.

Quocirca’s report Banks and data leak prevention is available free of charge to all CRN readers. Visit: www.tinyurl.com/2rrxgv

Bob Tarzey is service director at Quocirca.