Are Internal Data Breaches Biggest Threat for Financial Firms?
Thursday, 18 June 2009

By Michael Eggebrecht

Financial firms have relatively strong perimeter defenses against viruses and malware, according to a survey of information security vendors. Now, the financial sector needs to focus its attention on internal data loss.

"Internally controlling and recording access to sensitive information is becoming mission-critical," said Nick Holland, senior analyst at research firm Aite Group, in a statement. Holland spoke with about two-dozen vendor employees, more than half of whom pointed to internal data breaches--both malicious and accidental--as financial firms’ biggest vulnerability.

The report cautions that data-loss prevention (DLP) software may be an "under-marketed area" that technology providers are hyping. However, it adds, "few of the vendors interviewed had DLP solutions and [they] were not product pitching. Instead, there seems to be a legitimate concern that data access privileges are out of control."

Are the concerns consistent with those of financial institutions? External attacks are probably more of a priority, Holland told CIOZone, particularly in the wake of the data breach at Heartland Payment Systems. But, he said, "with employees literally given the keys to the safe, and with the current economic climate causing a culture of insecurity for employees, financial institutions are increasingly concerned about insider data leakages."

CIOs and chief information security officers have to balance data security with demands from the business for systems that are convenient and accessible. According to vendor respondents, DLP technology, which provides access controls and audit trails for employee activity, is an area in which firms are willing to invest, even in the current environment.

"We have found that the case has to be well made and ideally indexed to ROI," said Holland, "but where the technology is seen as mission-critical, procurement is made possible."

Still, 60 percent of survey participants said that obtaining resources is the biggest issue for CISOs. "Budgets are hard to justify internally when threats are hypothetical rather than real," says the report. "Making the case for resource allocation is a constant struggle, particularly in an economic environment in which budgets are increasingly scrutinized for excess fat."




Comments (6)
1. 06-18-2009 09:43
 
Great. Banks hawk services that guard against identity theft (Citi's Identity Monitor, for example, which costs $13 a month). Yet they are some of the biggest resellers of customer lists. And now we find out that banks are apparently wide open to data theft committed by their own employees. 
 
Fine business. Seems like banks are causing the malady, then hawking the remedy.
Registered
 
John Goff
2. 06-18-2009 11:40
 
"Internally controlling and recording access to sensitive information IS BECOMING mission-critical." 
 
That's incredibly reassuring. I briefly worked at a large financial institution a number of years ago. It was amazing how easy it was to view customer information for no reason whatsoever. Sounds like things haven't necessarily changed.
Registered
 
Matthew Quinn
3. 06-18-2009 11:52
 
I worry about social engineering attacks on this front as well. Imagine someone who goes dumpster diving and, armed with the right information, extracts sensitive financial information from authorized personnel at a bank. There needs to be a course of some kind financial employees have to attend to learn about all types of tactics used to extract data that can lead to financial gain for criminals.
Registered
 
Jay Rajani
4. 06-18-2009 12:16
 
I just save everyone the bother and post the last four digits of my social security number and my mother's maiden name on my Facebook page.
Registered
 
Matthew Quinn
5. 06-18-2009 12:32
 
I want to be like Todd Davis and take a billboard out and have my social security number on it!
Registered
 
Jay Rajani
6. 06-18-2009 14:58
 
This challenge is even greater for organizations that rely on independent affiliates to provide them an order flow (brokers/agents in real estate and insurance, merchants in credit card processing, etc.) given the different practices employed in each organization; many of the smaller independent affiliates do not have formal policies governing the handling of sensitive data at all. I think the deployment and adoption of PCI in the credit card processing industry is an interesting case study that highlights these challenges and the concessions that need to be made out of practicality of doing business.
Registered
 
Frederick B. Kauber


Copyright © 2007-2010 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.