Confidentiality is king when it comes to private banking and wealth management. Increasingly, banks and asset managers are using the Internet to provide personalised online services to their premium clients. But the past decade has shown that there is a dark side to the Internet; just as it makes finding information and doing business easier, it also makes it easier for the unscrupulous to access confidential information.
The DTI information security breaches survey (www.security-survey.gov.uk) provides a good insight into the security risks that UK businesses are facing and how they are controlling them. The survey takes place every two years and the most recent survey results were released in April this year.
Overall, the survey results show that UK companies give a high priority to information security and are investing more than ever in their security controls (roughly 4-5 per cent of their IT budget on average).
This investment appears to be paying off, with fewer companies reporting security breaches than two years ago. Large companies, who tend to have invested more in their security defences for longer, are reaping the rewards, with the total cost of security breaches to them falling by 50 per cent over the last two years.
However, there is no cause for complacency. The cost to small businesses is rising rapidly, with the overall cost of security breaches in the UK up by 50 per cent over the last two years to a total of roughly £10 billion per annum.
The DTI survey covers all sizes of companies across all sectors and regions. From a private banking perspective, the results for financial services companies are particularly interesting. Out of the thousand companies in the survey as a whole, 88 respondents were from financial services ranging from very small companies (typically brokers) all the way up to very large multi-nationals.
Received wisdom is that the financial services sector is the most security-conscious of all sectors, because it is targeted most by criminals. Willie Sutton, the prolific US bank robber, is alleged, when asked why he robbed banks, to have responded “because that’s where the money is”. Willie Sutton used disguises and guns in his robberies, but banks have been the target of computer fraud right from the start.
In 1978, Stanley Mark Rifkin exploited lax security at the bank at which he worked to con staff into transferring $10.2 million of customer funds to his personal Swiss bank account; in the process, he became the first computer robber.
In 1994, Vladimir Levin led a Russian hacker group that carried out the first publicly revealed international bank robbery over a network; he used a laptop computer to dial into the Citibank network, obtained a list of customer codes and passwords and then over a period of weeks transferred $3.7 million to accounts his group controlled around the world.
So, given all of this history, how secure are financial services companies today? Let’s start with the good news. Senior management at financial services companies gives a higher priority to information security than any other sector. Seventy-two per cent believe it is a very high priority to their board and a further 22 per cent say it is a high priority. Only 1 per cent say it is a low priority.
As a result, the average expenditure on information security for a financial services company is roughly 6 per cent of IT budget, the highest of any sector. What’s more, expenditure on information security is increasing faster in financial services than in any other sector. Sixty-one per cent report an increase and no one is reducing their security expenditure. Given this, it isn’t a surprise that financial services companies are the most confident sector about their security controls.
What about confidentiality? The survey results show that 84 per cent of financial services companies say they have highly confidential data, the biggest figure for any sector. Financial services companies are particularly concerned about protecting customer data. Eighty-nine per cent say this is a very important driver of their information security expenditure, and a further 9 per cent say it is important.
Compliance with laws and regulations is also particularly important in financial services, with 76 per cent rating compliance as a very important driver for their security plans. All of this has driven financial services companies to be among the best when it comes to adherence with the Data Protection Act. Eighty-nine per cent have documented procedures to ensure compliance. As a result, no financial services respondents reported any data protection breaches, making them the best sector in this area.
Of course, information remains confidential only if the access controls around it are strong. Here, the picture is less rosy. Financial services companies have a history of legacy systems and mergers and acquisitions. As a result, the average user in a financial services company tends to need more user IDs than a user in other sectors, roughly 4 on average.
This makes the administration of security roles within applications (such as the set-up of new joiners and removal of leavers) more difficult and time consuming in financial services, and potentially leaves confidential data open to abuse. It is perhaps surprising, therefore, that financial services companies are less likely to have implemented automated provisioning techniques than other sectors.
The last few years have seen a new form of attack on the Internet, where perpetrators create a web site that appears to be that of a legitimate organisation. They then lure that company’s customers to the site (e.g. through spam e-mail) and then gather confidential information provided by the customers.
These impersonation attacks, known as phishing, have been a particular issue for financial services companies, with roughly 5 per cent reporting that they had been targeted in this way. Some banks (such as Lloyds TSB) have started to roll out strong authentication techniques, so that users cannot easily be fooled into giving away their credentials. However, like other sectors, roughly four-fifths of financial services companies rely solely on user ID and password to authenticate users.
High net worth customers tend to be the first recipients of stronger authentication. For financial services, this tends to involve hardware tokens or smart cards rather than the software tokens that other sectors favour.
Surprisingly, the financial services sector has one of the lowest levels of awareness of the British Standard on information security management (BS 7799), with only 13 per cent of respondents aware of its contents. However, among those that are aware of the standard, financial services companies are most likely to have completely adopted the standard and to have significantly changed their security processes as a result. Ninety-one per cent of the adopters gained significant business benefits from the adoption, the most common being greater security awareness among staff.
Despite the lack of awareness of BS 7799, financial services companies are better than most sectors at adopting the good security management practices the standard recommends. Sixty-nine per cent have carried out a security risk assessment in the last year (compared with 44 per cent average across all sectors), and 61 per cent have a security policy (compared with 40 per cent average across all sectors).
However, this does leave roughly a third of financial services companies lacking basic security disciplines. Some of these appear to be significantly under-investing. Eleven per cent of financial services companies spend less than 1 per cent of their IT budget on information security. This includes some that rate information security as a high priority to their senior management.
Furthermore, despite their better general attitude to information security, financial services companies appear little better than other sectors when it comes to emerging technology risks.
Of the 39 per cent that allow staff to use Instant Messaging, a third have no controls over its use and most of the rest rely on an acceptable usage policy only. Financial services companies are one of the more advanced sectors in implementing Voice over IP telephony, with 40 per cent either having implemented it or planning to do so in the next year.
However, half of these have not evaluated the security risks associated with the technology. More than half of all financial services companies have taken no steps to prevent staff from using removable media devices (such as MP3 players or USB tokens) to copy and remove confidential data from their PCs. Most of the rest rely solely on telling staff not to use such devices.
Given the publicity that there has been about insecure wireless networks, it is perhaps not surprising that only a quarter of financial services companies use wireless networks. However, 30 per cent of these wireless networks do not encrypt their transmissions. Similarly, financial services companies are most likely to ban their staff from using public wireless hotspots, but least likely to encrypt any wireless connections their staff do make.
As the famous general Douglas MacArthur said, “There is no security on this earth; there is only opportunity.” In the wealth management space, the challenge is to grasp the opportunities posed by new technologies to provide clients with better service (and make more money) while keeping the associated risks within everyone’s risk appetite.
Making sure that your business draws on available guidance and makes informed risk assessments is critical to achieving this. Better service (and profits) is possible, but only if confidentiality remains king.
Full copies of the DTI survey reports can be downloaded from www.security-survey.gov.uk. Further guidance on security matters can be found on www.dti.gov.uk/industries/information_security and www.getsafeonline.org. For more information on some of the wider issues affecting the wealth management sector, such as differentiation, open architecture and management information, see the Global Private Banking/Wealth Management Survey on www.pwc.com/wealth.