The UK Financial Services Authority (FSA) has published a report, Countering Financial Crime Risks in Information Security, outlining how financial firms are managing their information security in the fight against fraud and other financial crime.
The Risk Advisory Group (TRAG) says that the FSA's report confirms a number of weaknesses:
- The greatest threat to financial institutions remains their own staff
- Organised crime has moved on - it used to target bank employees. Now it sends in its own recruits to obtain confidential information
- Call centres with very high staff turnovers are vulnerable, as are major investment banks where uncontrolled support staff can leak price-sensitive information
- Financial institutions must get the basics right, from employee screening through to effective information security procedures.
According to Simon Owen, partner at Deloitte, the rising incidence of corporate impersonation - known as phishing - has increased pressure on financial institutions to raise consumer awareness of the risk, demonstrating that technical controls alone are insufficient to prevent financial crime.
He says: "Despite expending considerable effort to protect their information assets against attacks by outside hackers, most firms overlook the human element of financial crime. Basic computer access controls and effective monitoring of user activity can help prevent such crimes.
"All too often, firms invest in computer security as a knee-jerk reaction to loss. Firms need to assess the risks to their information assets and maintain preventative as well as reactive capability, to ensure their computer controls are capable of mitigating external and internal threats."
Owen maintains that many firms have outdated information security policies that do not reflect today's blended threats, leaving them vulnerable to fraud. Furthermore, even where reasonable policies exist, failure to deploy them effectively or to train staff in their use limits their value.
Thor Technologies, Inc, the secure enterprise provisioning company, believes that many of the problems highlighted by the FSA can be quickly and easily resolved using automated provisioning systems. Michael Burling, managing director EMEA of Thor Technologies, comments: "When financial organisations first started using IT, the main point of entry was the mainframe, and access was predominately a manual process. In the last two decades, however, the industry has seen many new technologies and systems introduced and, as organisations have grown, access to key solutions has become a time-consuming task."
Many financial institutions now have thousands of systems to manage, and administrators even more tasks to perform, including the resetting of passwords. Added to this is the pressure to grant new members of staff, including temporary workers, instant access to the systems they need to successfully fulfil their role, says Burling.
"With scant regard to security, the main focus of many financial institutions has been to grant access to employees quickly. Removing those rights when an employee leaves the company or moves to another role does not appear to be a top priority.
"However, it is in these two areas - an employee leaving a company, or changing roles - where security is threatened. The risk presented by a disgruntled ex-employee with access rights is great."
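The leaver and mover gap Burling describes can be made visible by reconciling the HR roster against live account entitlements. The script below is an added illustration, not code from Thor Technologies or the FSA report; the roster, role-to-entitlement map and account list are constructed sample data, and the role model is an assumption.

```python
# Constructed sample data (not from the article): HR view of each person.
HR_ROSTER = {
    "alice": {"status": "active", "role": "trader"},
    "bob":   {"status": "left",   "role": "support"},      # leaver
    "carol": {"status": "active", "role": "call_centre"},  # moved off the trading desk
}

# Assumed role model: the entitlements each role should hold.
ROLE_ENTITLEMENTS = {
    "trader":      {"trading_platform", "email"},
    "support":     {"ticketing", "email"},
    "call_centre": {"crm", "email"},
}

# Constructed snapshot of what the systems actually grant today.
ACCOUNTS = {
    "alice": {"trading_platform", "email"},
    "bob":   {"ticketing", "email"},                   # never deprovisioned
    "carol": {"crm", "email", "trading_platform"},     # kept old right after role change
    "dave":  {"email"},                                # no HR record at all
}


def reconcile(roster, role_map, accounts):
    """Return (user, finding, entitlements) for every account that should
    not exist or holds more than its current role allows."""
    findings = []
    for user, granted in accounts.items():
        record = roster.get(user)
        if record is None:
            # Account with no owner in HR: cannot be tied to a current employee.
            findings.append((user, "orphan", frozenset(granted)))
        elif record["status"] != "active":
            # Leaver still holding rights: the ex-employee case in the text.
            findings.append((user, "leaver", frozenset(granted)))
        else:
            # Mover: rights left over from a previous role.
            excess = granted - role_map[record["role"]]
            if excess:
                findings.append((user, "mover", frozenset(excess)))
    return sorted(findings)


if __name__ == "__main__":
    for user, kind, rights in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS):
        print(f"{kind:7} {user:6} {sorted(rights)}")
```

Run on a nightly export of the HR feed and the identity store, the output is the revocation worklist an automated provisioning system would act on.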