The poor state of security at many financial institutions continues to make headlines, with cases like the HSBC breach bringing embarrassing attention to an already beleaguered industry.
At the core of recent industry data breaches is a fragmented and feudal system of homegrown IT development that has evolved over the last 30 years – though not for the better. Financial institutions are still trying to do things their own way, while IT threats have evolved beyond these organizations’ ability to handle the onslaught from a technical and operational standpoint.
Unfortunately for all of us, most large financial institutions only understand traditional risks – bank robbers, tellers stealing money and customers committing fraud; essentially the same problems that have been present for more than 100 years. But when it comes to cyber security, identity management, and general IT operational weaknesses, the financial industry is mostly still clueless. These IT departments continue to do whatever they wish when it comes to security, irrespective of repeated data losses.
We run into financial companies all the time that refuse to implement sound IT security even after being compromised time and time again. Problems like using commonly known shared passwords, never changing sensitive passwords and allowing employees to have too much access for too long to sensitive data are the rule, rather than the exception.
Securing Financial Data
The solution is simple, but politically and institutionally unacceptable: hire a CSO with enough experience and power to work with the auditors to actually secure their environments and processes. CSOs at these organizations have to stop ignoring poor IT security, obsolete technology and underinvestment in modern identity management and privileged identity management.
Knowing what I know about many of the large financial institutions and how they handle their privileged identities (they ignore the problem), I would never bank or process credit card transactions through them.
Would you like to know the security philosophy we see at many financial IT shops? “Use strong security against the customer, ignore internal threats, and if an internal threat does get discovered (usually by accident), fire the perpetrator and contact law enforcement.” When presented with a proposal to remove the internal threat, it is generally rejected as being too much trouble.
So, stories like the HSBC breach will continue until a new generation of CSOs comes into the industry with the mandate and budget to solve the internal threat problem using strong identity and privileged identity management systems. Until then, it will be business as usual, and the press will have plenty more attention-grabbing headlines about data breaches at major banking institutions.