The poor state of security at many financial institutions continues to make headlines, with cases like the HSBC breach bringing embarrassing attention to an already beleaguered industry.
At the core of recent industry data breaches is a fragmented and feudal system of homegrown IT development that has evolved over the last 30 years – though not for the better. Financial institutions are still trying to do things their own way, while IT threats have evolved beyond these organizations’ ability to handle the onslaught from a technical and operational standpoint.
Unfortunately for all of us, most large financial institutions only understand traditional risks – bank robbers, tellers stealing money and customers committing fraud; essentially the same problems that have been present for more than 100 years. But when it comes to cyber security, identity management, and general IT operational weaknesses, the financial industry is mostly still clueless. These IT departments continue to do whatever they wish when it comes to security, irrespective of repeated data losses.
We run into financial companies all the time that refuse to implement sound IT security even after being compromised time and time again. Problems like using commonly known shared passwords, never changing sensitive passwords and allowing employees to have too much access for too long to sensitive data are the rule, rather than the exception.
Securing Financial Data
The solution is simple, but politically and institutionally unacceptable: hire a CSO with enough experience and power to work with the auditors to actually secure their environments and processes. CSOs at these organizations have to stop ignoring poor IT security, obsolete technology and underinvestment in modern identity management and privileged identity management.
Knowing what I know about many of the large financial institutions and how they handle their privileged identities (they ignore the problem), I would never bank or process credit card transactions through them.
Would you like to know the security philosophy we see at many financial IT shops? “Use strong security against the customer, ignore internal threats, and if an internal threat does get discovered (usually by accident), fire the perpetrator and contact law enforcement.” When presented with a proposal to remove the internal threat, it is generally rejected as being too much trouble.
So, stories like HSBC will continue until a new generation of CSOs come into the industry with the mandate and budget to solve the internal threat problem using strong identity and privileged identity management systems. Until then, it will be business as usual and the press will have plenty more attention-grabbing headlines about data breaches at major banking institutions.