IT Security News and Opinion
Thursday May 23rd 2013
Auto Discovery Webinar

Where’s the Trust – Is Small Banking More Secure?

Add Bank of America to the list of large banks whose customers have fallen victim to insider threats.

As you’re probably already aware, last week the LA Times reported that a BofA employee leaked hundreds of customers’ confidential account information to scammers, resulting in more than $10 million in losses. A BofA spokesperson said “about 300” customer accounts were compromised in California and other Western states. And surprise – this recurring theft had been continuing for more than a year, according to the same article.

Here’s my perspective. As a developer of privileged identity management software we’ve found that large banks have too little interest in implementing the types of security upgrades that can help protect against these types of insider threats. This is the dirty secret of many large financial institutions: they have far too few controls to protect customers against malicious and negligent insiders. As one executive told me, “If an insider violates our security policy we’ll fire him.  That’s our control.” I suspect that those hundreds of BofA customers who are now piecing their finances back together after this breach are taking little solace in this.

The good news is that in smaller, more agile financial institutions such as credit unions we’ve seen a much faster adoption of security technology to minimize internal threats and provide real accountability.  So what’s deterring larger financial institutions form doing the same? I believe that it’s a combination of old systems, insular big-company cultures, and external compliance auditors with too little training and time. These factors have created an environment where there is little incentive to implement new security technologies and processes inside the largest banks.  These institutions’ top management might see data breaches as an acceptable risk, but for the customers whose finances have been compromised this boardroom calculus has got to hurt.

You may be surprised by how rare it is for insider breaches at large organizations to be publicly revealed, so perhaps BofA will now implement proper controls. Generally in these cases though, nothing changes until federal regulators start to ask bank officials how many times similar incidents have occurred in the past, why the problem has not been fixed and, most importantly, when they plan to fix it.

As I’ve already stated, the technology and controls currently exist to stop this problem, but until regulators step in and force large financial institutions to clean up their act, customers at large banks will continue to be victims of inadequate security.

Did security play a role in your choice of financial institution? Share your thoughts on the blog below. You can also follow us on Twitter: @liebsoft or connect with me via LinkedIn.

FacebookTwitterLinkedInDeliciousTechnorati FavoritesDiggBlogger PostGoogle ReaderShare
Post Published: 06 June 2011
Author: Philip Lieberman
Found in section: Finance, Latest IT News

Tags: , , ,

Previous Topic:
Next Topic:

Leave a Reply


− 2 = two

Follow Us

    Follow us on Twitter            Follow us on LinkedIn

  Visit our YouTube Page              Identity Week RSS Feed
Visit the Lieberman Software Website

Archives

Recent Comments

Tags

Administrator Password Application-to-Application Credentials Application Security Cloud Computing Cloud Security CSO cyber-attacks cyber attack Cyber Security data breach Data Breaches Datacenter Security Data Security default password disaster recovery enterprise security Governance Risk and Compliance hacktivism Identity Management insider threat Insider Threats Internet security IT Audit IT Auditing Compliance Reports IT Marketplace IT Outsourcing IT security IT Security Threats online privacy Password Security PCI-DSS Compliance privileged account credentials privileged account management privileged accounts Privileged Identities privileged identity management regulatory compliance RSA Securing Legacy Applications Security Management SIEM smart card smartphone security stolen credit card Stuxnet