Internal policies the weak link in the online banking security chain

John Lauderdale, senior manager of global risk management at PricewaterhouseCoopers, talks about security issues.

Banks have always been about security - people putting their money in a trusted environment where it will be protected. These days security has expanded beyond the physical devices of time delay, locks and bulletproof glass to keep pace with banks' place at the forefront of technology. But according to John Lauderdale of PricewaterhouseCoopers, technology alone, no matter how complex the encryption of transactions, is not enough to guarantee the security of people's money and banks' reputations.

Q. What are some of the major issues that banks are dealing with in regard to security?

A. Well, there are worries over compromising of security, but the real concern is the legality of it. There are all sorts of legal issues relating to the Electronic Transaction Ordinance (ETO) here in Hong Kong, for example. Certain types of transactions would be considered legal if they're done using, say, digital signatures and certificates, and those are issued by a recognized certification authority. In some cases, it's less of a technical security issue and more of a legal security issue. Moving forward it's going to be the legal requirements that are pushing the issues.

Q. What about keeping up with the latest technology in the security area, such as encryption strengths?

A. My general view is that people often make too big a deal about encryption strength and the security of the communication channel. From a risk perspective, there's a much bigger risk that a bank's employees will compromise the security of the systems or launch an internal attack. Or there's a much bigger risk that a bank customer's computer will be compromised through the use of a Trojan Horse, or something else. In my view, those are the real risk issues. Someone wanting to get in would go for the easy things first - if I were to attempt it I would try talking someone out of their password or PIN or any number of other things before I even thought of trying to decrypt SSL - even 40 bit.

Another aspect that people tend to overlook is operational issues. That is, the redundancy built into a system - what happens when the system goes down.

Q. It's commonly accepted that 80% of all security breaches come from inside a company. But recent reports have claimed that the majority of successful security breaches now originate from outside the enterprise. What's your opinion on this?

A. Personally I'd be a bit sceptical about that. But generally, although companies are hesitant to report any kind of security breach, they're faster to report an external security breach than they would be an internal one.

While most companies are very keen to make sure their firewalls are secure, and generally the systems in the DMZ [derived from the military term 'demilitarized zone', where front ends and content servers are placed] and systems accessible to the internet, companies want to focus on those. The systems on their internal network they don't put nearly as much emphasis on.

Q. So what are the main key points you make when you go into a bank and find weak internal security in terms of infrastructure and company culture?

A. I guess the big things are more traditional, like having a security policy in place, and that policy would identify things such as roles and responsibilities. It needs to demonstrate senior management support, it needs to identify key areas that people need to focus on. In addition to that, there's the security awareness program to increase awareness of the policy and make sure the expectations for following security rules are known.

For external security, if a company has set up an e-commerce site for example, the issues there would be checking that the security of the site has been tested and reviewed. That's quite important. Making sure that, with the firewall, security features have indeed been enabled and if there's some kind of intrusion, a detection system making sure that the monitoring process is in place. Without any one of those you can't have an effective security program.

Q. Do you find that management in some places don't really want to get involved with security issues and would rather leave it all to the 'techie' people?

A. There are two ways to answer this. With banks' own internal systems I think things there have always been more lax than they should be and it continues to be that way. With regard to the work we've done reviewing companies' internet banking systems, in particular, we find that generally things there are pretty good, although there are always some policies missing and services running that shouldn't be. We come up with a lot of recommendations, but they're fairly minor. I would say that for the banks that are getting into e-commerce, in general, they are pretty keen to make sure that their systems are secure and there are two reasons for that. One is to do with management comfort level, because the management of the bank wants to know that indeed their systems are secure. The second is because they know they need to satisfy the requirements of the banking regulator.

Q. What is the most common minor recommendation that you make?

A. There are all sorts of policies that really should be developed, but often policy is put off until right at the very end. Banks know they need to satisfy particular regulatory requirements, so they're keen to get everything in place. Then they'd call in an independent third party, such as PricewaterhouseCoopers, to review the security of their systems and make recommendations on how that can be improved.

So when we conduct a review, we consider first of all whether the system as it's been implemented is in line with best practice. Secondly, we consider whether or not it's in line with the regulatory requirements.
