Meeting the E-Mail Security Challenge
As e-mail usage becomes a standard way of doing business in banking, security issues have become an increasingly complex matter. Financial services firms looking to minimize e-mail security risks need to put a plan into place.
- Samir Kapuria, Director of Strategic Solutions, @stake (Cambridge, Mass.)
- Paris Trudeau, Senior Product Marketing Manager, SurfControl (Scotts Valley, Calif.)
- Rebecca Eisner, Partner, Outsourcing and IT Practice, Mayer, Brown, Rowe & Maw (Chicago)
- Tanya Candia, Senior Vice President and Chief Strategist, Sigaba (San Mateo, Calif.)
BS&T: What are the biggest risks banks face in the area of e-mail security? What do they need to do to combat these problems?
Samir Kapuria, @stake: Many financial services firms are challenged in maintaining the three pillars of digital information security: confidentiality, integrity and availability.
The growing reliance on information communication technologies like e-mail or instant messaging results in a dynamic risk profile. These institutions have to manage an array of threats that could result in business impacts, including information leakage (confidentiality), phishing attacks (integrity) and denial-of-service exploits (availability), to mention a few.
Paris Trudeau, SurfControl: Federal regulations such as the Fair Credit Reporting Act (FCRA) and Sarbanes-Oxley have put financial institutions under increased pressure to secure confidential customer information or face legal liability issues and major fines for non-compliance. Banks must put appropriate Internet and e-mail acceptable use policies in place, invest in staff training, and implement security technologies to combat these issues. Content filtering technology is one of the technologies that can enable the intelligent management of customer data and prevent unauthorized or inadvertent disclosures. It can also protect banks from other e-mail content risks such as spam, viruses and productivity losses.
Rebecca Eisner, Mayer, Brown, Rowe & Maw: For inbound e-mails, the risk is largely a technical and security one. Financial institutions must have sufficient safeguards in place to protect their systems, to screen for viruses, to handle attachments, and other similar security measures. For outbound e-mail, the issues are largely ones of regulatory compliance. The new federal e-mail law, called the CAN-SPAM Act, impacts the way all businesses, including financial institutions, conduct their marketing and customer relationship programs via e-mail. In addition, regulated institutions such as banks can find themselves on the wrong side of the regulations due to inadvertent but well-meaning e-mail responses to customers.
Tanya Candia, Sigaba: It's hard to overstate the pressure banks face. Privacy is a huge concern, viruses vigorously attack our networks, and regulatory agencies keep ratcheting up compliance requirements. E-mail is now so ubiquitous that it's indispensable. If banks don't take the right steps it's easy for them to lose their most precious resource: customer trust. This is not just a compliance requirement; it's a business issue. And it's why companies should embrace technologies that don't just do one specific job, like Web portal or content-filtering tools, but suit a broader strategic purpose, like secure messaging. This guards against ID theft and other privacy abuses, intellectual property theft, fraud and spoofing cons, spam, viruses and more, for both e-mail and instant messaging.
BS&T: To what extent is e-mail-related compliance a matter of tools and technology and to what extent is it about policy, procedures and training?
Kapuria, @stake: In response to the growing adoption of digital information usage in the financial sector, technology security teams have an additional goal of enabling compliance with privacy regulations. The solutions banks employ to meet these growing requirements must be holistic and include facets of technology, policy, and training.
Technology products offer part of the solution, like antivirus; corporate policies armed with the methods of enforceability can deter employees from using technologies which may bypass corporate control, like Webmail; customer awareness programs can be a strong tool in preventing fraud attacks, which often target a bank's clients (e.g., phishing).
Trudeau, SurfControl: E-mail-related compliance and content security is about policy first and then about adopting the appropriate tools to support that policy. Financial institutions should consider implementing filtering technology that is flexible and customizable to support any policy. A financial organization must also be sure to develop security policies and technology that cover all aspects of the network, including the mobile workforce, instant messaging and Web use.
Candia, Sigaba: Many companies still make the mistake of thinking it is one or the other. Technology without policies can be ineffective; policies without the technology to back them up are usually a waste of time. It is critical for banks to implement technology solutions that serve a strategic purpose. But it's equally important to put in place adequate education and training, and institute policies that ensure compliance with ever-evolving regulations. E-mail is too fundamental to ignore, and not using it can be costly; consider how much mail (billing statements, marketing materials, etc.) every bank sends, as well as the costs and time associated with postal versus electronic delivery for these items alone.
BS&T: Are there any pending challenges (new regulations, looming viruses or other security breaches, greater use of instant messaging) that banks should plan for today?
Kapuria, @stake: An increasing number of financial service firms are pursuing offshore outsourcing initiatives to avail themselves of the cost benefits and growing capabilities overseas. These types of initiatives can change the risk profile of a company as information and control moves from corporate governance to third-party environments. Some important considerations when conducting diligence and acceptance of an offshore initiative must include digital security planning, infrastructure/application assessments and security management evaluation.
Trudeau, SurfControl: Today's increasingly sophisticated blended threats, like the recent MyDoom virus, introduce new transmission risks. That is why it is more important than ever before for financial institutions to increase network security measures. Filtering technology can help banks manage content risks like spam, viruses and instant messaging, as well as demonstrate an organization's attempt to comply with the latest federal regulations.
Eisner, Mayer, Brown, Rowe & Maw: One of the largest challenges, and most difficult to plan for, is the threat of terrorist activities that could cause physical or other damages to financial institution facilities, systems and data. Banks should ensure that they have robust disaster recovery plans. They should update and test those plans on a regular basis. On a different note, new communications technologies will present challenges and opportunities for banks and financial institutions. The next generation of banking customers, those currently in their teens, have embraced mobile text messaging and wireless communications. These channels will become an important part of servicing customers in the future.
Candia, Sigaba: It has proven to be quite a challenge to add security to existing technologies, such as IM; as a result, many banks haven't figured out what to do about it yet. In addition, we can't even imagine how privacy and security breaches might affect organizations and consumers in the years to come. Security threats are becoming ominous, increasing in number, type and sophistication so fast that developers of content, anti-spam and anti-virus tools simply can't keep up.
On the regulatory front, the Gramm-Leach-Bliley Act, SEC, NASD, Sarbanes-Oxley and Basel II can be confusing and are often amended, making compliance even more difficult. Secure messaging isn't the definitive answer, but in this environment, it's the best one.
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial services technology-centered ...