The Internet is a vast, sophisticated data highway, moving enormous amounts of information every second. Yet security on that highway is, at best,suspect. Banks using the Internet are advised not to look to "the authorities" for help; instead, they must provide their own private security. Today, every business enterprise has opened its information systems up to the Internet to communicate and to conduct commerce. With this kind of "open door" for hackers and other Internet vandals, your financial institution must have a strategic security plan to safeguard its business-critical information.
Indeed, many companies have already been "hacked" through coordinated, disabling attacks on Web sites and intrusions into company computer systems. For example, in "denial of service" (DOS) attacks, Web sites were bombarded and temporarily disabled by an overwhelming number of information requests. Meanwhile, viruses such as the ILOVEYOU bug have caused major damage to corporate computer systems and paralyzed e-mail systems around the world.
While these Internet attacks have generated a lot of publicity, traditional "hacking," where an individual gains access to a company's files and applications, may be more dangerous for many small to mid-sized banks. For example, at one company a hacker broke into a server and deleted a large number of Excel spreadsheets being used as an audit trail for the company's QS9000 quality certification. While there was no disruption of service, the company had to spend months recreating audit trails from scratch. If this company had the information backed up properly, they could have retrieved it almost instantly. But like many companies, they never really tested their back-up processes and therefore paid a huge penalty.
Do you have a security strategy?
Every company should have an IS security strategy that includes complete information system documentation; a detailed plan for information storage; and a strategy to recover quickly from an attack. The key to recovery is having backed up copies of mission critical information.
It's not just hackers that can damage information systems. In another case, our company was contracted to analyze key computer systems at a major manufacturer. Just prior to our arrival, an on-site employee had removed a great deal of the supporting documentation we needed. We had to spend an enormous amount of time analyzing the systems environment and re-documenting the missing information.
A comprehensive security strategy begins with a thorough inventory of a company's key databases and operating programs. Such a strategy should recognize that security is not just an IT problem-it affects all parts of a banking organization. A systems and program inventory should be a collaborative effort involving every department.
While the documentation process can be handled internally, it may make more sense to hire an outside consultant to lead the effort. A good consultant has performed numerous security audits and knows what to look for. Also, the consultant can be an unbiased observer and won't take any systems for granted.
Once the discovery process is complete and the systems inventory is catalogued, it should be maintained in a spreadsheet or, preferably, in a dedicated database that is Web accessible. At this point, individual components must be evaluated for their level of security risk.
At this stage, banks should define their security policies. On example would be what to do in the case of a security breach, such as retrieving back-up tapes and re-starting the system. The company may want to set up a security "SWAT" team that goes into action following an attack.
After a thorough review, banks may need to upgrade their operating systems, firewalls, authentication products and encryption products.
Many businesses wait for a crisis to develop before upgrading security. But this "close the barn door after the horse is gone" approach to IS security won't work. Financial institutions must not only know what information they have, but where to find it when it turns up missing.
John Sheaffer is president of Oak Brook, Ill.-based Sysix Technologies, which provides rapid value IT business solutions. For more information, visit: www.sysix.com.
This guest column, a regular feature in Bank Systems & Technology, allows industry executives and experts to discuss a key bank technology topic. If you would like to contribute, please send requests by e-mail to Steven Marlin, BS&T executive editor, at [email protected]