There are many people who don't worry about reputations or bad publicity as long as their name is spelled correctly, but those people certainly don't work in the financial services industry. Reputation is a key component to a successful financial services business, so companies aren't likely to issue a press release when someone successfully attacks their network or Web site.
Several factors explain why companies fail to report such attacks, says Bill Barrett, partner and leader of the technology and security risk services practice for the New York financial services office of Ernst & Young. In the Global Information Security 2003 report conducted by E&Y, respondents assert negative publicity and damage to brand or reputation are the biggest reasons causing financial services companies to keep their mouths shut. "One of the biggest factors is concern over reputation and the impact to the trust that financial services and insurance companies deal with," says Barrett. "As a result, they are reluctant to let the public know about instances."
One day, he believes, companies will be forced to report such attacks. A California law states if there is a breach of confidentiality, the companies have to report that breach to the individual. "Organizations would like to keep much of this quiet, but I think there's going to be increased pressure certainly to notify customers or clients in the event something were to happen that would breach people's accounts," says Barrett.
Respondents to the survey are overwhelmingly in favor of separating security-assessment firms from vendors. Eighty-eight percent believe this is a best practice. "It's important to separate these and have some independence," says Barrett. "If you are using a product and a specific vendor to do your assessment work, the chances are you are going to get recommendations as to their product suite, as opposed to having a more independent assessment of what are truly the best products in the marketplace."
Many financial services companies are reluctant to spend money on independent assessments, despite the fact there is a growing need to have an independent assessment performed on various aspects of the company's environment relative to information security, says Barrett.
The survey rates the insurance industry on the low end of the scale when it comes to doing the best job of information security protection. Banking comes in on top at 44 percent, with financial next at 22 percent. Insurance yields a lowly two percent. Barrett believes one of the factors in this disparity is banks historically have had greater regulatory control than insurers. "I also think when insurance companies looked at the information and assets they were protecting, perhaps they didn't see quite as much risk as what a bank would see," says Barrett.
That is changing as insurers expand into other financial services areas. "There clearly is a need to get greater information security in place," he says.
Even for those that have made the investment, according to Barrett, spending money and spending it wisely are not always the same thing. "We need to get people into the information security space who are thinking like business people to identify the risk within an organization, prioritize those risks, and implement changes, whether it is in technology or processes," he says. "With some organizations it's not a matter of spending more money, it's more a matter of making sure they are prioritizing how they are spending that money in the different areas of security."

ROBERT REGIS HYLE
© Touchpoint Markets, All Rights Reserved.