Friday, April 24, 2009

RSA Conference 2009: Bank InfoSecurity Issues Its 2009 Survey Results -- Lessons Learned or Unlearned?

RSA Conference 2009, Friday, 4/24/09

Bank InfoSecurity conducts an annual survey. The respondents are largely senior management in the banks and credit unions. The results of this survey are always of interest, particularly this year.

In presenting the 2009 survey results for the first time, this morning, Tom Field, Editorial Director for the Information Security Media Group, which publishes Bank InfoSecurity, began by painting the grim backdrop --

Bear Stearns, Washington Mutual and Merrill Lynch are gone.

The Dow Jones average has dropped below 7K.

In 2007, there were only five financial institution failures in the US. In 2008, there were 40 in the US. But in 2009, as I write this in the first month of the second quarter, there have already been 27.

The Heartland case, on the heels of the TJX and Hannadford cases, has made an impression the collective psyche.

So has the Bernie Madoff case, perhaps the biggest fraud in history.

Yes, hard times have come, along with a new administration in Washington, D.C. (one inclined to refine and revive regulation).

So what does Bank InfoSecurity's survey indicate:

Here are a few of the important data points that Field touched on in his presentation:

Respondents are reporting reduced budgets, reduced staff and reduced resources. But they are also reporting increased attacks, insider risks and an increased need to outsource.

57% of respondent reported budgets being level-funded (i.e., "frozen)
26% reported the biggest impact of the economic conditions as reduced budget
19% reported increeased phishing
18% reported increased attacks

In other words, in the wake of what Field characterized as an "Economic Tsunami," I would suggest that the sharks shown up and cholera has broken out.

When asked what security concerns would likely to be the main focus in 2009:

28% said risks associated w/ third-party service providers
22% said mobile users devices
18% said insider fraud

It was also fascinating to hear the financial sector spin on the aftermath of Heartland.

According to Field, "institutions no longer willing to silently replace cards every time someone else’s system gets breached." He quoted one $275 million institution that had one thousand credit cards on the list, calling for all of the US financial institutions in this country to get together and say, "Not on our time, not on our dime."

What has been impact of Heartland-type data breaches?

29% reported financial impact
20% reported productivity loss

But when asked what their institutions intend to do to help prevent these breaches, the significant data points were curious to me --

34% said "educate customers"
29% said "join industry group"
20% said "lobby lawmakers"

From a security perspective, these three actions are not going to make a significant impact on risks issuing from third-party service providers. These actions look more like a public relations efforts, and a cover your rear effort.

In regard to the issue of vendor management, i.e., overseeing those third-party service providers, the numbers are also not reassuring:

When asked if they require that an independent third party assess your vendor’s security controls, only 36% said yes, and 15% said no, while another 38% said that they did so but only in regard to some vendors.

That is not good enough. That is the data point that should be moving upward fast.

But then again, those who know point their fingers at the third-party service providers that they have outsourced to are the same people who blew off security professionals who raise serious concerns about the blind drive toward outsourcing in the beginning.

The push back then was that security was not going to be compromised, and that there would be contractual safeguards in place. Yada yada yada.

But, of course, that is a little too much context in a sector that only hears what it wants to hear.

Looking forward, Field identified mobile banking as a key initiative being funded, and a critical one in the hunt for younger customers.

When asked if they will be offering mobile banking in 2009?
35% reported yes
5% reported maybe

It should be another interesting year, in more ways than one.

The full survey will be available from Bank Info Security soon, and I recommend it to you. Lots of food for thought

-- Richard Power