Roving Trouble

According to a survey conducted by Fierce-Wireless-Bluefire Wireless Security this year, more than 80% of financial services respondents say their organization's use of handheld devices has increased over the past two years. Meanwhile, 87% say they are concerned about the security of e-mail access to corporate server-based accounts and of remote access to corporate networks, and 85% say that access to Web-based e-mail has become a significant security concern.

As to specific wireless security concerns, more than 60% say their top-ranked worries are viruses or attacks on the corporate network, and the security of data during transmission over wireless or cellular networks. Loss or theft of wireless devices ranked third, with about 50% of financial services executives indicating a concern, despite recent high-profile cases of lost laptops with sensitive customer data.

"A year ago, the chief security concerns revolved around the potential loss or theft of smart phones and wireless devices, but the results of the [survey] clearly paint a very different ... story," says Mark Komisky, CEO of Bluefire Security. "As enterprises increasingly are using wireless devices to create and transmit new data and to access the most sensitive information sitting on their corporate servers, the risks are much greater."

Analysts agree that the mobile device security challenge is a formidable one, and that many institutions have a long way to go.

Bob Egan, director of emerging technologies at TowerGroup, says that "in general, the industry is backward from where it needs to go. Throughout the financial services industry, executives are stepping back into the future, acting as if mobile device access is an extension to their existing remote access policies (e.g. working from a home office PC). But smart phones and PDAs offer significant new variables on a number of fronts," given their ubiquity, storage capacity and ability to tap the Web.

"It's a bit of a scary world," says Bill Clark, a research vice president at Gartner. "There's not much you have to do to take a PDA or smart phone for personal use and sync it up with a network. There are tens of millions of unprotected mobile devices out there."

Brian Mitchell, vice president of technology controls for the investment bank at JPMorgan, says that mobile devices pose two broad challenges. The first is that, by nature, the enterprise does not have physical control of the devices as with PCs, making it a challenge to check and update configurations and software. "In the field, anything can happen, through loss, theft or the employee making changes," he says.

The second challenge, Mitchell says, is the employee's relationship with the device. Even if the bank owns the device, employees tend to take a more personal ownership of their phone, PDA or laptop than their office PC, "and so they may choose to do things with the device that they wouldn't do with a desktop PC, such as downloading software [which can harbor viruses or malware]. Since it's not always connected to the network, our control over it is limited."

Given this, it's probably not surprising that about half of banks "have been hesitant to implement wireless support, given their conservative nature," says Jacob Jegher, a senior analyst with Celent.

Take for instance Julie McLacken, IT security officer at First American Bank/Alabama National, who says simply, "we haven't opened up that can of worms." And Kirk Drake, vice president of technology at NIH Federal Credit Union, says that the bank permits wireless access on-site to the Internet, but it does not allow wireless access to the corporate network. "I don't think the risk/reward is anything we'll want to mess with anytime soon," he says. "Wireless devices on the network just invite more regulatory scrutiny around security." Both FIs use PortAuthority to monitor wireline data-leak prevention.

But barring mobile access is untenable in the long term, says Jegher, who opines that "in a couple of years, banks won't have a choice; that'll be the trend over the next five years. You'll need a wireless policy in place. Eventually mobile-device security will catch up with you and you'll have to integrate it. It'll become part of your life." Komisky says a bank client with 250,000 employees has recently gone through this evolution, at first wanting to prevent any wireless access to the network. Now, however, it's opening its corporate e-mail to wireless devices.

Still, Drake's concern about drawing unwanted regulatory scrutiny is well taken. Richard Gibbons, a former SEC/NYSE regulator now with QUMAS, a compliance-solution vendor, says the SEC is clearly watching wireless communications in the financial services industry intently, on guard that institutions do not permit the kind of loose information and disinformation that would have a deleterious impact on the integrity of the industry and the welfare of investors.

Adds Gibbons, "It's a daunting task and a big issue for financial institutions," particularly in material misstatements and omissions of facts when dealing with retail customers. "You can't be with employees all the time, so you have to train them and hope they do the right thing all the time," he says.

The task is complicated by the SEC disinclination to get too specific when it comes to framing misbehavior and solutions. "Regulators do tend to be less than forthcoming," says Gibbons. "We used to have a saying, 'The more you endorse, the less you can enforce.' But it behooves you to have rigorous policies and procedures in place, since regulators will cite control weaknesses with the same vehemence as actual violations."

In other words the security around mobile devices is not just a competitive issue - i.e., not wanting to lose data to competitors, malicious insiders or hackers; it's also a compliance issue, since mobile devices constitute a communication between financial institutions and their partners and customers. Despite the significance of the problem, analysts also say it's not surprising that many IT groups are just getting around to addressing it. "With all the compliance issues and investment IT has made in having a customer view, they haven't really approached the problem of the laptop, except to say, 'I'm going to encrypt it,'" says Egan.

POSSIBLE SOLUTIONS

So what are some of the possible solutions? And what's wrong with simply encrypting data on laptops? As Adrian Lane, CTO of IPLocks, a database security vendor, puts it: "The number of ways for information to leave an organization is mind-boggling; there's almost no way to combat it. But the data has no value if it can't be accessed."

There's no question that encryption can be a good way to protect data, but it can make it very difficult for authorized users to work with the data quickly and efficiently. The main problem, analysts say, is that encryption relies on the user having a keycard at the ready, which can be lost, and encryption can make it awkward and time-consuming to access discrete pieces of data in a very large database. For instance, a mobile worker in a bank's investment arm might need just three or four data points on a particular company to execute a trade in a hurry. The need to download and decrypt a large database would slow down the process and could result in lost business.

Banks that are committed to mobile access for their workers are turning to virtual private networks (VPNs) that encrypt the whole session. While there are split and non-split VPNs, most banks, including JPMorgan, choose non-split VPNs to prevent an open channel between the corporate network and the wider Internet. What's more, VPNs can scan the device for trouble each time it hooks to the VPN, in case the employee has downloaded malware from the Internet. "The moment someone connects to the VPN we can scan for spyware," says Mitchell. "We can automatically do a push to the devices, and disable the VPN if we need to. Our VPN does not allow general connectivity to the Internet when connected to the corporate network [i.e. no split tunnel configuration]. So even if someone is connected from a public WiFi, the connection is protected through host-based firewalls and the VPN tunnel."

With all these measures (hard disk encryption, host-based firewalls, spyware and virus detection and protection, no split-tunnel VPNs), "We have done everything to reduce and all but eliminate the risk of inappropriate data disclosure," he says. "But nothing is 100%. The key thing would be to have better security out of the box, so we don't always have to issue patches. That would be nirvana."

As important as encryption and VPNs are, analysts argue that many financial institutions still need a new mindset on mobile security. According to Egan, financial institutions have three main challenges: realizing that old policies and technologies on remote access to the network are not sufficient for mobile devices; understanding that the mobility of data (data in motion vs. data at rest) means the perimeter is no longer the device, but the data itself; and putting procedures in place that inspect and protect institutional data.

Institutions should be thinking less about locks and keys and more about information mobility when devising these procedures, Egan says. "Bigger and better locks seem to energize bigger and better lock pickers."

Instead, he says, institutions should be thinking in terms of: Where is the data, who should have it and for how long?

For example, a bank might grant access to certain customer accounts for a specific amount of time. Or it might have procedures that respond when a teller, who usually accesses five or six accounts a day, suddenly accesses 100.
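The teller scenario above is a simple volume-anomaly check over access logs. The script below is an added example (not from the article or any vendor named in it): it counts the distinct accounts each user touches per day, takes the median of prior days as that user's baseline, and flags a day whose count exceeds a multiple of the baseline. The log format, usernames, account identifiers and thresholds are constructed assumptions.

```python
"""Flag a user whose daily distinct-account access count jumps far above baseline.

Constructed log line format (assumption): "<YYYY-MM-DD> <user> <account_id> <action>".
"""
from collections import defaultdict
from statistics import median


def build_sample_log() -> list[str]:
    """Constructed sample: five normal days (5-6 accounts), then a 100-account day."""
    lines = []
    for day in range(1, 6):
        for n in range(5 + day % 2):
            lines.append(f"2006-09-0{day} teller01 ACCT-{day * 100 + n:04d} view")
    for n in range(100):
        lines.append(f"2006-09-06 teller01 ACCT-{9000 + n:04d} view")
    # A second user with one day of history: too little data to judge, so never flagged.
    lines.append("2006-09-06 teller02 ACCT-0001 view")
    return lines


def distinct_accounts_per_day(lines: list[str]) -> dict[str, dict[str, int]]:
    """Return {user: {date: number of distinct accounts accessed that day}}."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        date, user, account = parts[:3]
        seen[(user, date)].add(account)  # repeat views of one account count once
    per_user: dict[str, dict[str, int]] = defaultdict(dict)
    for (user, date), accounts in seen.items():
        per_user[user][date] = len(accounts)
    return per_user


def flag_anomalies(per_user, factor: float = 3.0, min_history: int = 3):
    """Return (user, date, count, baseline) for days exceeding factor * median of prior days.

    Only days that appear in the log form the history, so days with zero access
    are not part of the baseline; min_history prevents alerts on new users.
    """
    alerts = []
    for user, days in per_user.items():
        history: list[int] = []
        for date in sorted(days):  # ISO dates sort chronologically as strings
            count = days[date]
            if len(history) >= min_history:
                baseline = median(history)
                if count > factor * baseline:
                    alerts.append((user, date, count, baseline))
            history.append(count)
    return alerts


if __name__ == "__main__":
    for user, date, count, baseline in flag_anomalies(distinct_accounts_per_day(build_sample_log())):
        print(f"ALERT {user} {date}: {count} accounts vs baseline {baseline}")
```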

The problem with such holistic mobile device security solutions espoused by Egan and others is they require a clear view of all employees and their mobile devices, as well as where the network can be accessed. Most institutions simply do not have that level of organization. Analysts say that a safeguard as basic as turning off unused USB ports so that they are not surreptitiously accessed is beyond the capabilities of most organizations.

It's these rogue access points, and the fact that companies are not aware of all of them and cannot detect them, that is the big problem, says Johannes Ullrich, CTO for the Internet Storm Center, which is affiliated with SANS. Besides turning off unused USB ports and network jacks where possible, another strategy is installing wireless sniffers to see if someone is infiltrating the network. The trouble with this technology, particularly in high-density office buildings, is distinguishing between different companies' networks.

Even if a financial institution goes as far as to choose a mobile-security software solution and mandate that it be present on a mobile device to dock with a laptop or touch the corporate network, there are so many different kinds of mobile devices that it's difficult to track which employee has what. Yet to create a foolproof system a company would need to account for each device.

"The biggest challenge for banks is each system (a laptop, BlackBerry, etc.) is different," says Murray Mazer, co-founder of Lumigent, a database security vendor.

Adding yet another challenge for even the best-organized financial institutions is the sheer volume of mobile access to track and change as people change jobs, not to mention the cost. Lumigent, which says it works with three of the country's five top commercial banks, says that one of those banks manages 30,000 account changes per year at an average cost of $200 to $300 to reset each account. That's $6 million to $9 million per year. "Some of our clients say they are six months behind," says Mazer. It's no wonder, he says, that "managing user access for transitional users is one of the top IT weaknesses that people are being written up for by auditors and regulators."

This article originally was published in Bank Technology News, a SourceMedia publication. The article has been edited for INN.

Lost Laptop = Exposed Insurance Data

A costly, headline-making breach of customer data can begin with the seemingly inconsequential act of misplacing a company smart phone, personal digital assistant or laptop computer.

In fact, insurance carriers say thieves now appear more likely to commit identity theft with information gleaned from lost or purloined mobile electronic devices than by hacking into a company's wireless networking system. That opinion may not jibe with the survey of financial institutions reported on page 6 of this issue of INN but does indicate deep concern about loss or theft.

All it takes is a moment of human frailty, warns Tom Miele, CISSP, director of information security, Penn National Insurance Co., Harrisburg, Pa.

"An executive can be in an airport, set down a hand-held for a minute and somebody can grab it," Miele says.

Even cautious users of mobile devices can fall victim to thievery, notes Jack Gold, president of J.Gold Associates, a Northborough, Mass.-based consultant and analyst.

"What happens if I'm an adjuster and I stop at Denny's for lunch and somebody breaks into my car and steals my laptop?" Gold asks rhetorically.

The problem has proved worrisome enough that senior executives at a recent meeting cited loss of mobile devices as a key issue, according to Cindy Saccocia, a research director for TowerGroup, a Needham, Mass., consulting and research firm.

In fact, about 40% of data breaches begin with the theft or loss of a notebook computer, says John Livingston, CEO of Absolute Software, a provider of laptop theft-tracking software that's based in Vancouver, British Columbia, and has U.S. headquarters in Seattle. Others in the insurance business place the percentage higher but did not give an exact figure.

Citing estimates from a number of sources, Livingston says between 600,000 and 2 million computers go missing annually in the United States.

Many of those laptops, as well as other missing devices, hold thousands of names and addresses with accompanying social security numbers, health records and other personal information that criminals could use fraudulently, Saccocia notes.

"You could have phone numbers in voice mobile phones, client information on your handheld (because you're doing contact information) and then on your laptop you could have pertinent client information if you're an adjuster or an agent or somebody in the field," she says.

If the thief succeeds in retrieving customer data from the stolen device, the insurer faces the specter of widespread abuse. Even if the would-be fraudster doesn't manage to steal the information, rules in some states (see "Regulatory Requirements May Change in Data Breach Reporting," p. 14) require the insurer to notify possible victims-a process experts say can prove costly.

Gold cites the example of a security breach at a major insurance company that compromised the information of 200,000 customers. Notifying the victims cost about $35 each, he says, because the company had to determine who should receive notification, formulate a notification letter, print the document, send it by Federal Express and monitor the whole process. Gold notes that the total cost of notification came to $7 million.

Regulations also can compel companies that lose data to pay for a year's credit monitoring for each customer involved, says Gold. Then there's the defection of customers and erosion of good will, he notes.

To guard against those repercussions, Penn National encrypts information and requires users to wade through five rounds of authentication, Miele says. He characterizes a thief's chances of breaking through those security measures as "one in about 25 million years."

Just the same, the company paid extra for hand-held devices with a feature that allows management to send a signal that instantaneously kills all the data on a machine that's been reported missing. The task then becomes to persuade users to call immediately if a machine goes missing, says Miele.

Penn National plans to deploy the "kill" capability to tablets and laptops soon, Miele says.

The "kill" feature can come as part of a suite of mobile security software that headquarters can use to monitor and back up all of a company's far-flung computers, says Gold.

That sort of protection and insight into how the computers are used can set a company back by $100 to $150 per remote machine, a cost Gold says he considers modest in view of the possible consequences.

Still, only about 10% of all companies have taken the step, he estimates, because of cost, inertia or concentration on matters that seem more immediate.

Absolute Software got its start 12 years ago by putting sticky software on the hard drives of customers' computers. Today, computer suppliers ship their wares with the capability already on the machine and ready for Absolute to activate. The software tracks data on the computers and can also wipe them clean of information.

Moreover, the software is programmed to act as a homing beacon, signaling the machine's whereabouts to a data center, says Absolute's Livingston. An Absolute team of 12 former law enforcement officials then swings into action with local police and the appropriate judges to get search warrants, secure subpoenas, retrieve the laptop and bring the thief to justice. The company claims to have recovered about 1,000 laptops last year.

The best line of defense, however, is convincing employees to look after company-issued mobile devices, says Saccocia of TowerGroup. Users need to refrain from leaving a BlackBerry on the seat of a cab or walking away from a laptop they were using in the departure lounge, she says.

When it comes to preventing that sort of carelessness, the IT staff can find itself powerless. "They cannot put controls in for common sense," notes Saccocia.

Chronology of Data Breaches

DATE MADE PUBLIC: Late Dec.

NAME(Location): Ameriprise

TYPE OF BREACH: Stolen laptop containing names and Social Security numbers and in some cases, Ameriprise account information.

NUMBER OF RECORDS: Unknown

DATE MADE PUBLIC: March 23, 2006

NAME(Location): Fidelity Investments (Boston)

TYPE OF BREACH: Stolen laptop containing names, addresses, birth dates, Social Security numbers and other information of 196,000 Hewlett Packard, Compaq and DEC retirement account customers.

NUMBER OF RECORDS: 196,000

DATE MADE PUBLIC: April 26, 2006

NAME(Location): Aetna-health insurance records for employees of 2 members, including Omni Hotels and the Dept. of Defense NAF (Hartford, Conn.)

TYPE OF BREACH: Laptop containing personal information including names, addresses and Social Security numbers of Dept. of Defense (35,253) and Omni Hotel employees (3,000) was stolen from an Aetna employee's car.

NUMBER OF RECORDS: 38,000

DATE MADE PUBLIC: June 2, 2006

NAME(Location): Buckeye Community Health Plan (Columbus, Ohio)

TYPE OF BREACH: Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider.

NUMBER OF RECORDS: 72,000

DATE MADE PUBLIC: June 16, 2006

NAME(Location): ING (Miami)

TYPE OF BREACH: Two ING laptops that carried sensitive data affecting Jackson Health System hospital workers were stolen in December 2005. The computers, belonging to financial services provider ING, contained information gathered during a voluntary life insurance enrollment drive in December and included names, birth dates and Social Security numbers.

NUMBER OF RECORDS: 8,500

DATE MADE PUBLIC: June 17, 2006

NAME(Location): ING (Washington, D.C.)

TYPE OF BREACH: Laptop stolen from employee's home containing retirement plan information including Social Security numbers of D.C. city employees.

NUMBER OF RECORDS: 13,000

DATE MADE PUBLIC: July 18, 2006

NAME(Location): CS Stars, subsidiary of insurance company Marsh Inc. (Chicago)

TYPE OF BREACH: On May 9, CS Stars lost track of a personal computer containing records of more than a half million New Yorkers who made claims to a special workers' comp fund. The lost data includes SSNs and dates of birth but apparently no medical information. UPDATE (7/26/06): Computer was recovered.

NUMBER OF RECORDS: 540,000

DATE MADE PUBLIC: July 25, 2006

NAME(Location): Old Mutual Capital Inc., subsidiary of United Kingdom-based financial services firm Old Mutual PLC

TYPE OF BREACH: Laptop was stolen sometime in May containing personal information of U.S. clients, including names, addresses, account numbers and some SSNs.

NUMBER OF RECORDS: 6,500 fund shareholders

DATE MADE PUBLIC: July 27, 2006

NAME(Location): Kaiser Permanente Northern Calif. Office (Oakland, Calif.)

TYPE OF BREACH: A laptop was stolen containing names, phone numbers, and the Kaiser number for each HMO member. The data file did not include SSNs. The data was being used to market Hearing Aid Services to Health Plan members.

NUMBER OF RECORDS: 160,000 records

DATE MADE PUBLIC: Aug. 22, 2006

NAME(Location): AFLAC American Family Life Assurance Co. (Greenville, S.C.)

TYPE OF BREACH: A laptop containing customers' personal information was stolen from an agent's car. It contained names, addresses, SSNs, and birth dates of 612 policyholders. They were notified Aug. 11.

NUMBER OF RECORDS: 612 policyholders

DATE MADE PUBLIC: Sept. 2, 2006

NAME(Location): Lloyd's of London (Port St. Lucie, Fla.)

TYPE OF BREACH: A thief reprogrammed more than 150 Lloyd's of London credit card numbers onto phone cards and used them to withdraw money from an ATM in Port St. Lucie, FL (stealing more than $20,000 over 3 days). Key personal and financial information had been skimmed from the magnetic strip on the victims' cards.

NUMBER OF RECORDS: Unknown

DATE MADE PUBLIC: Sept. 13, 2006

NAME(Location): American Family Insurance (Madison, Wis.)

TYPE OF BREACH: The office of an insurance agent was broken into and robbed. Among the items stolen was a laptop with customers' names, SSNs, and driver's license numbers.

NUMBER OF RECORDS: 2,089 customers

Source: See editor's note

Editor's note: The information presented in the sidebar "Chronology of Data Breaches" was gleaned from the Privacy Rights Clearinghouse, a San Diego nonprofit consumer education and advocacy organization. Every effort was made to ensure accuracy of reporting. For updates to particular incidents, visit www.privacyrights.org.

--Ed McKinley
