
December 8, 2014

How do you balance online security with customers' web access needs?

Chuck Bauer of Middlesex Savings Bank: "The chief weapon (of hackers) is the phishing, where criminals will attempt to get passwords and account information through texts and emails."
David DeWitt of Digital Credit Union: "Consumers are becoming more savvy but they are still the biggest weakness."

In the last year, data from 96 million credit cards were exposed during breaches at Home Depot and Target. The online security of the U.S. State Department, the White House and other government agencies is constantly being probed. Meanwhile, the U.S. energy grid was attacked 79 times.

Reported cybercrimes are rampant and seemingly growing in number, and those are only the publicized breaches. The cyberdefenses of businesses across the country are tested daily by individual criminals as well as by nation-states looking for trade secrets.

“Hardly a week is going to go by where there isn't a breach, whether it is announced or not,” Aaron Portnoy, a graduate of the Massachusetts Academy of Math and Science in Worcester and an international expert on hacking, said during a session with representatives of the media last month, just prior to delivering a speech before the Worcester Economic Club. “They have been going on for at least the last 10 years.”

Some have described the inner workings of the Internet as a war zone with a myriad of secrets that are there for the taking by various groups with the right tools. Portnoy views it as a playground where his company, Exodus Intelligence of Austin, Texas, mines computer programs for weaknesses that would allow people to gain access to private information. He sells these for a pretty penny – many of them to different government agencies and companies. If this sounds scary, remember that he's one of the good guys who works under various ethical and security-minded guidelines.

“Every year I get that voice in the back of my head that they are going to solve security and I am going to be out of a job,” Portnoy said during his speech. “But that hasn't happened yet.”

Protecting the bank vaults

In response to this ever-shifting landscape of security, banks and other institutions must continue to shore up their defenses against breaches that would access money or intellectual property, he said.

While many institutions and organizations, such as defense contractors, can have extremely strong but restrictive defenses, banks must balance the risk with maintaining Web access for their customers, said David DeWitt, vice president of risk management at Digital Credit Union.

Financial institutions are among the most highly regulated businesses, having been subject to federal mandates for cyber defenses for more than 10 years. The Federal Financial Institutions Examination Council (FFIEC), a government agency that prescribes uniform principles for all federally supervised financial institutions, has issued guidelines on the types of defenses banks must have based on their risk exposure. However, with the increase in online banking, most banks and credit unions have similar levels of security that they need to meet, DeWitt said.

Even the most secure industry has its weaknesses, though, and often those are the clients and members of the banks and credit unions, DeWitt added. The banks can have the most secure sites possible, but as long as their members are targeted, there will be vulnerabilities.

“Typically, users are the weak point. That is the area that the fraudsters or hackers are targeting,” DeWitt said. “Training and awareness (are big parts) of our security culture … Consumers are becoming more savvy but they are still the biggest weakness.”

The chief weapon is phishing scams, in which criminals attempt to get passwords and account information through texts and emails. Part of ensuring secure banking involves outreach to customers. Keeping their computers secure from malware and viruses helps keep the whole security system functioning, said Chuck Bauer, executive vice president and chief technology officer for Middlesex Savings Bank.

Communication with customers helps

This outreach comes down to solid communication through online messages when customers log in to their accounts, he said, to warn of the newest or ongoing scams. That's working, since fewer people are giving out their information to scammers. However, DCU customers continue to report information-gathering attempts to the credit union, DeWitt said.

Banks can continue their outreach and fortify their defenses, but there will always be an inherent, and changing, risk when banking online, said Bauer. As more customers move to mobile applications that have more control over accounts, more scammers and hackers will focus on them, he added. That's why Middlesex employs both an internal team and external contractors who run different levels of security programs to provide a layered defense, according to Bauer.

“There are risks associated with those levels of convenience. That landscape keeps changing and it changes as our delivery services change,” said Bauer, who explained that upwards of 45 percent of Middlesex's customers bank online. “There's not just one single method that you can employ that is going to say 'Now I am secure.' There (is) multiple layered security provided by multiple sources.”

Professor lauds bank security

Overall, however, the banking industry is one of the most secure, said Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute. Security is all about gauging risk and the potential cost of a break-in, she said. This is why homes don't have heavy-duty locks, she said, but they might if there were something of high value inside. Banks, because they're dealing with money that's easily quantified when lost, can readily calculate their risk-to-cost ratio and respond appropriately.

“The banks are very good at doing the calculations about risk because the product is money, so it is very easy to measure,” Landau said. “The loss in other places is harder to measure and that is where we don't have as good cybersecurity as we should.”

There are other industries, such as the power network and those dealing in proprietary information, that cannot as easily calculate what the cost of a breach will be, she said. This is something each company must calculate. There are consultants who will not only test systems, but help evaluate security needs and put the necessary security in place, said Portnoy.

While the risk may be small for most companies, any company that does not have a point person for cybersecurity is behind the times.

“Most people learn, once they get breached once, that they should do something about it,” Portnoy said prior to his speech last month.
