Kansas
Quarterly Interest
The Newsletter of the Office of the State Bank Commissioner
Winter 2008 Issue


Top Security Issues in 2008
By: Glen Caspers, Regional Manager - Technology Division

Is your bank ready for technology changes in 2008? A quick search of the Internet reveals many risks and new waves of technology that could affect your institution. The intent of this article is to provide a brief summary of these predictions. Do your strategic plan and risk assessment address any of these items?

Prediction #1 - The Web evolution will continue
The Web of 2007 became more robust and ready for business, becoming host to a variety of new applications and services. This new generation of sites, generally referred to as Web 2.0, acts more like traditional PC software. The sites are responsive and fast. That means web browsers will need to work hard while visiting these sites, pulling data to keep the site current. Combined with market incentives to keep pushing out new features to users, the emerging Web will present a dangerous mix of software flaws ripe for hackers to exploit. These Web-based services, including social networks such as MySpace and Facebook, are becoming prime targets for hackers seeking personal information and for use in distributing malware.

It is anticipated that financial institutions will increasingly tap into Web 2.0, including social networking sites like Facebook and MySpace, to connect with young consumers in the ways they connect with each other. Megabank Wells Fargo ($540 billion in assets) created Stagecoach Island, which is an interactive site that promotes social networking and financial education. A well-known security firm is predicting that by 2012, 75 percent of banks will use Web 2.0 and social networking technologies in retail delivery and customer relationships.

Prediction #2 - Virtualization will become more popular
Virtualization is and will continue to be a hot topic. VMware appears to be the market leader. Virtualization refers to the practice of hosting more than one server function on a single host machine. Instead of requiring a separate computer for each server, dozens of virtual servers can coexist on the same computer. In most cases, performance is not affected and each server behaves as if a dedicated machine is hosting it.

Businesses deploying virtualization could see a 40 to 75 percent one-time savings and up to 50 percent in ongoing savings. One organization consolidated 1,000 physical servers into only fifty. Banks that utilize virtualization may also improve business continuity efforts through server redundancy in the virtual server environment. The ability to test new applications and new releases on virtual machines before putting them into production is also a significant advantage. Some sources indicate that many banks will have virtualization in their 2008 plans.

Prediction #3 - Vista will be a catalyst for change in the PC industry
For many years, hardware processing power has exceeded the requirements of operating systems. A reversal of this was seen in 2007 and is expected to continue in 2008 as Vista emerges in the workplace. Vista has hefty hardware requirements, so planning to deploy it on current computers may be unwise. You will want to ensure that 2008 PC purchases are Vista-capable even though you may plan to delay Vista deployment and run XP in the interim. Many businesses have elected not to test and adopt Vista until Service Pack 1 is issued, which will likely be released by the time you read this article. Banks may also need to assess their thin-client designs in light of Vista's requirements.

Additionally, Vista and Office 2007 will represent learning curves not seen in recent releases. In particular, Office 2007 will likely require significant training. Banks should be planning for these versions by developing detailed software training and migration plans.

Prediction #4 - Security threats will get personal
Phishing scams and malware will continue to be serious security threats. Cyber criminals are becoming more professional. Attacks are becoming more individualized, focusing on individuals with specific and personal demographic information. Experts say that instead of just credit cards and bank account information, they're going for everything - any and all information that can be used to create an identity. As individuals become savvy to widespread attacks, phishers will target their victims more precisely with highly researched, personal information, a practice known as spearphishing. Also, targeting high-level executives for sensitive company information is referred to as whaling. It is reported that phishing toolkits are becoming more available, making it much easier for cyber predators to engineer their scams. Consumer education and security awareness training will continue to be key factors in mitigating these risks.

Prediction #5 - Use of smartphones will continue to grow
The use of handheld devices such as smartphones in financial entities is reported to have increased substantially over the past year. The ability for staff to work remotely may increase their productivity, but the risk posed by remotely accessing email and bank networks is higher than ever. Also, smartphones that are running operating systems and e-mail applications can be storing valuable data. This makes them very tempting targets. Security researchers have found ways to break into some mobile-phone platforms. To what extent are they vulnerable to hackers, viruses, theft, and insider abuse, and how can a bank manage their security? Banks that allow employees to use these devices to conduct business will have to learn how to secure and support these devices.

Summary
Other topics worthy of mention for 2008 include pandemic planning, hard drive encryption, and VoIP attacks. Pandemic planning should continue through 2008 and will reinforce current business continuity plans by bringing attention to any disaster that may reduce your workforce.

Data loss due to lost notebook computers and other data-storage media made up 46 percent of all data losses in 2007. When a computer is lost or stolen, encryption becomes a big deal. While VoIP phones may offer low-price long-distance calling and the ability to place calls from a PC, the communications protocol used by many VoIP providers is vulnerable to attacks, and leaves holes that hackers could use to hide their identities. Also, some Internet phone carriers have not turned on the technology that can encrypt conversations.


