CUSTOMER DATA

Going to Extremes to Protect Banking Customer Data


While the need for beefed-up information security programs in banking has been growing over time, a seminal moment came in 1999, when the federal government passed the Gramm-Leach Bliley Act. That law requires financial institutions to implement an information security program that ensures the integrity, security, and confidentiality of customer information.



Financial institutions long have been in the business of safeguarding customers' assets, but gone are the days when an ironclad vault was sufficient for the task. Now, information is an asset that also must be protected, and banks continually are investing in a sophisticated arsenal of weapons to thwart information "thieves."

Spokane, Wash.-area bankers say the importance of information security has risen significantly in recent years for several reasons. Among them, online banking has grown in popularity, most records now are transmitted and stored electronically, and the federal and state governments have tightened information-security regulations.

"Certainly in the banking industry, customer tolerance for security breaches is much lower than in other industries, like retail," says Dave Klatt, information technology governance and security manager at Sterling Savings Bank. "Banking is a highly regulated business, and there's a level of importance that gets placed on security for us more so than for other businesses."

Turning Point

While the need for beefed-up information security programs in banking has been growing over time, a seminal moment came in 1999, when the federal government passed the Gramm-Leach Bliley Act (GLBA), bankers say. That law requires financial institutions to implement an information security program that ensures the integrity, security, and confidentiality of customer information, Klatt says.

Bankers say that perhaps the most significant change banks have had to make to their security programs in recent years has been the result of a federal guidance, issued in 2001 and updated in 2005, stating that account fraud and identity theft frequently result from the exploitation of user ID and password authentication. The guidance said banks that offer Internet-based products and services to their customers should implement multifactor authentication, layered security, or other controls to mitigate those risks.

Multifactor authentication involves requiring an online banking customer to provide more than just a user name and password to access their account, says Nicole Tutt, information security officer at Spokane Teachers Credit Union. Layered security involves combining multiple security products to create a comprehensive barrier against attacks on a network.

STCU, Sterling Savings and AmericanWest Bank say they wrapped up their implementation of multifactor authentication systems for their online banking services within the past year or so.

The Layered Look

STCU, along with other financial institutions here, has opted to create a multifactor authentication system by adding questions customers must answer to access their accounts, Tutt says. STCU and others say their systems also recognize a customer's personal computer for authentication. STCU, Sterling Savings, and AmericanWest all say they now install some sort of encrypted data on customers' computers via the Web to identify them when they try to log on. If a customer isn't using a computer with the encrypted data, they can answer questions from a pool they have helped create.

Sterling Savings and AmericanWest say they also now employ another level of security, called a token-based system, for their big commercial customers. The bank gives customers small, digital devices that display a series of numbers, which change every minute or so, Klatt says. The customer enters that series of numbers during the log-on process to gain access to their account, he says.

Wade Griffith, chief information security officer at AmericanWest, says that while multifactor authentication measures are intended to verify a customer's identity, they also can assure the customer of the bank's identity. When a customer creates an online account with AmericanWest, he or she creates a look and a unique phrase that the bank's system will display on the customer's personal computer screen every time the customer tries to log on, he says.
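The layered log-on the bankers describe, as an added example in Python that is not code from the article or from any of the institutions named in it: a signed device marker (an assumption standing in for the unnamed "encrypted data" placed on the customer's computer), the challenge-question fallback, the customer's chosen phrase returned once the customer is identified, and a six-digit code that changes every minute for commercial customers. The customer record, key, salt and token seed are constructed values.

```python
import hashlib, hmac, struct
SERVER_KEY = b"constructed-server-secret"  # assumption: bank-side key, constructed value

def kdf(secret, salt):  # slow, salted hash for passwords and challenge answers
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000).hex()

def issue_device_token(customer_id):
    # PC marker: an HMAC-signed id stands in for the article's "encrypted data" (assumption)
    mac = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return customer_id + ":" + mac

def device_recognized(token, customer_id):
    if not token or ":" not in token:
        return False
    cid, mac = token.split(":", 1)
    expect = hmac.new(SERVER_KEY, cid.encode(), hashlib.sha256).hexdigest()
    return cid == customer_id and hmac.compare_digest(mac, expect)

def token_code(seed, now, step=60, digits=6):
    # Hardware-token code: HMAC over the current 60-second time step (RFC 6238 style).
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def code_valid(seed, supplied, now, step=60):
    # accept one step either side to absorb clock drift between token and server
    return any(hmac.compare_digest(token_code(seed, now + d * step, step), supplied)
               for d in (-1, 0, 1))

def identify(profile, device_token=None, answers=None):
    # Step 1: recognised computer, else challenge questions; returns the customer's
    # chosen phrase, which the page shows so the customer can confirm it is the bank.
    if not device_recognized(device_token, profile["id"]):
        for q, h in profile["answers"].items():
            given = (answers or {}).get(q, "").strip().lower()  # answers stored normalised
            if not hmac.compare_digest(kdf(given, profile["salt"]), h):
                return None
    return profile["site_phrase"]

def authenticate(profile, password, code, now):
    # Step 2: password, plus the one-minute token code for commercial customers.
    if not hmac.compare_digest(kdf(password, profile["salt"]), profile["pw_hash"]):
        return False
    return not profile["commercial"] or bool(code and code_valid(profile["seed"], code, now))

SALT = b"constructed-per-customer-salt"
CUSTOMER = {"id": "cust-001", "salt": SALT, "commercial": True,  # constructed record
    "site_phrase": "blue heron at dawn", "seed": b"constructed-token-seed",
    "pw_hash": kdf("correct horse", SALT), "answers": {"first pet": kdf("rex", SALT)}}
```

A real deployment would rate-limit failed challenge answers and codes; the window of one step either side is the usual trade-off between drift tolerance and replay exposure.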

The Enterprise Level

Other high-tech tools that financial institutions employ include network firewalls, which are a combination of hardware and software used to prevent access to some network resources; filters that screen content from the Web and e-mails; intrusion detection systems (IDS); security patches to programs they already operate; antivirus software; and anti-spyware software. IDS refers to hardware and software that identify and record attempts to compromise a network, and anti-spyware software detects software that has been installed secretly on a computer to intercept or take partial control over the user's interaction with the computer.

Sterling Savings also installs a tool on its computers that controls what kind of media devices can be connected to the computer and what can be downloaded from and uploaded to the computer, Klatt says.

The most sophisticated piece of security equipment that AmericanWest and Sterling Savings have implemented in the last few years is called a "security information management tool." That system collects data from all of the security tools, such as firewalls and intrusion detection systems, and runs a trend analysis to identify suspicious activity, Klatt says.
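The kind of correlation a security information management tool performs, as an added example in Python that is not from the article or from any product the banks use: it parses constructed firewall and IDS records, builds an hourly baseline of denied connections per source, flags a source whose latest hour exceeds three times its earlier average, and raises the severity when the IDS independently named the same source. The record layout, the addresses and the 3x threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import mean
# Constructed sample records in a vendor-neutral layout (not from any product named on the page).
FIREWALL_LOG = """\
2008-05-01T09:00:12 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2008-05-01T09:00:13 fw1 DENY src=203.0.113.7 dst=10.0.0.6 dport=22
2008-05-01T10:01:02 fw1 DENY src=203.0.113.7 dst=10.0.0.7 dport=22
2008-05-01T10:05:44 fw1 DENY src=192.0.2.10 dst=10.0.0.80 dport=23
2008-05-01T11:02:00 fw1 DENY src=203.0.113.7 dst=10.0.0.8 dport=22
2008-05-01T11:02:01 fw1 DENY src=203.0.113.7 dst=10.0.0.9 dport=22
2008-05-01T11:02:02 fw1 DENY src=203.0.113.7 dst=10.0.0.10 dport=22
2008-05-01T11:02:03 fw1 DENY src=203.0.113.7 dst=10.0.0.11 dport=22
2008-05-01T11:02:04 fw1 DENY src=203.0.113.7 dst=10.0.0.12 dport=22
2008-05-01T11:03:00 fw1 DENY src=192.0.2.10 dst=10.0.0.80 dport=23
"""
IDS_LOG = """\
2008-05-01T11:02:05 ids1 ALERT sig="SSH scan" src=203.0.113.7
2008-05-01T11:30:00 ids1 ALERT sig="Port sweep" src=198.51.100.4
"""
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>DENY|ALLOW) src=(?P<src>\S+)")
IDS_RE = re.compile(r'^(?P<ts>\S+) \S+ ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+)')

def deny_counts(fw_text):
    # source -> Counter(hour bucket "YYYY-MM-DDTHH" -> number of denied connections)
    counts = defaultdict(Counter)
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m and m["action"] == "DENY":
            counts[m["src"]][m["ts"][:13]] += 1
    return counts

def ids_alerts(ids_text):
    alerts = defaultdict(set)  # source -> signatures that fired
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            alerts[m["src"]].add(m["sig"])
    return alerts

def trend_findings(fw_text, ids_text, factor=3.0):
    # Flag a source whose latest-hour denies exceed `factor` times its earlier hourly mean.
    alerts, findings = ids_alerts(ids_text), []
    for src, per_hour in deny_counts(fw_text).items():
        hours = sorted(per_hour)
        if len(hours) < 2: continue  # no history yet, so nothing to compare against
        baseline, latest = mean(per_hour[h] for h in hours[:-1]), per_hour[hours[-1]]
        if latest > factor * baseline:
            findings.append({"src": src, "hour": hours[-1], "denies": latest, "baseline": baseline,
                             "ids": sorted(alerts.get(src, ())), "severity": "high" if src in alerts else "medium"})
    return findings
```

The steady source 192.0.2.10 is never flagged because its latest hour matches its own baseline, which is the point of trending per source rather than using one global threshold.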

Certain components of STCU's data security system, such as antivirus software, are updated hourly, Tutt says. Upgrades to other systems, such as firewalls and IDS, are implemented as soon as vendors release them, she says.

An Expensive Task

As security issues rise in importance, investments in security eat up an increasingly large portion of banks' budgets. Griffith says capital expenditures on information security now consume 30 percent to 40 percent of AmericanWest Bank's overall information-technology budget. Five years ago, information security comprised about 10 percent of the IT budget, he says.

Klatt says Sterling Savings has multiple security-related projects going on all the time, and each project typically costs between US$50,000 and $200,000. He says he gets approval for all of the significant projects he thinks Sterling needs, but lobbying for upgrades sometimes can be a challenge.

"How do I make the case for something that hasn't yet happened?" Klatt says. He explains, "Spending money on information security is a form of insurance."

Six employees, including Klatt, work in Sterling's IT security department, although the bank also has other teams devoted to antifraud and online banking activities, he says. STCU's Tutt, who joined the credit union six years ago, says she was its first dedicated data security employee. Since then, it has hired an additional employee in that department. AmericanWest Bank has about seven employees in its IT department who focus mostly on security issues, but also has internal auditors and contracts out some security tasks, Griffith says.

Procedures and policies also constitute another critical component of banks' security systems. A key part of security policy is segmentation of systems, Klatt says. Sterling keeps the systems that house customers' confidential information as separate from its management systems as possible by using separate equipment and networks for each. Banks also typically house important records and documents in multiple physical locations, both for security and redundancy purposes, he says.

Banks also follow the principle of limited access and segregation of duties, so that employees don't have unrestricted access to records and more than one person must authorize any significant transaction, Griffith says. Additionally, AmericanWest builds access controls into its software applications to ensure that the information available to employees is appropriate to their job functions, he says.

Security Audits

Banks must undergo annual security audits performed by federal and Washington state agencies, Klatt says. Since STCU is a state-chartered credit union, it isn't subject to a federal audit, but must undergo a state audit every 18 months, Tutt says. STCU, Sterling, and AmericanWest all say they also go through frequent internal audits, conducted by both their own employees and outside auditors with which they contract.

While banks can pour resources into high-tech equipment and create stringent protocols, some of the most important aspects of information security are far harder to control.

"We now have a pretty good grasp on the technology side of it," Tutt says. "What the bad guys have figured out is that the exposure lies on the soft side, that is, they can fool the people who control the technology."

STCU, Sterling, and AmericanWest all require employees to review security policies frequently, and the institutions hold seminars and training sessions about security-related topics. AmericanWest requires its employees to get recertified annually by taking a test about the bank's security policies, Griffith says.

For customers, banks provide information on their Web sites and send messages inside customers' bank statements about ways to mitigate security risks, such as by identifying and avoiding scams and choosing appropriate passwords, Klatt says.

Bankers at Sterling also typically have one-on-one conversations with large commercial customers and high-net-worth individual customers about how to mitigate security risks, particularly with regard to online banking, he says.

"Our biggest challenge is that most customers aren't up to speed on the various risks with online banking," he says. "You can have lots of great technology, but at the end of the day, your best return on investment is with education of staff and customers."

© 2008 Journal of Business. All rights reserved.
© 2008 ECT News Network. All rights reserved.
