LAS VEGAS -- Midmarket financial firms, struck hard by global economic concerns, are facing a challenging threat environment while trying to trim operational costs – a process that is putting further strain on IT security professionals.
Bryan E. Simon, senior systems and security specialist at Prince George, British Columbia-based Integris Credit Union, constantly struggles with balancing the need to maintain around-the-clock uptime while defending his firms' systems from a mixture of internal and external security threats.
Simon, who presented at the McAfee Focus 10 conference, is one of only two IT professionals assigned to the credit union's IT security operations, a weighty task for only two people to protect 50 servers and seven branch locations from external attacks while ensuring the firm's 180 employees are following security procedures.
"If there is a data breach, I don't know why a customer would stay with us," Simon said. "It's a thought that is always going through my mind."
Simon struck a common theme in not only the financial industry, but also in IT security where security professionals are stretched thin, further stymied by a weak global economy that has business executives tightening IT security budgets. Simon ticked off a list of common security best practices, from deploying encryption on endpoint devices to deploying host-based intrusion prevention systems, but ultimately midmarket firms are going to find it difficult to put in place all best practices, he said.
Like any midmarket firm, Integris Credit Union balances security and operational costs on almost a daily basis, Simon said. But the financial institution is also pressured by tough regulations, which should not only be met but exceeded if the firm expects to ward off dangerous malware like Zeus and protect its financial systems from being penetrated by network-based attacks, he said.
"We've all seen stories where organizations were compliant and they were still breached," Simon said. "I think people get these check boxes and put this work in, but they miss a few other things because it's not part of a regulation. I try to make my security posture make me compliant with regulation by applying security best practices across my environment with the hope that it reaches over a number of regulations."
Accidental data leakage is always a concern, Simon said. People don't intend to do bad things, but business processes or controls sometimes aren't implemented properly or employees look for ways around a specific process for speed and efficiency.
The credit union is almost entirely standardizing on McAfee, wooed by the security vendor's centralized management console. An IT security administrator at a New York-based financial firm, who declined to give his name, said standardizing on a single platform is always an attractive option for firms with minimal IT staff. Larger financial organizations typically choose a mixture of security products, sticking to the best-of-breed philosophy when selecting security technologies.
"It's nice to have centralized management, but you also have to have different solutions in place in case something serious happens," he said. "It's no surprise that our industry has been under a great deal of strain, so I can see why some organizations are trying to standardize."
Tony Chew, the head of the Technology Risk Supervision Division of the Monetary Authority of Singapore, which enforces strict guidelines over financial firms operating in that country, said he has seen banks and other financial firms struggle to maintain tough security standards in the wake of the global economic crisis. Authentication has been one of the most challenging issues for organizations, he said. Banks can't expect their customers to take sole responsibility over safeguarding their passcodes, PIN numbers and other authentication information. A mixture of user education and tougher safeguards are needed, he said. Current protections are falling short.
"Customers have their own responsibility not to endanger the safety of their PINs, but we know that PINs are inherently vulnerable, so there have to be better solutions than just relying on customers not disclosing or inadvertently exposing their PINs," Chew said.