
Security relies on new technologies (banks and data leak prevention)

Banks and other financial institutions tend to be slightly ahead of their counterparts in their use of advanced network technologies and network security. This is not surprising given the sensitivity of the data they deal with and the degree to which they have to share their data with external organisations.
Author/s: Bob Tarzey
Created: 15/03/2008

Given this, it must be rather depressing for IT managers working in banks that, despite their efforts, the press coverage around leaked financial information has been so bad over the last six months or so. Some of the reasons for this are largely beyond the control of the banks themselves.

Many of the data leaks have been due to the carelessness of third parties: sloppy handling of credit card details by retailers, government departments being cavalier in their handling of citizens' data, or consumers falling victim to scams. What can the banks do?

First, they need to make sure that, whatever dangers outsiders expose them to, they know who is doing what on their own systems. This requires strict asset management and auditing of access to data and how it is used. But it needs to go beyond this.

Internal processes for handling data need to be clearly defined and easy to follow. It is all too easy to blame a lowly employee for being daft enough to put an unencrypted disk in the post, but they were only trying to do their job and poor processes allowed them to copy the data to disk in the first place. Accountability needs to be pushed upwards to those who define the processes.

It is not just banks' employees that need better education; it is customers too. Customers like internet banking and the immediate access it gives them to their own financial affairs. Nearly all customers are on the same side as the banks; they don't want to provide thieves access to their accounts any more than the banks do. But many are still duped by seemingly obvious scams.

Much financial fraud is not down to direct access to individual accounts but is through fraudsters applying for loans, etc., by successfully passing themselves off as a respectable individual. With a list of details including names, addresses, dates of birth and account details, which the UK government, at least, seems to make so readily available to anyone, this can be all too easy to do.

Here banks can invest in technology that can spot when a PC is likely to be used for making fraudulent applications. Vendors like Iovation provide technology that spots anomalous activity, such as serial loan applications from a single device, and maintains a library of known rogue devices.
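The two checks described above (serial applications from one device, and a library of known rogue devices) can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the record fields, the 24-hour window, the threshold and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration only.
WINDOW = timedelta(hours=24)
MAX_APPLICANTS_PER_DEVICE = 2

def review_applications(applications, rogue_devices):
    """Return (application id, reason) pairs that need manual review.

    applications: dicts with id, time (ISO 8601), device_id and applicant.
    rogue_devices: device ids already linked to fraud (the "library").
    """
    library = set(rogue_devices)      # copy so the caller's set is not changed
    recent = defaultdict(deque)       # device_id -> (time, applicant) inside WINDOW
    flagged = []
    parsed = [(datetime.fromisoformat(a["time"]), a) for a in applications]
    for when, app in sorted(parsed, key=lambda pair: pair[0]):
        device = app["device_id"]
        if device in library:
            flagged.append((app["id"], "known rogue device"))
            continue
        history = recent[device]
        while history and when - history[0][0] > WINDOW:
            history.popleft()         # aged out of the sliding window
        history.append((when, app["applicant"]))
        # Count distinct identities, so one customer retrying is not flagged.
        if len({name for _, name in history}) > MAX_APPLICANTS_PER_DEVICE:
            flagged.append((app["id"], "serial applications from one device"))
            library.add(device)       # later applications hit the library check
    return flagged

# Constructed sample records; every identifier here is made up.
SAMPLE = [
    {"id": "A1", "time": "2008-03-10T09:00:00", "device_id": "dev-1", "applicant": "applicant-001"},
    {"id": "A2", "time": "2008-03-10T09:20:00", "device_id": "dev-2", "applicant": "applicant-002"},
    {"id": "A3", "time": "2008-03-10T09:40:00", "device_id": "dev-2", "applicant": "applicant-003"},
    {"id": "A4", "time": "2008-03-10T10:05:00", "device_id": "dev-2", "applicant": "applicant-004"},
    {"id": "A5", "time": "2008-03-10T11:00:00", "device_id": "dev-2", "applicant": "applicant-005"},
    {"id": "A6", "time": "2008-03-12T15:00:00", "device_id": "dev-1", "applicant": "applicant-001"},
    {"id": "A7", "time": "2008-03-12T16:00:00", "device_id": "dev-9", "applicant": "applicant-006"},
]
KNOWN_ROGUE = {"dev-9"}

if __name__ == "__main__":
    for app_id, reason in review_applications(SAMPLE, KNOWN_ROGUE):
        print(app_id, reason)
```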

Banks will never be able to completely curtail bad data management practices by outsiders, but ultimately it is the banks and the banks alone that have responsibility for who can access their systems and who they dish out money to.

If banks can demonstrate, firstly, that they are not themselves responsible for data leaks, that they share data with third parties securely, and that when data is leaked their access controls and processes for handling potentially fraudulent applications are watertight, then they should be able to maintain customer confidence.

Not getting all this right can prove very expensive. It is not just the immediate financial losses incurred through theft and the compensation that might have to be paid to customers. It is the more serious long-term damage to brand reputation and the loss of customer confidence and loyalty that it is likely to entail.