Security and the Bottom Line
By Elizabeth Wasserman
Bank of America announced in May that it has invested in a new, industry-leading security feature to help its 13.2 million online banking customers fight fraud and identity theft. In doing so, Bank of America joined a growing number of financial institutions responding to the alarming rise in online "phishing" scams, in which attackers try to trick computer users into divulging personal and financial account information by sending them phony emails with links to spoofed Web sites that look legitimate. Bank of America has tried to educate its customers about such scams through an awareness effort, but ultimately the Charlotte, N.C.-based company decided to deploy new authentication technology to reassure consumers and protect the bank from theft.

CIOs understand how costly network security threats are. Recent history is full of worms and viruses that have taken a toll on productivity and financial resources, as well as on hardware, software, and network equipment. Phishing, spyware, and "pharming" -- which redirects users from legitimate commercial Web sites to bogus ones where their login names and passwords are captured by thieves -- erode end users' confidence in the Internet, especially with regard to ecommerce. They can also damage a company's reputation, prevent it from doing business online with customers, and even compromise a company's ability to comply with new government regulations requiring protection of sensitive data.

But there is yet another reason CIOs must sound the alarm in the executive suite: these attacks have a measurable impact on the bottom line. Gartner estimated in a 2004 report that 57 million people had been targeted by online phishing attacks, and that those attacks cost banks, credit card companies, and other financial services institutions more than $1.2 billion in 2003.
Another recent survey found that businesses faced 50 percent more viruses in 2004 than in the year before, and that the cost of recovering from those attacks continued to grow. The survey, conducted by ICSA Labs and sponsored by several anti-virus and technology firms, found that when 25 or more computers were infected, system downtime increased 12 percent from 2003 to 2004, average recovery time rose 25 percent, and the cost of a full recovery averaged $130,000.

The potential business risks of online attacks are growing in part because the motives of the attackers are changing. "Viruses and worms have traditionally been more of a malicious attempt to make trouble. They might be targeted to disrupt a Web site or destroy information or use network resources to cause problems," said David Friedlander, a senior analyst at Forrester Research. "Phishing and pharming are clearly targeted at information theft. Everything is about financial gain. These people are organized and they are going to be much harder to fight off than a virus."

In addition to the financial implications, companies run the risk of regulatory compliance failure should these threats compromise their ability to assure data security, Friedlander noted. The Health Insurance Portability and Accountability Act of 1996 requires companies in the health care industry to protect confidential patient information. Laws affecting the financial services industry similarly require better safeguards over consumer financial data. Any entity that does business in California must comply with California Senate Bill 1386, which took effect in 2003 and requires that any security breach involving personal information be publicly disclosed.

CIOs need to point out to C-level peers the potential ramifications of these threats to the business, brand, and customer base. And they can arm themselves further by recommending the following steps for minimizing the impact of these threats:
Bank of America chose to incorporate some of these new authentication technologies into its plan to better protect its online banking customers -- and their business -- from the risks posed by phishing, pharming, and spyware, according to Betty Riess, a Bank of America spokeswoman. The company's new free service for customers is called SiteKey, and the company likens it to "getting a safe deposit box that takes two keys to open." The customer and the bank must confirm each other's identity before doing business: the bank shows the customer a secret image and phrase the customer chose at enrollment, and the customer enters a passcode only after seeing them. If a customer's ID and passcode are stolen via spyware or a fake Web site, a person trying to access the account from an unrecognized computer would still have to answer challenge questions correctly. Before customers do their business, they can click on the SiteKey button to see their secret image and phrase. If that fails to appear, the site could be a spoof.

"Industry wide, these scams have become more widespread over the past couple of years," Riess said. "These are added measures that we can take to give our customers greater peace of mind and increase their comfort level online."

Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.
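The SiteKey flow described above, as an added illustration in Python (not Bank of America's code, and not a description of its actual implementation): a bank enrolls a customer with a passcode, a secret image and phrase, challenge questions, and a token identifying the enrolling computer. On login the bank shows the image and phrase only to a recognized device, or to a new device after the challenge questions are answered; the customer types the passcode only if the image and phrase match. Account names, the device-token mechanism, and the challenge questions are constructed for the example.

```python
"""Toy model of a SiteKey-style mutual login (added illustration).

Flow, as the article describes it:
  1. Customer sends an online ID plus a device token (cookie set at enrollment).
  2. Recognized device  -> bank shows that customer's secret image and phrase.
     Unrecognized device -> bank first demands answers to challenge questions.
  3. Customer enters the passcode only if the image and phrase are the right ones.
A spoofed site that knows only the online ID cannot show the image, so the
customer stops before step 3.  All account data here is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow salted hash for stored passcodes and challenge answers.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


def _norm(answer: str) -> str:
    # Challenge answers are compared case- and whitespace-insensitively.
    return " ".join(answer.lower().split())


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    image: str
    phrase: str
    challenges: dict                           # question -> hashed normalized answer
    devices: set = field(default_factory=set)  # recognized device tokens


class Bank:
    def __init__(self) -> None:
        self.accounts = {}  # online ID -> Account

    def enroll(self, user, passcode, image, phrase, qa: dict) -> str:
        salt = secrets.token_bytes(16)
        acct = Account(salt, _kdf(passcode, salt), image, phrase,
                       {q: _kdf(_norm(a), salt) for q, a in qa.items()})
        self.accounts[user] = acct
        token = secrets.token_hex(16)  # would be set as a cookie on the enrolling browser
        acct.devices.add(token)
        return token

    def begin_login(self, user, device, answers=None) -> dict:
        """Step 1/2: the bank proves itself by showing the secret image and phrase."""
        acct = self.accounts.get(user)
        if acct is None:
            return {"status": "denied"}
        if device not in acct.devices:
            if answers is None:
                return {"status": "challenge", "questions": sorted(acct.challenges)}
            ok = all(hmac.compare_digest(_kdf(_norm(answers.get(q, "")), acct.salt), h)
                     for q, h in acct.challenges.items())
            if not ok:
                return {"status": "denied"}
            device = secrets.token_hex(16)  # remember this computer from now on
            acct.devices.add(device)
        return {"status": "sitekey", "image": acct.image,
                "phrase": acct.phrase, "device": device}

    def finish_login(self, user, device, passcode) -> bool:
        """Step 3: the passcode is accepted only from a device that passed step 1/2."""
        acct = self.accounts.get(user)
        if acct is None or device not in acct.devices:
            return False
        return hmac.compare_digest(_kdf(passcode, acct.salt), acct.pw_hash)


def customer_proceeds(reply: dict, expected_image: str, expected_phrase: str) -> bool:
    """Customer-side rule: type the passcode only after the right image and phrase appear."""
    return (reply.get("status") == "sitekey"
            and reply.get("image") == expected_image
            and reply.get("phrase") == expected_phrase)


def demo() -> dict:
    bank = Bank()
    home_pc = bank.enroll("alice", "correct horse", "sailboat.png", "blue skies",
                          {"First pet?": "Rex", "Birth city?": "Raleigh"})
    out = {}
    # Real site, known device: image shown, customer proceeds, passcode accepted.
    r = bank.begin_login("alice", home_pc)
    out["home_ok"] = (customer_proceeds(r, "sailboat.png", "blue skies")
                      and bank.finish_login("alice", r["device"], "correct horse"))
    # Spoofed site knows only the online ID and shows a generic page: customer stops.
    fake = {"status": "sitekey", "image": "generic.png", "phrase": "welcome"}
    out["spoof_detected"] = not customer_proceeds(fake, "sailboat.png", "blue skies")
    # Thief with a stolen ID and passcode on a new computer: challenged, then denied.
    r = bank.begin_login("alice", "thief-laptop")
    out["new_device_challenged"] = r["status"] == "challenge"
    r = bank.begin_login("alice", "thief-laptop", {"First pet?": "Fido", "Birth city?": "Raleigh"})
    out["thief_denied"] = (r["status"] == "denied"
                           and not bank.finish_login("alice", "thief-laptop", "correct horse"))
    # Real customer on a new computer: right answers, image shown, device remembered.
    r = bank.begin_login("alice", "hotel-kiosk", {"First pet?": " rex ", "Birth city?": "raleigh"})
    out["new_device_ok"] = (customer_proceeds(r, "sailboat.png", "blue skies")
                            and bank.finish_login("alice", r["device"], "correct horse"))
    return out


if __name__ == "__main__":
    print(demo())
```

The load-bearing piece is `customer_proceeds`: the scheme protects the passcode only as long as the customer actually refuses to type it when the image is missing or wrong, which is why the article pairs the technology with customer education.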