
With the bank failures of recent weeks, more pending
redundancies and a continuation of the downward slide, should we be
concerned about lax security? Is someone minding the store while
all this is going on or should we be doing something more when the
banks are going bust?
One of the immediate consequences of the recent turmoil in the
financial markets and the bank mergers and takeovers that have
resulted was an increase in the number of phishing attacks, writes
Paul Williams, strategy chair of ISACA and IT
governance adviser to Protiviti. Fraudsters will always spot
an opportunity in uncertainty, and financial institutions and their
customers have to be alert to this. Only a tiny proportion of
phishing attacks ever come close to succeeding but, with the high
levels of market uncertainty, it is probable that, while still very
small in number, more of such attacks will have yielded positive
results for the fraudsters compared with more stable times.
While most enterprises in financial services have generally
understood the need for high levels of security and have applied
themselves to implementing and managing effective and appropriate
security measures, there is little doubt that risk will have
increased throughout and following any major market upheaval. The
diversion of management focus onto other matters, including
survival, and the widespread redundancies that also have occurred
will all contribute to increased risk.
Traditionally, financial services enterprises have categorised
risk into three types: credit risk, market risk and operational
risk. Security is primarily related to operational risk. It is
clear that the recent financial markets difficulties have been
centred mostly on market and credit risk with operational risk
receiving significantly less attention. This does imply that there
has been, and continues to be, a greater likelihood of security
being weakened throughout this period. Enterprise management,
including their audit committees, internal auditors, and security
specialists must work together to manage this risk. This will
include ensuring that appropriate skills are not lost in any
essential redundancy programmes. Care must also be taken to
ensure that access rights for those staff leaving are revoked at
the earliest opportunity. Staff who are unhappy with their
treatment during any organisational rationalisation will
represent a potential security threat.