With the bank failures of recent weeks, more pending redundancies and a continuation of the downward slide, should we be concerned about lax security? Is someone minding the store while all this is going on or should we be doing something more when the banks are going bust?
One of the immediate consequences of the recent turmoil in the financial markets, and of the bank mergers and takeovers that have resulted, was an increase in the number of phishing attacks, writes Paul Williams, strategy chair of ISACA and IT governance adviser to Protiviti. Fraudsters will always spot an opportunity in uncertainty, and financial institutions and their customers have to be alert to this. Only a tiny proportion of phishing attacks ever come close to succeeding but, with the high levels of market uncertainty, it is probable that, while still very small in number, more such attacks will have yielded positive results for the fraudsters compared with more stable times.
While most enterprises in financial services have generally understood the need for high levels of security and have applied themselves to implementing and managing effective and appropriate security measures, there is little doubt that risk will have increased throughout and following any major market upheaval. The diversion of management focus onto other matters, including survival, and the widespread redundancies that have also occurred will all contribute to increased risk.
Traditionally, financial services enterprises have categorised risk into three types: credit risk, market risk and operational risk. Security is primarily related to operational risk. It is clear that the recent financial market difficulties have been centred mostly on market and credit risk, with operational risk receiving significantly less attention. This does imply that there has been, and continues to be, a greater likelihood of security being weakened throughout this period. Enterprise management, including their audit committees, internal auditors, and security specialists, must work together to manage this risk. This will include ensuring that appropriate skills are not lost in any essential redundancy programmes. Care must also be taken to ensure that access rights for those staff leaving are revoked at the earliest opportunity. Staff who are unhappy with their treatment during any organisational rationalisation will represent a potential security threat.