Watching the turmoil in the international banking community I can't help but wonder what the implications are for data security in such difficult times.
We are used to banks being pretty good at security. For decades they have been held up as the leaders in security as safeguarding financial assets has been their stock in trade. Physical and technical security are prerequisites of operating a bank, and those that failed to keep the confidence of their customers soon saw investors running away.
But how does a collapsing bank still preserve the integrity of their systems when staff are being laid off and institutions are bankrupt? Who is left managing the systems when the lights are turned off? What threat vectors are going to be on the up following this banking crisis?
Hearing that your employer has finally gone bang after months of struggling to keep itself going will do little to motivate most of an institution's staff. In the past they may have felt a high degree of loyalty to a place they have worked for many years but this changes when next month's mortgage cannot be paid.
In these circumstances attitudes to company assets change and some people feel obliged to take a laptop, server or memory stick in lieu of payment. Despite being illegal, who is going to police the anarchy that may ensue prior to the arrival of the administrators? Forget the contract security staff, they have already been withdrawn as their invoice won't get paid.
I dread to think of the amount of data that will be leaving in cardboard boxes, or their virtual equivalent, from these collapsing institutions. No doubt it will be customer lists, account data, email files, proposals, project files and everything else you can think of.
As staff feel fed up and embittered they become easy prey to criminal gangs looking at hiring key players in an attempt to bolster up their operations. Far fetched? Well I am sure it is an opportunity not to be missed. The chance to become an "IT consultant" is appealing to many, and when you need to pay a mortgage your choice of customer base may be less picky than otherwise.
My previous papers concerning the people threat had the competent and malicious inside threat down as a very small percentage of a typical employee base. In some financial institutions I am sure this percentage will rocket as people look to preserving their own situation.
Important tasks such as computer account provisioning will come under strain as people are made redundant or redeployed. In all likelihood there will be hundreds of old accounts sitting and still active despite their owners moving on. If these accounts allow remote access then ex-employees can have system access for months to come. This is difficult to manage at the best of times—compound this with today's issues and you have another huge security problem.
IT security managers, one hopes, will realise this and ensure systems are extra protected. But that is assuming the IT security managers feel sufficiently safe themselves. After all who is going to police the police?
Of course the criminal fraternity will see the banking turmoil as a great opportunity to phish for new victims. Emails supposedly coming from defunct or almost defunct banks will urge the general public to change their banks as soon as possible for fear of losing their deposits.
People will panic and feel obliged to move money, even if it is simply spreading the risk amongst different institutions to keep under the £35,000 guarantee limit on deposits from the UK government. Other gangs will tempt those wanting to move money into other commodities such as gold and no doubt offer tremendous deals on too-good-to-be-true investments.
Previously stable IT security systems will be messed around with as services are quickly brought together under huge pressure to support a merger, leaving a trail of holes in the security infrastructure.
As institutions merge there will be bun fights as people strive to keep their jobs. Talented individuals are already circulating their CVs ready to go quickly if or when their post is threatened. Unfortunately in my experience it is often the brightest and the best that go first as they have the gumption to try and resolve their situation. This creates a vicious circle as less experienced people are left to mash together ever more complex systems.
It will be interesting to monitor IT budgets and spending on IT security over the coming months. Undoubtedly budgets will come under scrutiny, and new projects cancelled or put on hold. Upgrades to security defences will probably be delayed as they have to be justified all over again. Unfortunately this reduction in spend will probably coincide with an increase in threats as the bad people look to exploit weaknesses within the banking community.
IT security vendors will be looking to their traditional early adopter customer base, the financial institutions, and be wondering what is going to happen. Hopefully the smarter ones will try and see this as an opportunity but it is still going to hurt at some point.
Am I painting a too gloomy picture?
I don't think so, instead I think this is a realistic sketch of the IT security issues we are now facing. And you know what? I already have it on good authority that ex-employees of a now defunct bank have been out to buy a caddy for a newly acquired hard disk.
I bet I know where the disk came from.