Content Copyright © 2008 Bloor. All Rights Reserved.
Watching the turmoil in the international banking
community I can’t help but wonder what the implications are for data security
in such difficult times.
We are used to banks being pretty good at security. For
decades they have been held up as the leaders in security as safeguarding
financial assets has been their stock in trade. Physical and technical security
are prerequisites of operating a bank, and those that failed to keep the
confidence of their customers soon saw investors running away.
But how does a collapsing bank still preserve the integrity
of their systems when staff are being laid off and institutions are bankrupt?
Who is left managing the systems when the lights are turned off? What threat
vectors are going to be on the up following this banking crisis?
Hearing that your employer has finally gone bang after
months of struggling to keep itself going will do little to motivate most of an
institution’s staff. In the past they may have felt a high degree of loyalty to
a place they have worked for many years but this changes when next month’s
mortgage cannot be paid.
In these circumstances attitudes to company assets change
and some people feel obliged to take a laptop, server or memory stick in lieu
of payment. Despite being illegal, who is going to police the anarchy that may
ensue prior to the arrival of the administrators? Forget the contract security
staff, they have already been withdrawn as their invoice won’t get paid.
I dread to think of the amount of data that will be
leaving in cardboard boxes, or their virtual equivalent, from these collapsing
institutions. No doubt it will be customer lists, account data, email files,
proposals, project files and everything else you can think of.
As staff feel fed up and embittered they become easy prey
to criminal gangs looking at hiring key players in an attempt to bolster up
their operations. Far fetched? Well I am sure it is an opportunity not to be
missed. The chance to become an “IT consultant” is appealing to many, and when
you need to pay a mortgage your choice of customer base may be less picky than
My previous papers concerning the people threat had the competent
and malicious inside threat down as a very small percentage of a typical
employee base. In some financial institutions I am sure this percentage will
rocket as people look to preserving their own situation.
Important tasks such as computer account provisioning
will come under strain as people are made redundant or redeployed. In all
likelihood there will be hundreds of old accounts sitting and still active
despite their owners moving on. If these accounts allow remote access then
ex-employees can have system access for months to come. This is difficult to
manage at the best of times—compound this with today’s issues and you have
another huge security problem.
IT security managers, one hopes, will realise this and
ensure systems are extra protected. But that is assuming the IT security
managers feel sufficiently safe themselves. After all who is going to police the police?
Of course the criminal fraternity will see the banking
turmoil as a great opportunity to phish for new victims. Emails supposedly coming
from defunct or almost defunct banks will urge the general public to change their
banks as soon as possible for fear of losing their deposits.
People will panic
and feel obliged to move money, even if it is simply spreading the risk amongst
different institutions to keep under the £35,000 guarantee limit on deposits
from the UK government. Other gangs will tempt those wanting to move money into
other commodities such as gold and no doubt offer tremendous deals on
Previously stable IT security systems will be messed
around with as services are quickly brought together under huge pressure to support
a merger, leaving a trail of holes in the security infrastructure.
As institutions merge there will be bun fights as people
strive to keep their jobs. Talented individuals are already circulating their
CVs ready to go quickly if or when their post is threatened. Unfortunately in
my experience it is often the brightest and the best that go first as they have
the gumption to try and resolve their
situation. This creates a vicious circle as less experienced people are left to
mash together ever more complex systems.
It will be interesting to monitor IT budgets and spending
on IT security over the coming months. Undoubtedly budgets will come under
scrutiny, and new projects cancelled or put on hold. Upgrades to security defences
will probably be delayed as they have to be justified all over again.
Unfortunately this reduction in spend will probably coincide with an increase
in threats as the bad people look to exploit weaknesses within the banking
IT security vendors will be looking to their traditional
early adopter customer base, the financial institutions, and be wondering what
is going to happen. Hopefully the smarter ones will try and see this as an
opportunity but it is still going to hurt at some point.
Am I painting a too gloomy picture?
I don’t think so, instead I think this is a realistic
sketch of the IT security issues we are now facing. And you know what? I
already have it on good authority that ex-employees of a now defunct bank have
been out to buy a caddy for a newly acquired hard disk.
I bet I know where the disk came from.