SAINT-PAUL-DE-VENCE, FRANCE — Banks are pushing customers to go online like never before, but few are making sure their systems are hacker-proof, according to statistics recently released by the FBI.
A study by the U.S. Federal Bureau of Investigation indicates there were 17,672 hacker attacks in 2000, a 79 per cent increase from 1999. That means what was once a skill known only to programmers has become a hobby of suburban script kiddies, says James Finn, principal, Unisys worldwide security and privacy consulting practice.
And while banks think they have created a secure environment for their clients to transact electronically, too many continue to be infiltrated by hackers.
“It is the one thing your clients demand and expect from you, and if you don’t provide it they will leave you,” said Finn, who has consulted on security for the U.S. government. “It’s not how much you pay on their savings or the reduction on their loan rate but whether you can provide security. Customers will lose something they can never get back again. What is your plan if you lose control of your client’s personal information?”
Finn was speaking as part of the first annual Unisys financial services conference, Leaders, Lemmings or Laggards, held this week near Nice, France.
Hackers and computer viruses cost businesses around the world an estimated US$1.5 trillion in 2000, said Finn.
“It’s difficult to get anyone to quantify losses, but the FBI got 186 companies to admit to losses of $377 million or roughly $2 million each,” he said. “There must also be the consideration for brand damage as well as financial loss.”
The FBI report, released earlier this year, also shows that a successful attack against the banking and financial system could cripple the U.S. in three days. Finn displayed a list of banking and insurance companies from around the world that had experienced an attack in the last year. The list included Citibank and Guardian Insurance, two of the largest financial institutions in the world.
Part of the problem, says Finn — who admits he won’t bank online himself — is that banks are trying to address the issue of security with few resources and a limited IT staff.
He says companies are burying their heads in the sand if they think security levels are where they should be. The problem is further exacerbated because 80 per cent of all computer crime goes unreported and undetected.
The operating system hacked most often in 2000 was Windows NT with 12,101 incidents reported, followed by Linux at 3,347 and Solaris at 588.
“But it doesn’t really matter what operating systems you use, it’s the security you put in place,” said Finn. “And just because you have a firewall doesn’t mean it’s secure. There is no one thing you can purchase in enterprise security that can buy guaranteed security.”
Concerns around security also raise questions about who is liable when a Web site falls victim to a hacker attack, even if the site is simply defaced with graffiti. Not surprisingly, that has prompted a U.S. insurance firm to jump on the concept of insurance designed to address potential e-business crime such as fraud and cyber-extortion.
“The risks in the virtual world are real and all too prevalent,” said Ty Sagalow, executive vice-president and COO with American International Group (AIG), a provider of Internet-risk insurance. “But despite the use of technology, there is no silver technology bullet to answer this problem.”
Launched a year ago, AIG’s eBusiness Risk Solutions arm (aignetadvantage.com) provides network security, payment and credit insurance to large firms. The company has 1200 clients, claiming 70 per cent of the market.
“Simply having a Web site creates the potential for legal liabilities,” said Sagalow.