by Alan Royal
Oct 23 2015
Our current state of IT and data security is largely the product of a drive toward innovation on many fronts without ensuring that the associated security threats are fully addressed. Almost weekly, organizations both public and private report security breaches. Security has therefore become a top-of-mind issue.
When we consider the scope of IT and information security, the answer is now multi-topical. We must consider the broad array of handheld mobile devices, running multiple operating systems and manufactured by a multitude of vendors. Consideration also has to be given to emerging wireless data interception threats. And if that were not enough, we now have "the cloud" (data and services hosted on off-site servers and accessed via the internet), with all its related security implications and threats. It is easy to see why security is becoming a top-of-mind issue for CIOs around the world. The real question is what we do about the reality of today's IT security environment. This publication hopefully provides some practical answers to that question.
Actions to Consider Now
Biometric technology is on the cusp of being available to the mass market as a proven, reliable technology. Layered on top of existing user IDs and passwords as an additional factor, it substantially raises the cost of fraudulent use, though it does not eliminate it: a biometric can be spoofed, and unlike a password, a compromised fingerprint or face cannot be changed. These technologies largely rely on fingerprint or facial recognition as the basis for authorizing use. In addition, advances are being made in wireless communication encryption and in better-designed ATMs that shut down immediately upon any indication of machine intrusion.
Proactive Communicating and Educating Customers
Virtually everyone recognizes that IT data security is an evolving issue. Yet few organizations educate their customers about the types of threats out there and the organization's active efforts to mitigate them.
By communicating with customers, in relevant terms, about the security issues at hand and what is being done to mitigate them, an organization ensures its customers are no longer uninformed about the risks it is working to address. When done in a balanced manner, the appropriate level of openness and transparency can materially enhance a brand's reputation.
Customer Selected Risk Appetite
How can customers who interact with organizations mitigate their own security risk? Using banks as an example, it may be technologically feasible for customers to choose their own risk tolerance from a list of banking interaction options. A wealthy senior citizen might choose the lowest-risk option, with all banking conducted only inside a brick-and-mortar branch. By contrast, a millennial might choose a high-risk option that makes transactions available on any device of their choosing, along with storage of personal information on those devices. When customers choose among risk-based interaction options, they transact business with the organization while acknowledging the associated risk.
Embedded in this discussion is the topic of acceptable risk. IT innovation largely stays ahead of the IT security vendors, so consumers, unless told otherwise, assume their transactions are 100 percent secure through any interaction channel. Through appropriate customer communication, along with transaction processes that reflect their chosen risk appetite, customers would feel some level of control over their banking channel options.
A Future Course Strategy
The Data Safe
Within an organization, consideration should be given to an isolated data store behind multiple layers of firewalls, with no direct access for employees or the outside world. Data access is provided only through a single, tightly limited API that is monitored 24 hours a day. Since there is no true way to guarantee 100 percent protection against unlawful penetration, despite what vendors might claim, a new view of data and its security is necessary.
Using a banking example again, consider a customer going to an ATM to withdraw money. A back-end system provides the customer's account balance to the ATM, which then authorizes the withdrawal. Present-day ATMs load several programs and receive sensitive customer data from the back end, yet the ATM itself is a penetrable machine. With a data safe, the API would instead return to the ATM a simple "Y" or "N", keeping the sensitive account balance and authorization data inside the safe and away from the ATM.
The "data safe" paradigm represents an extreme consolidation of the data made available, with internal and external access mediated by the bank's firewall fortress. It also raises the question of whether too much customer data is being made available for access, and whether data is stored in too many accessible places. As described above, customers will have to decide how broadly their data is made available. This question again comes back to the concept of a customer's acceptable risk.
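As an added worked example (not code from the original article, and not any bank's actual system): the Y/N authorization call described above, modeled in Python, together with the customer-selected channel tiers from the "Customer Selected Risk Appetite" section. It contrasts the conventional flow, where the balance is shipped to the ATM, with a data safe that answers only allow/deny, records every call, and flags terminals that rack up denials. The account data, tier names, channel sets, terminal IDs and the denial threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set, Tuple

# Hypothetical channel sets per customer-selected risk tier. The tier names and
# channels are assumptions for this example; the article names no specific tiers.
TIER_CHANNELS: Dict[str, Set[str]] = {
    "branch_only": {"branch"},
    "standard": {"branch", "atm"},
    "any_device": {"branch", "atm", "web", "mobile"},
}


@dataclass
class Account:
    balance: Decimal
    daily_limit: Decimal
    risk_tier: str
    withdrawn_today: Decimal = Decimal("0")


def leaky_withdrawal_check(account: Account, amount: Decimal) -> Tuple[bool, Decimal]:
    """Conventional flow: the back end hands the balance to the ATM and the ATM
    decides locally. A compromised ATM therefore learns every balance sent to it."""
    return amount <= account.balance, account.balance


class DataSafe:
    """Isolated store reached through one narrow call that returns only yes/no."""

    def __init__(self, accounts: Dict[str, Account]):
        self._accounts = accounts          # never returned to a caller
        self.audit_log: List[dict] = []    # read by monitoring, never by an ATM

    def authorize_withdrawal(self, account_id: str, amount: Decimal,
                             channel: str, terminal_id: str) -> bool:
        """The single API: every check runs inside the safe; only a bool leaves."""
        acct = self._accounts.get(account_id)
        if acct is None:
            reason = "unknown_account"
        elif channel not in TIER_CHANNELS.get(acct.risk_tier, set()):
            reason = "channel_not_enabled_for_tier"   # customer's risk appetite
        elif amount <= 0:
            reason = "bad_amount"
        elif acct.withdrawn_today + amount > acct.daily_limit:
            reason = "over_daily_limit"
        elif amount > acct.balance:
            reason = "insufficient_funds"
        else:
            reason = "ok"
            acct.balance -= amount          # authorize and debit in one step
            acct.withdrawn_today += amount
        # The detailed reason stays in the safe's log; the terminal sees only Y/N.
        self.audit_log.append({"terminal": terminal_id, "account": account_id,
                               "channel": channel, "amount": amount,
                               "reason": reason})
        return reason == "ok"

    def suspicious_terminals(self, max_denials: int = 3) -> Set[str]:
        """Monitoring hook: terminals whose denial count reaches the threshold
        (the threshold is an assumed value for the example)."""
        denials: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry["reason"] != "ok":
                denials[entry["terminal"]] = denials.get(entry["terminal"], 0) + 1
        return {t for t, n in denials.items() if n >= max_denials}


def sample_accounts() -> Dict[str, Account]:
    """Constructed sample data: one 'standard' customer, one 'branch_only'."""
    return {
        "acct-1": Account(Decimal("500"), Decimal("300"), "standard"),
        "acct-2": Account(Decimal("9000"), Decimal("1000"), "branch_only"),
    }


def demo() -> dict:
    """Runs both flows over the sample data and returns the observable results."""
    accounts = sample_accounts()
    safe = DataSafe(accounts)
    out = {}
    # Leaky flow: the ATM receives the full balance along with the decision.
    out["leaky_exposes_balance"] = leaky_withdrawal_check(accounts["acct-1"], Decimal("100"))[1]
    # Data-safe flow: only booleans cross to the terminal.
    out["atm_ok"] = safe.authorize_withdrawal("acct-1", Decimal("100"), "atm", "atm-7")
    out["branch_only_at_atm"] = safe.authorize_withdrawal("acct-2", Decimal("50"), "atm", "atm-7")
    out["branch_only_at_branch"] = safe.authorize_withdrawal("acct-2", Decimal("50"), "branch", "branch-1")
    out["over_daily_limit"] = safe.authorize_withdrawal("acct-1", Decimal("250"), "atm", "atm-7")
    out["over_balance"] = safe.authorize_withdrawal("acct-1", Decimal("1000"), "atm", "atm-7")
    out["flagged_terminals"] = safe.suspicious_terminals(3)
    out["balance_after"] = accounts["acct-1"].balance
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the design choice in `authorize_withdrawal`: the specific denial reason is written to the audit log but deliberately not returned, so an attacker with control of the terminal cannot use reason codes to probe a balance or daily limit, and the monitoring side still has the detail it needs to spot a terminal generating repeated denials.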
This publication presents practical steps that can be executed now. The reality all consumers live with today is their level of acceptable risk. Despite constant efforts by the largest hardware and software vendors to maximize IT security, highly skilled attackers from around the world are opportunistically penetrating the most sophisticated software available. It is highly likely that this constant battle will continue.