In the week prior to this writing, two incidents involving banks and the security of their customer information became news items.
One was an outright scam: e-mail solicitations aimed at getting the customers themselves to disclose account information, targeting banks in Canada and the U.K. The other involved a Canadian bank and its disposal of obsolete servers that still contained sensitive data, servers that found their way, albeit briefly, onto eBay.
Both incidents revolve around the human factors in security. In the case of the scam, the perpetrators created Web sites that mimicked those of the target banks. They then employed the tools of the con man: e-mails purporting to be from the target bank, designed to exploit that most human of failings, gullibility, and fool people into divulging their account information.
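The counterfeit-site trick works because the address a reader sees in a message and the address the link actually opens need not be the same. The following is an added example, not something from the column or from either bank; it checks the links in an e-mail body against the domain the message claims to come from. The bank domain (examplebank.example), the sample message and the lookalike hostnames in it are all constructed for illustration.

```python
"""Flag links in an e-mail body whose real destination is not the bank's site.

Added example, not from the original column. The bank domain, the sample
message and the lookalike hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the domain of the bank the message claims to come from.
BANK_DOMAIN = "examplebank.example"

# Constructed sample message: a lookalike hostname that merely starts with the
# bank's name, an IP-literal host, and one genuine link to the bank.
SAMPLE_HTML = """
<p>Dear customer, please verify your account details:</p>
<a href="http://examplebank.example.verify-login.example/acct">www.examplebank.example</a>
<a href="http://192.0.2.10/examplebank/login">Secure login</a>
<a href="https://www.examplebank.example/privacy">Privacy policy</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    A plain substring test would accept 'examplebank.example.attacker.example';
    requiring the '.' + domain suffix does not.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def _host_shown_in_text(text):
    """If the visible link text looks like a URL or hostname, return that host."""
    shown = text.strip().lower()
    if "://" in shown:
        return urlsplit(shown).hostname or ""
    if "." in shown and " " not in shown:
        return shown.split("/")[0]
    return ""


def suspicious_links(html_body, bank_domain=BANK_DOMAIN):
    """Return a list of (href, reasons) for links that do not lead to the bank.

    Two checks per link: the real destination host must be under bank_domain,
    and any hostname shown in the visible text must match that real host.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if not same_site(host, bank_domain):
            reasons.append(f"destination host {host!r} is not under {bank_domain}")
        shown_host = _host_shown_in_text(text)
        if shown_host and shown_host != host:
            reasons.append(f"visible text shows {shown_host!r} but link opens {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("   ", r)
```

Run stand-alone it reports the first two links and lets the genuine privacy-policy link through. The suffix test in same_site is the part that matters: a lookalike host that merely begins with the bank's name is exactly what these scams used, and a substring match would wave it through.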
The second incident is a risk that many CIOs run when disposing of old equipment. Here the human factor played two roles. First, human error allowed the wrong pair of servers to be shipped out by the company engaged to sanitize and resell them, before their drives had been wiped. Second, the incident's severity was limited by the human intervention of the reseller who ultimately received the servers, and who, having discovered the data still intact on the hard drives, removed them from the eBay auction and notified the bank.
That last point was a lucky break. The reseller discovered the data, recognized it as a problem and was honest enough neither to expose it publicly nor to try to exploit it. It is not something you can rely on to rescue an insecure procedure; the procedure itself has to ensure that no drive leaves the building before its sanitization has been verified.
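One such verification step, offered here as an added example rather than anything the bank or its reseller used: before a drive is released, read it end to end and confirm it holds nothing but the overwrite pattern the sanitization tool was supposed to leave. The two disk images below are constructed in a temporary directory for illustration; on a real host you would point the same check at the block device itself.

```python
"""Verify that a drive (or its image) holds no residual data before release.

Added example, not from the original column. The sample images are
constructed below; on a real host pass the block device path instead.
"""
import os
import sys
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time


def find_residual_data(path, fill=b"\x00"):
    """Return the offset of the first byte that is not `fill`, or -1 if clean.

    A drive that was overwritten with a known pattern should contain nothing
    else; the first deviation marks where the wipe did not happen.
    """
    if len(fill) != 1:
        raise ValueError("fill must be a single byte")
    expected = fill * CHUNK
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return -1
            if chunk != expected[: len(chunk)]:
                # Locate the exact byte within this chunk for the report.
                for i, b in enumerate(chunk):
                    if b != fill[0]:
                        return offset + i
            offset += len(chunk)


def release_decision(path):
    """Gate for the disposal procedure: True only if no residual data was found."""
    return find_residual_data(path) == -1


def make_sample_images():
    """Constructed test data: one wiped image and one with a leftover record at 3 MiB."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "wiped.img")
    dirty = os.path.join(d, "unwiped.img")
    with open(clean, "wb") as f:
        f.write(b"\x00" * (4 * CHUNK))
    with open(dirty, "wb") as f:
        f.write(b"\x00" * (3 * CHUNK))
        # Fictional 32-byte fragment of a customer record that a wipe would have removed.
        f.write(b"ACCT=123456789;NAME=J. CUSTOMER\n")
        f.write(b"\x00" * (CHUNK - 32))
    return clean, dirty


if __name__ == "__main__":
    paths = sys.argv[1:] or list(make_sample_images())
    for p in paths:
        where = find_residual_data(p)
        verdict = "OK to release" if where == -1 else f"HOLD: residual data at offset {where}"
        print(f"{p}: {verdict}")
```

The check is deliberately slow: it reads every byte, which is the only way a single pass can say the wipe actually reached the whole drive. Two caveats a practitioner would add. It assumes the sanitization tool wrote zeros (pass a different `fill` for another pattern), and it only sees what the drive presents to the host, so it complements, rather than replaces, the sanitization tool's own verification and the paper trail recording which serial numbers were wiped before shipment.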
Chris Conrath's feature on security, The Buck Stops Here (see page 36), recognizes the daunting challenge security can represent for the CIO, but it also offers some useful advice for meeting it, and it makes the connection between security and privacy. The second incident described above is a good example of that connection: an insecure disposal process potentially compromised the privacy of customers, possibly in violation of Canada's privacy laws.
The incidents mentioned here both happen to involve banks. For the record, banks are generally rated highly for their security practices and their efforts to protect customer data; it makes plain business sense that they should be. They are also an obvious target and very public. But we are all vulnerable to some degree, and it is the human factors that seem to be the most difficult to manage.