Friday, June 29, 2012

Is the Future More or Less Secure?

The Economist online is currently hosting a debate about cybersecurity and specifically the question of whether we are headed for a more or less secure world as interconnectivity increases. My vote is "no" for the following reason which I posted to their debate site:
It would be quite difficult to compromise security if we each existed entirely in our own hermetically-sealed network like an egg in a carton or a standalone PC on a desk. Each connection with the outside world creates a perforation in the egg shell and creates a security risk in the form of a point of potential compromise. The perforation can be compromised or the "tube" connecting me to the next "egg" can be compromised. Further, the "egg" I'm connecting to can be compromised. Or an "egg" connected to the one I'm connected to can be compromised. As you can imagine, hyperconnectivity increases the number of points of potential compromise exponentially with time. 
Our current risk-mitigation approach tries to hermetically seal all the perforations, joints, and pipes by wrapping them in a "fortress firewall." This becomes exponentially more difficult with the increase in points of potential compromise. Attacks are inevitable, as are compromises until and unless our approach to risk mitigation shifts from a "fortress firewall" approach to one in which we can examine, wrap, and filter actual bytes of information as they float around cyberspace. 
While I don't know what this approach will look like in practice, I predict it will include a strong focus on data provenance. Imagine an "HTTPS 2.0" in which we not only wrap packets of data in an encrypted security layer, but also give that packet the ability to either reveal its contents or self-destruct based on who/what/where/when/WHY it is accessed. 
Until then, data security risk shall continue to increase.

Tuesday, April 10, 2012

Did You Know? ... The Makeup of the US Financial Services Industry

This is the first of a new "Did you know?" category of posts which will appear periodically on this blog. These brief posts will contain industry statistics relevant to risk and financial crime management.

Quite often, both in the Consulting arena and in Financial Services, analyses require an understanding of the industry. Hard statistics are often ... well ... hard to come by. My intention is to provide a quick public point of reference for this type of information.

Statistics posted here will carry a source URL link, as you can see below, or a citation.

Today's stats relate to the overall size and makeup of the US Financial Services industry. According to a recent report by the Department of Homeland Security:

1. Deposit and payment systems and products ($12 trillion in assets; 17,000 depository institutions)
2. Credit and liquidity products ($14 trillion in assets; many thousands of credit and financing institutions)
3. Investment products ($18 trillion in assets; 15,000 providers of investment products)
4. Risk-transfer products ($6 trillion in assets; 8,500 providers of risk-transfer products)

Thursday, January 12, 2012

Quote of the Day: KYC --> EPS

An organization that positively knows its clients can obtain a commercial advantage over rivals.
- KPMG, Anti-Money Laundering Compliance in a Changing Risk and Regulatory World

Thursday, January 5, 2012

Food for New Year's Thought: The Future of Banking

Every consultant worth his salt is busy trying to write something prescient on the future business model for banks. GLG Research recently published a report calling out the following key parameters, with a focus on retail banking:
1. Peer-to-Peer (P2P) Lending: An advanced technology that eliminates middlemen and directly connects borrowers and lenders.

2. Prepaid General Purpose Reloadable (GPR) cards: In return for modest commissions, a global agency network of convenience stores and retailers are now enabling cards to be “loaded” with cash. When equipped with remote deposit check capture, direct deposit, bill payment and ancillary credit, savings and investment accounts, these cards make traditional bank branching redundant. eWallets such as those touted by ISIS, Google, Visa, Amex, Paypal and FaceCash are the offspring of GPR built on the same infrastructure; similar economics but a different, arguably more convenient, access device.

3. Social Media: Social media like Facebook and LinkedIn can offer insight into customer behavior that can be applied to enhance customer acquisition, retention, and even underwriting (http://www.freepatentsonline.com/20110112957.pdf).

Banks which are early movers in this area have a great opportunity to reverse the post-2007 profitability decline. Success, in my opinion, will depend on three things:
  • Getting it done quickly
  • Getting the customer experience right
  • Getting the risk management right

Those aims are, in many areas, conflicting. A balancing act is required. Wading too timidly into these areas might cause impatient "early adopter" customers to defect, or at least decrease their activity level. Making a big splash in these areas without consideration of risk factors invites the wrong kind of customers and is sure to balloon losses.

Critical to all three of these emerging trends are the "Three Risk-Management A's of Next-Generation Banking":
  1. Analytics: Collecting the necessary data about behavior as well as customer preferences to objectively understand and address behavior in a consolidated, risk-based, customer-centric manner
  2. Authorization: Making an informed, risk-based decision about what the bank allows the customer to do
  3. Authentication: Making sure the transaction is being done by the customer, not a fraudster

Periodically on this blog, I will individually look at these trends, highlighting the risk implications for the future banking business model.


Tuesday, December 27, 2011

Employee Fraud Thanks to the Cloud

Peer-to-peer and cloud-based file sharing may have been designed by punk kids to get free music, but now some of those punk kids are punk employees of the world's financial institutions. They have not forgotten their craft, according to the Federal Trade Commission:

"when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network. ... we found health-related information, financial records, and drivers' license and social security numbers--the kind of information that could lead to identity theft."
-- FTC Chairman Jon Leibowitz on the FTC's website.

A very small fraction may intentionally use these technologies to steal sensitive or private information about the institution or its clients, but a far larger number are unwittingly exposing this information to the open Internet.

Coverage also at the Washington Post.

Many of my clients block P2P clients and websites, as well as related traffic, on company-owned PCs inside the institution's firewall. PCs on desks in offices are probably safe. But before you pat yourself on the back, make sure you're looking at all potential exposure points. Wherever there's a hole punched in your corporate firewall, there's a potential loss. Ask yourself two questions:
  1. Is the same level of protection and surveillance being placed on VPN, email, webmail, virtual web conferencing, mobile email, and all other devices and channels that span your firewall DMZ?
  2. Is your monitoring / blocking technology based solely on the sources and destinations of traffic (e.g., "safe" and "prohibited" IPs), or does it also inspect content? Perfectly benign channels such as email or virtual web conferencing usually allow files to be transmitted outside the institution in order to facilitate essential communication and collaboration. Can you, without killing these valuable tools, control WHAT data is transmitted?

If not ... time to make a little space on the roadmap for new controls.
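To make question 2 concrete, here is an added example (not code from the original post or from any product) contrasting a destination-only egress check with a content-aware one over the same set of outbound transfers. The sample transfers, the blocked destination, and the detection patterns (SSN format rules, a Luhn check for card numbers, a "routing number" keyword) are all constructed for illustration; a real deployment would pull its patterns and blocklist from the institution's own policy.

```python
import re

# Constructed sample of outbound transfers that cross the perimeter through
# otherwise "benign" channels (assumed record fields: channel, dest, body).
SAMPLE_TRANSFERS = [
    {"channel": "email", "dest": "partner.example.com",
     "body": "Quarterly summary attached, see you Monday."},
    {"channel": "webconf", "dest": "meeting.example.net",
     "body": "Client record: SSN 078-05-1120, routing number 123456789"},
    {"channel": "p2p", "dest": "203.0.113.10",
     "body": "song.mp3 chunk 17 of 40"},
    {"channel": "webmail", "dest": "mail.example.org",
     "body": "Card on file 4111-1111-1111-1111 exp 12/14"},
    {"channel": "email", "dest": "partner.example.com",
     "body": "Ticket 000-12-3456 closed; order 1234-5678-9012-3456 shipped"},
]

# Assumed destination blocklist (203.0.113.0/24 is a documentation range).
BLOCKED_DESTINATIONS = {"203.0.113.10"}

# Constructed content patterns; each hit is validated before it counts.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
ROUTING_RE = re.compile(r"\brouting number\W*(\d{9})\b", re.IGNORECASE)


def valid_ssn_format(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for validated sensitive data found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn_format(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            findings.append(("card", m.group(0)))
    for m in ROUTING_RE.finditer(text):
        findings.append(("routing", m.group(1)))
    return findings


def destination_only(transfer: dict) -> str:
    """The source/destination-only control: looks at where, never at what."""
    return "block" if transfer["dest"] in BLOCKED_DESTINATIONS else "allow"


def content_aware(transfer: dict) -> tuple:
    """Destination check first, then inspect the payload itself."""
    if transfer["dest"] in BLOCKED_DESTINATIONS:
        return "block", [("destination", transfer["dest"])]
    findings = find_sensitive(transfer["body"])
    return ("block" if findings else "allow"), findings


def compare(transfers: list) -> list:
    """(channel, destination-only verdict, content-aware verdict) per transfer."""
    return [(t["channel"], destination_only(t), content_aware(t)[0]) for t in transfers]


if __name__ == "__main__":
    for channel, by_dest, by_content in compare(SAMPLE_TRANSFERS):
        print(f"{channel:8s} destination-only={by_dest:5s} content-aware={by_content}")
```

The destination-only control catches only the P2P transfer to a blocked address; it waves the SSN, the routing number and the card number through because webconf, email and webmail are all "safe" channels. The content-aware control blocks those three while still allowing the last message, where the validity checks stop an SSN with area 000 and a 16-digit order number that fails Luhn from becoming false positives.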