Information Security: Are You Prepared to Answer Your Customers' Questions?
So, here it is - a question that has been on my mind since the very first time I saw my bank's name in the press, citing some sketchy details about a system compromise. I expected a phone call from someone working in the bank's super-mega-call center, reading from a script written by some marketing genius. Something to the tune of 'How sorry we are. We take our customers' security very seriously'... blah, blah. You know the drill. Anyway, the call never came. Not even a form letter. I was kind of disappointed. I wanted to see how my bank reacted to this so-called compromise that the press was talking about.
Having been in this industry, I gave my bank the benefit of the doubt that they had appropriate monitoring practices in place, providing them with enough information to ascertain with confidence that my account was not among the ones that had been 'compromised.' Hence, no call! Not even a form letter clarifying what the press was talking about.
Well, that was then! This year alone I have received about a half-dozen notices either from my bank or some type of transaction-processing company they use. These notices range from 'We suspect a breach' to 'We take our customers' security seriously' and everything in between. I doubt I am the only unfortunate customer to receive so many notifications from banking institutions. Rather, I am one of the hundreds of thousands of customers to receive such notifications.
So, here's the question I've had for years now (and the recent audit reports from the Government Accountability Office on the FDIC (FDIC Cited for Repeated Security Weaknesses) and the regional Federal Reserve Banks (Federal Reserve Banks Cited for Security Deficiencies) reminded me of my evil thoughts): What if I walk over to the bank I have been with for the last number of years and ask them about a statement of their information security practices?
I am not looking for a 'We take our customers' security seriously' type statement. I am thinking about seeking something akin to what a banking institution would ask of its third-party service providers (TSPs) to assess the fitness of their information security program. Something material, something that shows due diligence on my bank's part when it comes to protecting the information with which I have entrusted them. I think of my bank as a service provider to my family. I am a customer. Shouldn't I have, as some of our marketing friends say, 'privileges' to inquire about the health of my information, of which the banks are custodians?
During the past couple of weeks, we have heard some water-cooler discussions on some of the items noted in the GAO reports from their audits of the FDIC and the regional Federal Reserve Banks. Yes, there is some work that needs to be done. There always is after an audit! The most interesting aspect of these audits, in light of the point I raised above, is that they are transparent. They provided us with information on what needs to be done at these agencies with regard to information security controls.
Back to wearing my banking customer hat for a moment - I want similar transparency, even if not to the same degree, from the banking institutions on the fitness of their information security practices.
So, there you have it. I have said it after thinking about it for years! When I say 'I want similar transparency...' I get a sense that I am not alone. I happen to be in the industry and understand the intricacies and the challenges of providing such information. An average customer doesn't, and they don't have to understand. It's only a matter of time, though, before we start fielding requests from customers about information security practices. It could be at the time they receive another notification from their bank, or the next time they read about a missing tape. 'We take our customers' security seriously...' will be so 1869 before we know it. It will be time for some hard facts.
Borrowing words from a banker friend of mine, 'The word banking is synonymous with trust.' Maintain this trust before it starts fading away.
Let me get back to work on rebuilding those friendships until I come up with some other crazy ideas.