Security Enforcement: The Threat of a Pop Quiz Works Every Time
When you joined the rest of the class the next Monday afternoon, all of you in the same situation (having not read chapter 14, or any of the previous chapters for that matter), you slipped into your seat and flipped open to chapter 14, the dreaded 1880s. You slid down further behind the big football player in front of you, hoping (upon hope) that the teacher didn't call on you to discuss the relevance of the Haymarket Square bombing and the Haymarket Affair. Then your American History teacher's voice rang out like a death knell across the room: "Class, close your books; we are having a POP QUIZ."
Now, here is a related story for all of you information security professionals out there who think you don't have to "study chapter 14."
The British version of our banking regulatory agencies, the Financial Services Authority (FSA), has for the first time issued a fine for lax security. That's right; a fine was imposed even though there wasn't any evidence that a breach had taken place.
The FSA fined the Merchant Securities Group, a stock broker, 77,000 British pounds for having poor security controls and not protecting client details properly. (That is equivalent to more than $150,000 US.) Imagine the fine that the FSA will impose on the next firm that actually has a data breach. Ouch, I'm betting it will be at least eight figures. Security experts warn that the FSA has used this firm as a warning, and the next fines may be much higher.
Is this the wakeup call for British financial services companies? Margaret Cole of the FSA states: "We will not wait until information has been lost or stolen before taking action against a firm."
When I hear words like those, I remember those April nights spent poring over my American history text struggling to prepare for that next pop quiz that thankfully never came. For the majority of students, the threat of a pop quiz was the only thing that worked.
The question here for our American financial services companies is: If your regulator came to your institution tomorrow, would you be able to pass the "pop quiz" on security controls and protecting client data?
If our American banking regulators take the same approach as the FSA, there may be many institutions that will have to spend more time preparing for their examinations. (I can't recall any U.S. institution being fined for lax security.)
For some students and companies, only the threat of a pop quiz - or a fine - will spur them into action.