TJX Case Indictments: Lessons Learned
These criminal activities perpetrated by these individuals had a great deal of impact on the banking institutions - a different impact, in some ways, than the actual incidents had on the retail outlets. Take a look at some of the comments one of the stories received on this topic earlier during the week, and you will get a glimpse of the sentiments held among bankers throughout the country.
I have put together a list of 'Lessons Learned' from our team's point-of-view. Thousands of people who frequent BankInfoSecurity and CUInfoSecurity every week must have some additional lessons they learned. Please send these along. I am quite sure everyone in this community will be thankful. I know I will.
You will spend years building trust among your customers. It can be ruined in a matter of minutes.
Protect Customer Trust.
You will spend years building trust among your customers. It can be ruined in a matter of minutes - and at times through no fault of your own. Trust is fragile! Your institution's existence is dependent on it. Ok, if you have any doubts - here is a recent incident to jog our memory - IndyMac customers withdraw $1.3 billion in a week
KYC - Know Your Customers. It's second nature to bankers. One must know who they are dealing with. In recent times, BSA and other regulatory requirements have reminded banking institutions of the importance of knowing one's customers. Don't think of this as another regulatory checkmark. The extent of 'Know-Your-Customer' process, formal as well as informal, must match each customer's risk profile.
KYV. Disclaimer - I haven't seen this acronym used anywhere, so I will claim it. Know Your Vendors - There has been more regulatory guidance on this topic just in the past six months than I can remember in years preceding it. Let's accept it - this will be one of the biggest vulnerabilities for a majority of institutions for years to come. Understand the steps each and every vendor takes to protect your information. Sorry, I take it back - it's NOT your information. You are simply a custodian of that information, and you have an obligation to your customers to protect that information.
KNE. While I am at it, I will claim another acronym - KNE - Know Your Employees. At the end of the day, the fitness or effectiveness of a control is dependent on your employees. I am amazed that in this day and age there are still organizations out there who do not even conduct background checks while hiring employees handling their customers' sensitive information. This is not about being Big Brother. It's about due diligence. We don't leave our children with babysitters we don't know, or do we?
Technology can make your information more secure. Not always. There are technologies we use to enable business processes. There are technologies we use to implement security controls. Each one of these can have their own set of vulnerabilities. Understand these vulnerabilities, and remediate accordingly. Remember - the use of wireless technologies in an "un-secure" state is at the crux of TJX and other related incidents mentioned above.
Know your weakest link. Either mitigate or accept the risk. Not understanding the level of risk your organization is accepting is not an option.
Educate your customers. It will help you more than you can ever imagine. It's always easier for a criminal to target the most technically challenged consumers and businesses. If you have doubts, take a look at the number of phishing attacks still seen on a daily basis. Recently, the focus has shifted to target customers of community financial services organizations, the trusted authorities in their respective communities.
Educate your employees. They are the first line of defense. They are also the first ones to take a notice of suspected incidents, be it a social engineering attack against your organization or a weak control at one of your outsourced vendors.
Last but not the least, history tells us that it will repeat itself. There will be similar incidents in the future. An overused clichÃ© comes to mind, still holds in this case - It's not a matter of if, it's simply a matter of when.
There is no guarantee that these lessons learned will prevent these incidents from happening in the future. However, there is a fair chance that, being better prepared, we will be in a position to defend our organization somewhat better than we did this time around. That's my definition of risk management!