Meeting the Enemy in the Mirror
By John Jaser,
Internet Services Manager
Back in 1970, Walt Kelly’s comic
character “Pogo” introduced the now
famous quote – “We have met the enemy
and he is us.” 35 years later, we ought
to be thinking the same way about access
to personal information over the
Internet.
In the early days of Internet froth, the
Social Security Division of the Federal
government provided a full financial
history to anyone who entered a social
security number online. Maybe you
entered your own. Maybe someone else
entered a lot of other people’s social
security numbers. All revealed the same
wealth of personal information. A year
later, that capability was shut down.
Yet today it’s not terribly difficult to
find scanned images of mortgage
documents over the Internet. Just look
at town clerk web sites throughout the
country and you’ll be able to download
loan document images, find social
security numbers, work histories,
previous residences, income sources,
investments and more.
Lest we lean back smugly in
our office chairs, think of the last board
packet your institution emailed to its
directors. Most likely it consisted of text and
spreadsheet files. Most likely this information
was not encrypted or password protected in any
way. How many mortgage papers were in those
files? How many employee names? How much
confidential information about your
institution’s financial health?
We could cite example after example of lapses in
our collective security of personal information,
but the point is this: if we really believe that
we must protect personal information from
disclosure over the Internet, we need to attack
the problem far more aggressively.
Five years ago, the financial industry breathed
a sigh of relief at the passing of Y2K. We had
survived a year-plus effort to catalog all the
systems and programs vulnerable to date problems
once the year rolled from 99 to 00. We need the
same effort to stop the disclosure of personal
information over the Internet.
This won’t be as tough on the financial industry
as it will be for unregulated businesses and
individuals. Banks and credit unions already
have a security focus and the annual examination
process grows tighter every year.
The biggest black hole in securing personal
information lies in the policies and practices
of our unregulated brethren who justify their
weaknesses with claims of ignorance,
thoughtlessness or just plain stupidity. While
the excuses rain down like crocodile tears, the
risk of fraud is rising.
To regain control of the situation, we
need to:
1. Take security breaches seriously.
There is no rug to sweep
breaches under. Prevention and containment need
to be active management programs that are
understood by all employees.
2. Relentless pursuit of security.
Just as we dig for operational
efficiencies and expense control, we need to dig
for opportunities to increase security. Criminal
minds never stop trying to break the system. We
can’t afford to stop anticipating the next
criminal exploit.
3. Enlist customers in the security effort.
Customers are excellent
canaries in our information mineshafts for
phishing and other spam-based exploits. At the
same time, customers are also the unregulated
folks who allow exploits to flourish by opening
infected emails and not patching their PCs. By
encouraging safe security practices at our
customers’ sites, we help the banking industry
by restricting opportunities for fraud.
We can be our own best enemies as well as our
own best friends, and ignoring either
possibility increases our vulnerability. Said
differently, if we ignore our capacity for
error, we miss opportunities that fraudsters
will eventually exploit. If we ignore our
strengths, we eliminate resources that can
prevent and contain an attack.
We’ve cited “take aways” in Pogo as well as Y2K.
But another event speaks to our potential for
breach – September 11, 2001. Until that date,
America regarded terrorism as something that
happened in far away lands. Our border security
was lax. Our airport security was lax. Our
Internet security was lax. After September 11,
we began to understand our vulnerability.
Knowing what we know now, we need to ask
ourselves one question when we look in the
mirror: Do we see an ally or an enemy in the war
against security breaches and fraud?