Back in 1970, Walt Kelly’s comic character “Pogo” introduced the now famous quote – “We have met the enemy and he is us.” 35 years later, we ought to be thinking the same way about access to personal information over the Internet.
In the early days of Internet froth, the Social Security Division of the Federal government provided a full financial history to anyone who entered a social security number online. Maybe you entered your own. Maybe someone else entered a lot of other people’s social security numbers. All revealed the same wealth of personal information. A year later, that capability was shut down.
Yet today it’s not terribly difficult to find scanned images of mortgage documents over the Internet. Just look at town clerk web sites throughout the country and you’ll be able to download loan document images and find social security numbers, work histories, previous residences, income sources, investments and more.
Lest we lean back smugly in our office chairs, think of the last board packet your institution emailed to its directors. Most likely it consisted of text and spreadsheet files. Most likely this information was not encrypted or password protected in any way. How many mortgage papers were in those files? How many employee names? How much confidential information about your institution’s financial health?
We could cite example after example of lapses in our collective security of personal information, but the point is this: if we really believe that we must protect personal information from disclosure over the Internet, we need to attack the problem far more aggressively.
Five years ago, the financial industry breathed a sigh of relief at the passing of Y2K. We had survived a year-plus effort to catalog all the systems and programs vulnerable to date problems once the year rolled from 99 to 00. We need the same effort to stop the disclosure of personal information over the Internet.
This won’t be as tough on the financial industry as it will be for unregulated businesses and individuals. Banks and credit unions already have a security focus and the annual examination process grows tighter every year.
The biggest black hole in securing personal information lies in the policies and practices of our unregulated brethren who justify their weaknesses with claims of ignorance, thoughtlessness or just plain stupidity. While the excuses rain down like crocodile tears, the risk of fraud is rising.
To regain control of the situation, we need to:
There is no rug to sweep breaches under. Prevention and containment need to be active management programs that are understood by all employees.
Just as we dig for operational efficiencies and expense control, we need to dig for opportunities to increase security. Criminal minds never stop trying to break the system. We can’t afford to stop anticipating the next criminal exploit.
Customers are excellent canaries in our information mineshafts for phishing and other spam-based exploits. At the same time, customers are also the unregulated folks who allow exploits to flourish by opening infected emails and not patching their PCs. By encouraging safe security practices at our customers’ sites, we help the banking industry by restricting opportunities for fraud.
We can be our own best enemies as well as our own best friends, and ignoring either possibility increases our vulnerability. Said differently, if we ignore our capacity for error, we miss opportunities that fraudsters will eventually exploit. If we ignore our strengths, we eliminate resources that can prevent and contain an attack.
We’ve cited “takeaways” from Pogo as well as Y2K. But another event speaks to our potential for breach – September 11, 2001. Until that date, America regarded terrorism as something that happened in faraway lands. Our border security was lax. Our airport security was lax. Our Internet security was lax. After September 11, we began to understand our vulnerability.
Knowing what we know now, we need to ask ourselves one question when we look in the mirror: Do we see an ally or an enemy in the war against security breaches and fraud?