CIO Digest

Christopher Leach, Chief Information Technology Risk Officer, First Horizon National Corporation

Fighting Phraud

First Horizon National Corp. chooses a global approach to fix phishing attacks

Christopher Leach, the chief information technology risk officer at First Horizon National Corporation in Memphis, Tennessee, didn't need to read the reports by the industry groups and analysts to know that phishing attacks were increasing. Complaints from customers and noncustomers were escalating, and the emails bouncing back to the bank's mail gateways due to invalid addresses were choking the system.

Soon, the IT workload at the bank, which employs 13,000 people at hundreds of branches in more than 40 U.S. states, surpassed the staff's ability to keep up.

At times, it seemed to Leach as if the majority of the 15,000 to 17,000-plus phishing reports filed monthly with the Anti-Phishing Working Group involved First Horizon. "What we're really selling is trust," he says, "so we had to do something. The nature of phishing attacks is global so we knew we needed a global approach to succeed."

Leach signed on for a month-long trial of Symantec's Online Fraud Management Solution. The result: Phishing attacks went from five million emails monthly to several hundred, only a few of which were ultimately received by customers.

"Symantec got in front of the attacks," Leach says. "For those few that did get through, we were able to focus our time and energy on remediation." More than one-and-a-half full-time employees, previously deployed to manage phishing fraud, are now redirected to more valuable activities.

Moving forward

Now, with an ever-evolving threat landscape that not only includes spear-phishing (attacks targeted at specific companies) but also vishing (attacks on VoIP), First Horizon has developed its own metric matrix to assess and manage risk. The matrix measures the customer impact should a system, application, or similar resource fail. Included are the legal and regulatory risks and impacts, risks to reputation, and overall threat environment, Leach says.

"The threat environment includes electronic threats such as active virus and worms as well as political and geopolitical threats, such as Homeland Security threat levels," he says.

Business processes are categorized. Within the categories, each technology is placed into criticality tiers.

"The higher a business process falls into a specific tier, the more controls are put in place to minimize and reduce any impacts," Leach explains.

Some risk is acceptable. "We work with the business to identify risks and determine what the company is willing to accept. We then work with the business to put mitigating controls in place to minimize and reduce any customer impacts," Leach says. With respect to law and regulation, risks are addressed by compliance.

©1995 - 2007 Symantec Corporation