Sometimes it takes multiple views to really bring a subject into focus.
For financial institutions looking to improve their data protection operations, the findings of the latest Symantec Internet Security Threat Report, Managed Security in the Enterprise Report, and State of the Data Center Report shed light on an increasingly important trend: the decision to outsource IT security.
This article shows how the growth in cyber attacks, mounting losses, the difficulty of providing security, and staffing issues are creating the impetus for IT to adopt managed security services.
By any measure, 2008 was a banner year for cyber-criminals.
In fact, if the latest Internet Security Threat Report is any indication, cyber-criminals have never been busier.
According to Volume XIV of the report, issued in April, attackers released Trojan horses, viruses, and worms at a record pace in 2008, primarily targeting computer users’ confidential information, in particular their online banking account credentials. Specifically, Symantec documented a record 1.6 million instances of malicious code on the Web in 2008. That compares with 624,267 instances in 2007.
Vincent Weafer, Symantec’s vice president of security content and intelligence, put these numbers in perspective in an interview with Reuters.
“Sixty percent of all the [malicious code] threats in the past 20 years came in the last 12 months alone,” Weafer said.
The latest Threat Report portrays a bustling underground economy that is increasingly becoming a self-sustaining system, where tools specifically developed to facilitate fraud and theft are freely bought and sold. These tools are then used for information theft that can be converted into profit to fund the development of additional tools.
“In 2008, 78% of confidential information threats exported user data and 76% used a keystroke-logging component to steal information such as online banking account credentials,” the report said.
Consider the recent compromise of 20 ATMs in Eastern Europe. UK-based Trustwave reports that malware was able to “capture magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on a compromised ATM.”
The ATMs ran Microsoft’s Windows XP operating system.
According to Trustwave, the malware contained advanced management functionality allowing attackers to gain full control of the compromised ATM through a customized user interface built into the malware. This was accessible by inserting controller cards into the ATM’s card reader.
Said Trustwave in a press release: “This malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, PINs, and cash from each infected machine.”
“The fact is, there has been a staggering increase in malware,” says Grant Geyer, Vice President of Managed Services at Symantec. “And it’s not about hacking to gain notoriety. It’s about financial gain. It’s about stealing credentials to sell on the underground economy.”
Small wonder, then, that IT management in large enterprises “is caught between a rock and a hard place,” says Geyer. “Cyber-security is a growing problem, yet organizations are having trouble addressing it.”
Geyer cited a data breach study released by the Ponemon Institute last year which found the average cost of a data breach to be $6.6 7 million, or $202 per consumer record.
According to the latest Managed Security in the Enterprise Report, nearly all of the 1,000 organizations surveyed (98%) have experienced tangible losses as a result of cyber-attacks in the past two years. The top reported loss areas were downtime, cyber-fraud, and theft of confidential information. And organizations expect attacks to increase in the next two years.
Half of those surveyed (49%) also reported that it’s getting somewhat or significantly more difficult to provide IT security. The reasons cited include inadequate budgets, increased regulatory pressures, and staffing woes.
“The data center is at a crossroads,” says Geyer. “Companies are asking IT to pursue dozens of initiatives with fewer resources. The message is: Do more with less.”
Think how security at branch offices is evolving. It has traditionally focused on protecting access to cash. But many retail banks are removing cash from their branches and making withdrawals available only through ATMs. With an increased need to extend interactions with customers, branches are now storing such data as mortgage simulations, account statements, insurance policies, etc. All of this customer information needs to be protected, creating new security challenges.
Security staffing difficulties
IT security staffing is also proving particularly problematic. The Managed Security in the Enterprise Report found that two-thirds of the organizations surveyed said they are understaffed when it comes to security.
The most significant problems affecting staffing are finding applicants with security skills, the availability of funds to hire, retaining employees, and layoffs.
Exacerbating the problem: the existing staff’s skill sets are too narrow, and it’s difficult to retain the best security staff.
“The current economic situation is generating layoffs, and expertise is hard to come by,” says Geyer.
Layoffs also raise the specter of confidential information walking out the door. Recently, both Goldman Sachs and UBS filed charges against former employees who allegedly stole proprietary computer code considered key to their high-speed trading programs. A recent survey by Symantec and the Ponemon Institute found that 59% of employees who lost or left a job last year stole confidential company information.
And don’t underestimate the pressure to cut costs. In many ways, the phrase “doing more with less” could be part of IT’s job description these days, according to the latest State of the Data Center Report.
For this report, Symantec spoke with data center staff in 1,600 companies worldwide. When they were asked to identify their key objectives for the year, reducing costs was by far the most frequently mentioned objective. In fact, reducing costs was mentioned by more companies than the next two objectives combined (improving service levels and improving responsiveness).
The report found that attention has turned to initiatives that will drive immediate cost reduction, rather than longer term ROI-driven programs.
Not surprisingly, the State of the Data Center Report also found that staffing is a big issue, with 36% of the respondents saying they are understaffed. Furthermore, 43% said finding qualified applicants is a “big” or “huge” problem.
With IT’s ability to provide complete security proving more challenging every day, it’s only natural that more and more companies are considering outsourcing.
In fact, more than 60% of those surveyed for the Managed Security in the Enterprise Report are embracing managed security services to bridge the security gap. The reasons cited by IT management include the ability to provide 24x7 coverage, lower overall costs, access to security expertise, and an enhanced ability to mitigate security risks.
Nearly half of those surveyed by the State of the Data Center Report said they outsource primarily to give data center staff more time to focus on other tasks. The top three IT functions that businesses are outsourcing are business continuity (46%), backups (43%), and storage management (39%).
Among the benefits of managed security services:
- Minimized risk. Managed services offer 24x7 security monitoring and proactive testing against threats, so institutions can leverage security coverage that might otherwise be cost-prohibitive.
- Reduced, predictable costs. As with any managed service model, there are fewer technology and human resource outlays. And institutions benefit from process efficiencies; for example, compressing and deduplicating email messages for lower storage requirements.
- Better results. Managed security provides state-of-the-art security and compliance technology and the expertise of security professionals. That means fewer security mishaps while meeting strict service-level commitments.
- Improved vendor management. The required monitoring, analysis, and reporting across the entire vendor chain can be easily accomplished through managed services. Institutions can be assured that their partners comply with even the most complex regulatory landscape. That’s important to keep in mind as regulators don’t distinguish between banks and their vendors when it comes to security.
“We find that often companies don’t have the level of expertise to quickly demonstrate an ability to comply with regulations and internal controls,” Geyer says. “Managed security services are a means of achieving consistent security.”
IT departments worldwide are struggling with rising cyber-attacks, mounting losses, the increasing difficulty of providing security, and staffing issues. Recent surveys by Symantec suggest these trends will continue.
As one of the primary industries targeted by criminals with malicious computer security threats, the financial services industry is under constant pressure to mitigate its exposure. For an increasing number of financial institutions, managed security services are helping maintain their reputation for providing a trusted security environment for their customers.