Keeping Trust Alive

By Mathieu Balez

In meeting rising data security threats, financial institutions must strike a balance between increasing security measures and not compromising the customer-centric ease-of-use that makes online services so compelling.

Context

In the late 90s, as the Internet began to settle into the mainstream and pervasive medium it is today, financial institutions successfully drove large volumes of clients to a new suite of web-based services designed to largely supersede the need for a consumer to ever set foot in a physical bank. In so doing, these firms dramatically reduced their cost per transaction while at the same time increasing overall client satisfaction. High satisfaction levels were, and still are, driven by the extreme convenience and ease-of-use that customers experience when paying bills, transferring money, buying stocks and even applying for mortgages from the comfort of their home offices, all thanks to the wonders of electronic technology. Despite this tremendous convenience, web-based financial services would scarcely have been adopted if reliability had been poor and security perceived as questionable. Establishing consumer trust was key. Early on, the encryption built into web browsers (SSL, the predecessor of today's TLS) served to assuage most concerns, and trust has generally been strong ever since. New threats to data security, however, suggest that it may be time for financial institutions to revisit their online strategies.

The Problem

The most recent Deloitte study of global security threats indicates that information security has never been under attack as severely as it is today. The numbers are alarming. 100% of Canadian financial institutions surveyed reported having experienced at least one security breach in the past year. Of these, 78% experienced attacks from outside the organization (an increase of more than 50% since 2005) while 49% reported at least one internal breach (up 35% from 2005). These attacks typically involved phishing emails, fraudulent web pages, malicious software, or the outright theft of servers and laptops containing sensitive customer information.

Such electronic security threats, which are increasing in sophistication every day, contribute significantly to identity theft and extortion - crimes which exact a large toll on the economy. In fact, the US Federal Trade Commission estimates that identity theft alone costs businesses and financial institutions up to $48 billion annually. And don't expect the problem to go away any time soon. In our increasingly networked society, more and more transactions are being completed online, exposing users and institutions to greater and greater risk. Further, the proliferation of mobile and wireless devices brings with it a whole new set of potential threats and concerns. Most importantly, these rising threats to data security have the ability to destroy in one fell swoop the built-up consumer trust that has contributed so integrally to the growth of electronic commerce over the past decade.

Potential Solutions

One approach to addressing the spectre of escalating information security threats might be for financial institutions to increase security measures on the client side. This would entail building into their web offerings some form of "multi-factor" authentication, i.e. requiring something beyond a username and password, such as a one-time code or a hardware token. A second factor defeats the simple theft or guessing of passwords, though it does not frustrate every attack: a fraudulent web page can still capture a one-time code and relay it to the real site while it is valid. There is, moreover, a significant hazard with this solution. Anything that renders the online user experience more cumbersome risks alienating the large majority of clients who have adopted electronic commerce primarily for its ease of use. Such an approach may also inhibit the further growth of online banking into customer segments that have thus far been skeptical of electronic technology. Financial institutions must thus approach very cautiously any changes that may be perceived as negatively impacting the customer experience.

As an alternative solution, institutions might consider the adoption of new information security standards recently developed by the International Organization for Standardization (ISO). ISO 27001, published in October 2005, specifies over 100 controls for enhanced data security throughout the organization. It should be noted that, more than simply adopting new technology, this strategy requires the involvement of the entire enterprise, mandating specific approaches to the assessment, identification and treatment of risk, as well as monitoring and continuous improvement. Because the standard certifies a management system rather than a product, the scope of the certification can be limited to only those internal divisions and processes that are deemed most crucial. In this way, measures can likely be adopted with minimal impact on the customer experience if so desired. While these new standards remain largely unproven, large players in the industry have already made their move. In March 2006, the Federal Reserve Bank of New York became the first U.S. organization to be certified to ISO 27001. Despite their newness, the increased adoption of standards in the financial industry would at minimum send a clear signal to consumers that institutions are prepared to change themselves in order to face mounting information security challenges head on.

Concluding Thoughts

Unfortunately, the rising threats to data security we currently observe are likely only to increase over time. While these threats have the potential to significantly erode the consumer trust that is required for the continued success of online services, financial institutions must be wary of implementing measures that will negatively impact the simple user experience that has made electronic commerce so pervasive to date. An emerging opportunity exists to strengthen internal information security practices through standards-based improvements, though these new measures remain relatively unproven. Striking the correct balance between toughened security measures and continued ease-of-use constitutes one of the most interesting and important strategic issues facing financial institutions in the years to come.