Diving into the FFIEC Guidance & What the Future will Undoubtedly Hold
Last week, the FFIEC issued a new supplement to the 2005 “Authentication in an Internet Banking Environment Guidance.” Congratulations to the FFIEC on a much-needed update, to say the least — especially considering the incredible advances made in the online criminal community over the past few years and the associated breaches and fraud attacks occurring on a near-daily basis. That said, a number of experts in the security community believe the FFIEC guidance fell short in several areas. As reported by Bank Information Security, while leading analysts like the improvement, many point out several shortcomings, including the lack of guidance concerning the mobile and call center channels. Further, they say, ambiguous wording will make enforcement a challenge. Entrust CEO Bill Connor agrees, citing that, in the end, it does not provide the concrete actions required to help stop the advanced fraud threats facing financial institutions today. While the guidance is very prescriptive in some areas — a vast improvement over the 2005 version — what it lacks is consideration for the future. What threats will evolve in the coming months? The coming years? Of course, no one can be certain. But what we do know is that these threats will evolve quickly to circumvent the security solutions that many banks will soon deploy to address this new FFIEC supplement. And where will we be then? Frankly, bank accounts will be compromised, commercial and non-profit organizations will lose money and possibly go bankrupt, and the FFIEC will have its back against the wall, reluctant to issue a new supplement. So, what to do? What can we learn from the new supplement to ensure the investments we make in security upgrades will be “future-proofed” and able to cope with evolving attack vectors? Well, I think there are several clues contained within the guidance that will help.
- Layered security is the foundation for an effective fraud program — Deploy a program that has various types of security controls, at different points in the transaction process, and ensure those controls align with the risk/consequence of a breach. In addition, deploy controls for functions beyond transactions to include system administration privileges.
- Monitor your online systems for suspicious/abnormal activity and anomalies — Seek patterns that either suggest a customer is “behaving” differently than usual or are indicative of active fraud techniques.
- Conduct frequent risk assessments and adjust security controls to meet evolving fraud threats.
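As an added illustration (not code from the post or from Entrust's product), here is a small Python sketch of the monitoring and layered-response idea in the three points above: a per-customer baseline, a handful of weighted anomaly indicators, and a response that escalates from allow to step-up authentication to a hold with out-of-band verification. The customer history, indicator weights and thresholds are constructed for the example and would need tuning against real fraud data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transfer:
    amount: float
    device_id: str
    country: str
    hour: int
    new_payee: bool

# Constructed history for one hypothetical customer: five routine domestic transfers.
HISTORY = [
    Transfer(100.0, "dev-A", "US", 19, False),
    Transfer(150.0, "dev-A", "US", 20, False),
    Transfer(120.0, "dev-A", "US", 18, False),
    Transfer(130.0, "dev-A", "US", 21, False),
    Transfer(100.0, "dev-A", "US", 19, False),
]

def baseline(history):
    # Summarise what "normal" looks like for this customer.
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,  # guard against identical amounts
        "devices": {t.device_id for t in history},
        "countries": {t.country for t in history},
        "hours": {t.hour for t in history},
    }

def risk_score(tx, base):
    """Each indicator is one layer of evidence; weights are illustrative, not tuned."""
    z = (tx.amount - base["mean"]) / base["stdev"]
    indicators = [
        (z > 3.0, 40, "amount far above customer norm"),
        (tx.device_id not in base["devices"], 25, "unrecognised device"),
        (tx.country not in base["countries"], 25, "session from unusual country"),
        (tx.new_payee, 15, "first payment to this payee"),
        (all(abs(tx.hour - h) > 2 for h in base["hours"]), 10, "unusual hour"),
    ]
    hits = [(w, reason) for fired, w, reason in indicators if fired]
    return sum(w for w, _ in hits), [r for _, r in hits]

def decide(tx, history=HISTORY):
    """Map the score to a layered response: allow, step-up, or hold for an out-of-band check."""
    score, reasons = risk_score(tx, baseline(history))
    action = ("hold_and_verify_out_of_band" if score >= 60
              else "step_up_authentication" if score >= 25 else "allow")
    return action, score, reasons
```

The reasons list is what an analyst or a customer-facing verification message would need; the score alone tells neither why the transfer was held.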
To sum it up, deploy a system that is flexible and adjust it as threats evolve. Maybe that seems too simplistic. But the one thing we know for sure is that change is inevitable moving forward. As soon as a security system is built, it will need to be updated to be effective against the newest threats. Maybe not immediately, but within six to 18 months for sure. And we know that changing a security system will be painful — painful to the pocketbook, painful to deploy and to train personnel on, and painful when enrolling and onboarding our customers. Fortunately, Entrust customers will have very little (if any) pain complying with the new FFIEC supplement. Instead of investing in a single-purpose security solution, they deployed Entrust IdentityGuard as the security platform upon which to build, grow and evolve their security program for many years to come. I know I am wading into a product pitch, but that is not my intent. What I am advocating is that FIs must acknowledge that online security threats (including those in other channels like mobile, call center, ATM, etc.) will continue to evolve. Deploying a “band-aid” solution to address today’s issues is short-sighted, expensive and does little to truly help secure their customers. Entrust IdentityGuard customers have the option to deploy any one of 14 different authenticators to address the various threats and pain points within their organization. This even includes the ability to leverage mobile devices for advanced out-of-band transaction verification.
As new fraud threats evolve, Entrust security experts are working on new Entrust IdentityGuard capabilities to help defeat them. What new security capabilities will be released in 2012? Well, I either don’t know for sure or am not at liberty to say, but over the past five years we have deployed, on average, two new authentication approaches each year to address evolving market needs: needs around security, needs around ease of use and needs around cost reduction. Entrust IdentityGuard is about flexibility — flexibility to meet the varied needs of your retail and commercial clients; flexibility to protect both your customer and your employee digital identities; flexibility to meet your cost targets; flexibility to meet your usability needs; and the flexibility to protect against evolving cyberthreats. So, if you find yourself looking for a platform approach to help your organization meet the 2011 FFIEC supplement, you may want to consider Entrust IdentityGuard. We have a broad range of tools to help you with your evaluation process, including Entrust IdentityGuard trial systems and terrific migration and pricing programs.