Safeguarding Financial Institutions

In 2006, the financial services vertical in the U.S. purchased US$1.9 billion in electronic security, guard services and physical security equipment such as safes and vaults, according to an ADT-commissioned McKinsey research report. Similar amounts are being spent in Europe and East Asia. A&S talks to major security players about the threats financial institutions are up against today.

What potential threats and security problems do financial institutions face today? According to Chris Carney, Business Development Manager, Banking, ADT Security Services, based on a survey of about 50 senior financial security officer attendees at the 2007 ADT Financial Security Symposium, the following were the top-ranked security and risk concerns: check fraud, bank robberies, ATM card skimming, identity theft, workplace violence, internal fraud (embezzlement, theft), external fraud (loan, card fraud, electronic crimes), burglary, ATM and night depository attacks, armored car attacks, and business continuity and disaster recovery. ADT is one of the top U.S. security providers for finance, along with Diebold, Hamilton Pacific and Securitas, according to the McKinsey report.

Eric Koh, General Manager, Cash and Valuables Security at CERTIS Cisco, reported cases of financial losses due to inadequate physical security pale in comparison with those suffered by check fraud, attacks on customers, kidnapping and extortion of key bank employees, embezzlement by insiders and outsiders alike, credit card fraud, loan fraud, unauthorized electronic transfers and advance fee schemes, identify theft, fraudulent telebanking and Internet transactions, and money laundering. ¨Use of cloned and stolen ATM cards or customer information is a very real concern facing banks today.〃

These threats have been further aggravated, he said, by the easy access of information on the Internet to plan such activities, increasing reliance on global outsourcing of core operations, and consolidation of bank and other operations centers as a result of merger and acquisition activity.

¨At the institutional level, however, the most persistent security threat, is the insider who might use authorized access to confidential information or operating systems for self-interest and profit,〃 Koh said. ¨Banks and financial institutions will need to continuously employ comprehensive and intricate systems of internal controls to counter this threat, but the knowledgeable insider bent on corruption is difficult to stop.〃

Banks Respond

Both enhanced physical and logical security will be needed, said Jafizwaty Ishahak, Industry Manager, Smart Cards and AutoID (RFID and Security), APAC for Frost & Sullivan  a global growth consulting company. ¨Banks and financial institutions in the Asia Pacific market,〃 she said, ¨have been opening up more to high-end access control systems and physical security solutions despite cost issues."

Growing economies and liberalization of markets in many countries, and a growing concern over security has led to this change, Ishahak said. ¨The sheer size of the market and low penetration in the past provide a huge market potential for security systems in the region.〃

The region, she added, is also home to numerous access control system component manufacturers in the low-end market, especially in China and Taiwan. Hence, the price of cards, readers and security solutions in the region is relatively much lower than in North America or Europe.

Increasing terrorist activities are driving adoption of both physical electronic access control (EACS) and video surveillance, and other physical security solutions. ¨There are various types of keys used in EACS,〃 Ishahak said. ¨In 2007, keypad and proximity cards still held the largest share of physical access control key market because they were cheaper.〃 The market for keypads, though, is shrinking with introduction of more advanced technologies such as contactless smart cards (known for the ability to host more than one application), biometric and integrated keys (contactless smart cards and biometrics).

¨There is increasing adoption of stand-alone biometrics,〃 she said. ¨In Japan, for example, more than 20,000 ATMs have palm vein readers. The region is likely to be the fastest-growing for card technology, biometric readers and integrated keys in 2008 (estimated growth rates of more than 6 percent and beyond).〃

According to Ishahak, many countries in the Asia Pacific are converting to EMV (smart card-based payment cards) to prevent fraudsters from migrating to perceived ¨laxer〃 security environments. ¨Malaysia,〃 she said, ¨is lucky to have completed the migration exercise by 2004. Malaysia was among the first to migrate to chip-based smart cards for all banking (ATM, payment, credit and debit cards).〃

Then, she said, Malaysia had only 18 million cards (12 million ATM and 6 million payment and credit cards). In contrast, Korea has more than 100 million cards. Other Tier-1 countries include Japan and Taiwan. Tier 2 includes Australia, Singapore, while Tier 3 is Indonesia, India and China.

Video surveillance in the Asia Pacific region is also a high-growth industry, estimated at more than 28 percent growth for 2008. Total video surveillance growth, Ishahak said, is expected to come from different markets. In 2007, the bulk of the revenue came from China, South Korea, Australia, Taiwan, India and Macau. ¨The market is dominated by analog camera deployment from the price standpoint. It will, however, not be long before IP replaces analog.〃

Nuts and Bolts

According to Charle s Loh, Managing Director, CERTIS Cisco Security Consulting, physical security measures such as high-security vaults, integrated security systems and response forces will continue to be important in containing the very real threats of bank robberies and burglaries.

¨Over the last decade,〃 Loh said, ¨especially with the advancement in technology, the minimum standards for physical security (under banking regulations) have been eliminated. As such, the responsibility of determining which security devices will best meet the needs of each individual bank branch office or institution is now placed on the management of these entities.〃

Regardless of the approach, the four key provisions for protecting the financial vertical, Koh said, include the following: a secure place for storing cash and other valuables, illumination systems, alarm systems and tamper-resistant locks.

The banking industry has also increasingly leveraged on the latest developments in security technology and systems to protect their premises, he said. ¨There has been a shift in focus from the traditional emphasis on security devices to increasing significance of administrative and procedural aspects of security solutions.〃 The banking industry has institutionalized the need for designated security officers and authorities in implementing policies across all staff and line departments.

Renewed emphasis, Koh said, has also been placed on procedural issues. This may include any of the following: procedural security measures relating to opening and closing of business, safekeeping of valuables and protecting integrity of customer information or those that assist in identifying risk situations, such as preservation of evidence. Then, there is training of employees in relation to responsibilities, behavior during and after security incidents, and a process for selecting, testing and operating security systems and devices.

From the perspective of physical security, Loh said, access control, intrusion detection systems (IDS) and CCTV surveillance systems are still basic but important systems. ¨Technology today,〃 he said, ¨provides higher resolution, throughput and storage capacity at lower costs. As such, banks should opt for higher quality cameras, recorders and storage media devices.〃

Surveillance systems, Koh said, are just one of the measures implemented to minimize risk at self-service banks. In addition to surveillance systems, crime prevention through environmental design strategies ensure the following proper situation, lighting, natural surveillance, landscaping, and mirrors at strategic locations coupled with strong customer education and awareness programs.

To protect ATMs, Carney said, banks need video surveillance, anti-skimming and lighting. For entrances, they require video surveillance, access control, lighting and intrusion detection. At vaults, they need video surveillance, access control, panic buttons and intrusion detection. For operation centers, key features are video surveillance, access control, panic buttons, intrusion detection, firewalls and heightened network security.

Integration: A Crucial Facet

The ADT layered approach, with a bias toward standardization of security technologies across facilities  while remaining flexible  stresses integration. ¨As an integrator,〃 Carney said, ¨ADTˇs role is to evaluate and understand the specific risks that our customer banks and financial institutions face. Then, after careful analysis, we combine our portfolio of technologies and services, as well as those of qualified third-party partners, into solutions that mitigate customer risks as cost-effectively as possible.〃

Integrated features among the various subsystems, Loh said, should be considered as much as possible to achieve work efficiency. For example, ATM transaction logs can be tagged with CCTV images for ease of investigation. IDS alarms can be integrated with CCTV to bring up relevant images and trigger audio features for surveillance verification. Banks and financial institutions should also tap into the benefits of using networking systems to provide swift remote access to the system as and when required. Banks could also leverage this equipment for quality management and customer service.

It should be remembered, however, that security products and technologies are but one component of an integrated security system. To be effective, design of an integrated security system must be based on a thorough risk assessment and solutioning derived through an optimum integration of man, machine and method (collectively known as M3), Loh said. ¨This is CERTIS Ciscoˇs holistic approach toward protecting our customersˇ businesses and assets for their total security and peace of mind.〃

A well-designed, integrated security system effectively deters, detects and denies any possible attack on the financial institutionˇ s assets, he added. As such, it must address the operational needs of the financial institutions. Technical specifications are subsequently prepared to support these operational needs.

¨Engaging competent security consultants,〃 Koh said, ¨is the best way to ensure that technical specifications prepared are able to meet performance requirements. The specifications should be brand-neutral. If the financial institution invites a tender for a security service provider, it will make the final decision in consultation with the security consultants.〃

Trends

IP-based solutions, Koh said, are the trend that is dominating the financial services segment. ¨This is fundamental as financial institutions operate at various locations and across the globe. Bank branches, ATMs and data processing centers are key assets that need protection. IP-based solutions definitely provide advantages of networking various systems into a shared and integrated platform. Network cameras, recorders, intrusion controllers and access controllers have the capability for integration, remote access and surveillance. Integrated platforms provide users with effective and efficient security management, and processes for case management and investigations.〃

Virtual private networks are another trend. As banks and financial institutions pose unique challenges, said Allan McHale, Director of i & i, the security issue that transcends over any other is the security of information and need for trusted communications. For this reason, the IT staff is very much involved in the purchasing decision of physical security systems becasue the staff is in control of networks that the physical security system wants to sit on.

As, however, IT professionals are generally averse to endangering networks, they frequently decide against sharing them with security and building management systems. ¨While sharing a common network is quite common in prestige buildings in other vertical markets,〃 McHale said, ¨there seems little point in trying to convince the financial sector that they are the ones out of step. The companies that are succeeding in the financial market are the ones coming up with a solution that satisfies them.〃

It is for this reason that he recommends new solutions, such as virtual private networks (VPNs), which provide the important security of data that they demand, despite being more expensive. They allow convergence with the business enterprise to provide a much richer seam of information, generating a better return on investment. Carney sees industry trends toward convergence from analog to digital technologies, especially those based on the Internet protocol (IP). Related to this is convergence of physical and logical (information technology) security.

¨These two trends,〃 he added, ¨are having huge implications for banking security as IP-based networking can enable much more centralized management of security systems across widely distributed geographic locations. Its scale helps drop the cost of components, while raising price performance ratios of solutions and optimizing operational efficiencies.〃

IP-related programming techniques, he said, can enable Web services to play a role in integration of physical and logical security to enable better communications, faster responses, higher productivity and lower costs. Other positive trends are standardization of security components, systems and processes that make up a bankˇs enterprise security footprint and outsourcing via managed services to deliver operating expense savings to the institutionˇs bottom line.