Introduction
Information Technology (IT) is among the developments of the 21st century that have changed how financial organisations conduct their business in a sophisticated and fast-paced environment. To most industry commentators, IT arrived at an opportune time, when global financial dealings needed greater speed, efficiency and reliability (Meyer, 2000). True to the technological determinism concept advanced by Nelson (2005), financial organisations that use IT are able to deliver market knowledge to their customers quickly, efficiently and reliably. Consequently they are more competitive, especially since customers are drawn to institutions that use technology to simplify financial processes (Nelson, 2005). In addition to more efficient transactions, the use of IT has made enforcing contracts between customers and financial institutions much easier: the two parties (i.e. the financial organisation and the client) no longer have to be physically present when entering into a financial contract.
The use of IT in financial organisations has, however, brought new risks, which must be managed effectively if such organisations are to survive. According to Oldfield and Santomero (1997), IT-related risks, like other risks, can be dealt with by elimination or avoidance; by transfer to other participants; or by active management at the firm level. Elimination or avoidance suits risks that are “superfluous to the institution’s business purpose” (Oldfield and Santomero, 1997, p. 4). Transfer to other participants suits cases where the firm can buy or sell assets in order to concentrate or diversify its risk portfolio; for example, if an asset held by the firm offers no comparative advantage, the firm can sell it and so shed the risk attached to it. Where a risk can be neither eliminated, avoided nor transferred, the firm has no choice but to manage it actively at the firm level. In financial firms, assets that carry a high moral hazard, or that cannot easily be hedged or traded, carry risks that can only be managed effectively in this way.
The use of IT in financial firms undoubtedly compounds the risks such institutions face. In addition to the traditional financial risks, there are other forms of risk, as Boran (2003) shows. Boran (2003) found that financial institutions are exposed to money theft, damage to software, information theft, data alteration, theft of services, and trespass. This paper concentrates on three of the risks identified by Boran (2003): money theft, information theft and data alteration. It examines how security managers in financial organisations can eliminate, transfer or manage the risks in these three areas. It concludes by observing that IT is ever changing, and so are fraudsters and hackers; to remain secure against the risks that come with IT, financial institutions must therefore be willing to invest in risk assessment, risk analysis and risk mitigation.
Managing IT-related risks in Financial Institutions
Effective risk management involves the “analysis, planning, implementation, control, and monitoring of implemented measurements” for each risk item (Nikolic and Ruzic-Dimitrijevic, 2009, pp. 595-6). Stoneburner, Goguen and Feringa (2002, p. 2), on the other hand, define risk management as the “process of identifying risk, assessing the risks, and taking steps to reduce risk to acceptable level”. Taken together, the two definitions make clear that it is the firm that decides, on the basis of the results of a risk assessment, whether a given level of risk is acceptable or whether controls are needed to bring it down to an acceptable level. Financial firms should therefore identify, analyse and evaluate the risks posed by their IT infrastructure and derive suitable mitigation measures and controls from the results of that process.
As Nikolic and Ruzic-Dimitrijevic (2009) observe, IT security is a generic term covering different aspects such as protection against computer viruses, data integrity and backup, physical infrastructure security (i.e. the server room, protective cabinets, workstations, etc.), the IT systems themselves, including servers and clients, and applications such as email and websites. The security manager of a financial organisation should therefore consider all of these aspects of the IT infrastructure when carrying out a risk assessment.
The risks posed to a financial organisation’s IT systems may have financial consequences, but they can also affect the integrity of data and the performance of employees, and may have negative internal and external effects on the organisation (Nikolic and Ruzic-Dimitrijevic, 2009). Further, threats to the IT infrastructure may be deliberate, but they may also arise from technical failure, human error, organisational shortcomings or force majeure (i.e. an unexpected event caused by a greater force). Whatever the cause, a financial organisation needs safeguards on several fronts in order to eliminate, avoid, transfer or effectively manage the resulting risk.
The risk of money theft
Most people associate financial institutions with money, and rightly so. According to Hasan et al. (2011), financial institutions and their clients are attractive targets for cyber criminals, who send them phishing emails and malware aimed at the financial products and services the institutions and their clients handle. Should attackers discover a vulnerability in the firm’s IT infrastructure, Hasan et al. (2011) observe that they “will continue to exploit it, possibly with escalating degrees of damage”. One of the most prevalent forms of money theft is obtaining credit or debit card details and using them to access, and withdraw funds from, the victims’ accounts.
According to Hasan et al. (2011), money theft most often occurs with some input from employees of the organisation. This is reinforced by Krishna and Inscoe (2009), who argue that internal fraud accounts for the largest share of monetary theft in both IT-enabled and traditional financial transactions. Such observations underscore the need for financial firms with established IT platforms to treat the internal threat posed by employees and others privy to inside information as a real risk.
On the clients’ side, the management of the financial institution must also strengthen information security by guiding clients on how best to secure their accounts. The National Audit Office (2006), for example, states that clients can be trained in the appropriate use of virus controls and of unique passwords, among other measures, as ways of securing their financial information on an IT-mediated platform.
Hasan et al. (2011) argue that the risk of money theft via IT-enabled platforms can be eliminated, reduced or managed by training employees adequately. Specifically, employees must be trained to recognise and handle a potential attack. Secondly, passwords used to gain access to financial accounts or related information must be chosen well and changed frequently; among the viable ways of preventing unauthorised access to financial accounts is to require passwords to meet a set length and a mix of letters and numbers, and to be changed from time to time. Current guidance differs on the last point: NIST Special Publication 800-63B (2017) advises against forcing periodic password changes unless there is evidence of compromise, because forced rotation pushes users towards weaker, predictable passwords. User accounts of employees who leave the organisation, whether voluntarily or involuntarily, must also be terminated immediately. According to Hasan et al. (2011), terminating such accounts eliminates the possibility of former employees gaining access and compromising the integrity of information held in the systems.
The management of the financial organisation also has a major role to play in managing the risk of money theft. As Nelson (2005) argues, the management of any organisation bears ultimate responsibility for securing it against external and internal threats. Management should therefore be attentive to security issues and should reinforce the importance of IT security by communicating it effectively to departmental heads and following up on any initiatives that seek to mitigate related risks (Hasan et al., 2011). Management can also “instil a sense of urgency” across the firm, alerting employees to the need to report any suspicious issue to the appropriate department (Hasan et al., 2011, p. 3).
The security manager further needs to ensure that the institution has an information security programme in place to identify and assess all risks associated with IT-enabled financial products and services, and to identify the mitigation actions appropriate for each. According to the National Audit Office (2006), financial institutions should not stop at having such a programme; they should also be proactive in measuring and evaluating customer awareness of the risk of losing money through identity theft, and of how best to guard against it.
Overall, the risk of money theft via IT-enabled technologies is present in cash management systems, online retail banking, online consumer finance, corporate banking, card services, merchant services and private banking, among others. The common denominator is that all of these services are IT-enabled, so every risk associated with an IT infrastructure applies to them too. According to RSA (2008), risks associated with money theft on an IT platform can be eliminated, minimised or managed more effectively by implementing an appropriate “level of authentication and encryption, security event management and fraud detection” (RSA, 2008, p. 5). However, given the constant change in technology and the constant attempts by attackers to break into financial firms’ systems, these security measures need to be updated continually. Financial organisations can use passwords, digital certificates (especially on public key infrastructure (PKI) platforms), one-time passwords, personal identification numbers, biometric identification and other techniques to guard their systems and their clients against excessive exposure to money theft.
Compared with information theft and data alteration, discussed below, money theft may appear the most minor of the three risks, especially when the amount stolen is small and the theft is a one-off. The risk of money theft in an IT-mediated environment often targets individual account holders and may therefore not extensively affect the financial organisation itself. Money theft may, however, indicate that either the client or the institution has not employed the necessary mitigation measures, such as strong passwords and verification of clients’ identity before authorising transactions. The Federal Financial Institutions Examination Council (n.d.), for example, observes that without exploiting weaknesses in identity or password authentication, fraudsters who live on money theft would have no other convenient way of accessing their target accounts. In data alteration and information theft, by contrast, fraudsters have multiple channels open to them.
The risk of information theft
Information stored on a financial firm’s network may include financial data, human resource files, legal documents, account information and transaction records, among other things. Because of such contents, RSA (2008) observes that this information is among the most valuable assets a financial organisation has. Knowing its importance, attackers continually try to break into systems in the hope of gaining access to valuable business information about the target organisation. Should they succeed, RSA (2008) observes, the business continuity and integrity of the target organisation would be seriously disrupted or jeopardised. Prevalent threats to information include data/system contamination, espionage, “improper disposal of sensitive media/scavenging”, insertion of malicious software or code, modification of databases, misuse of weaknesses in software, tampering, and saturation of systems, among others (Hasan et al., 2011, pp. 9-10).
Hacking is identified as one of the most common methods of gaining unauthorised access to information. According to FLSmidth Automation (2009), hacking is unauthorised access to a firm’s database achieved by circumventing its security controls. Hackers usually work from a remote location and act with a specific purpose in mind. Those who target financial institutions usually seek financial information, including account details and records; with such information they can initiate unauthorised transfers of funds, leading to the money theft discussed above.
The risk of information theft is also high in financial institutions that do not take the necessary measures to guard the confidentiality of their databases. As ISO (2007) notes, phishing, spyware and social engineering are increasingly used by fraudsters, who find easy targets in systems that lack strong security measures. Firewalls and antivirus software are among the basic risk management measures a security manager in a financial institution can deploy. It is worth noting, however, that they do not provide absolute protection against fraudsters and hackers. The security manager should therefore always maintain secure backups, kept isolated from the production systems so that a compromise of the live environment does not also reach the copies. As FLSmidth Automation (2009) notes, secured backups not only enable a financial organisation to recover its data but also help it to protect sensitive data.
Computer output in the form of printed reports, magnetic and optical media, and screen output sent over communication networks is another avenue that information thieves may use to obtain financial data from unsuspecting institutions (National Audit Office, 2006). To manage such risks, the security manager has to ensure that computer output is secured and is only initiated by authorised individuals. Any printed material must be filed and stored securely and, once it is no longer needed, destroyed.
Information theft by insiders is another common threat that security managers in financial institutions should consider. Like those in many other sectors, employees in the financial sector are not without their weaknesses. Krishna and Inscoe (2009) rate fraud by employees as the commonest type of internal crime in financial institutions. Banks are especially prone to information theft by employees, but insurance firms, retail firms and brokerages are not without their share of the same risk. Following Krishna and Inscoe (2009), security managers in financial institutions should therefore find an effective way of managing the risk of internal fraud. As Nelson (2005) aptly sums up the risk of information theft, “the real threat is not the technology, but humans that use the technology” (p. 59). Humans will take whatever technology is available to them and use it either for good or for ill. The bulk of the responsibility therefore lies with security managers to ensure that their systems cannot be penetrated by unauthorised users intent on information theft.
The risk of data alteration
Data alteration can be either deliberate or unintentional. Whichever form it takes, it jeopardises the integrity of data, and through that its confidentiality and availability (Elky, 2006). In financial institutions, the alteration interferes with data that is “produced, processed, controlled or stored” in the processing systems (Elky, 2006, p. 3). Like information theft, data alteration is a risk usually posed by human threats. One major difference between the two is that while data alteration may be deliberate or accidental, information theft is always deliberate. Data alteration occurs through inadvertent data entry, or deliberately through attacks on the institution’s network, virus infection, or unauthorised access to the organisation’s systems (National Audit Office, 2006).
Vulnerabilities that allow data alteration to take place include the lack of clear contingency directives and procedures at the organisational level; the lack of defined and tested contingency plans; inadequate contingency training; the lack of information backups; inadequate system recovery resources; the lack of alternative storage or processing sites; and the lack of alternative communication services (Elky, 2006). System changes made by newer IT personnel to existing infrastructure (usually designed and implemented by a different team) also account for a significant number of the vulnerabilities that expose a system to data alteration (National Audit Office, 2006). The problem is compounded by the interconnected nature of IT systems, in which a change to a single component can affect the entire information system. The National Audit Office (2006) therefore recommends that changes to systems be managed carefully and objectively, preferably in consultation with the team that originally designed and implemented the system.
Unmanaged or badly managed system changes typically lead to malfunctions in which financial data is corrupted to the point of becoming unusable. Alternatively, changes can cause system failure, leaving the institution unable to maintain or update its financial records. Changes may also make the system increasingly unreliable (Elky, 2006). Such growing unreliability arises when a system is poorly managed over time, which degrades its quality and makes it more vulnerable to internal and external data alteration. The National Audit Office (2006) thus notes that the risk of data alteration makes fraud and system misuse a real threat to financial institutions, and it is hence perceived as a major threat to business continuity.
Financial institutions with a high risk of data alteration face a greater threat of unauthorised changes to their financial information and to their clients’ financial statements, including the destruction or alteration of financial data. In other cases, people with unauthorised access may induce system failures by reconfiguring logical access controls.
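Because data alteration may be accidental as well as deliberate, the practical control is one that makes any change to posted records detectable regardless of its cause. The block below is an added example, not code from this paper or from any of its sources: a Python record store in which each entry carries an HMAC over its index, its content and the previous entry's tag, so that editing, deleting, inserting or reordering a record invalidates the chain from that point on. The class and method names, the record fields and the sample transactions are constructed for the illustration; in practice the key would be held by a separate verification service or an HSM, out of reach of anyone able to write records.

```python
import hashlib
import hmac
import json
from typing import Optional


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so that equal content always gives an equal tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ChainedLedger:
    """Append-only store: each entry's tag covers its index, its content and the previous tag.

    A change to any earlier entry therefore changes the input to every later tag, so a
    single pass from the start finds the first point at which the stored history diverges.
    """

    GENESIS = "0" * 64  # previous tag used for the very first entry

    def __init__(self, key: bytes):
        self._key = key              # verification key: keep it away from record writers
        self.entries: list = []      # [record, tag] pairs, in posting order

    def _tag(self, index: int, prev_tag: str, record: dict) -> str:
        msg = index.to_bytes(8, "big") + bytes.fromhex(prev_tag) + canonical(record)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        prev_tag = self.entries[-1][1] if self.entries else self.GENESIS
        tag = self._tag(len(self.entries), prev_tag, record)
        self.entries.append([dict(record), tag])
        return tag

    def first_bad_entry(self) -> Optional[int]:
        """Index of the first entry whose tag does not verify, or None if the chain is intact."""
        prev_tag = self.GENESIS
        for index, (record, tag) in enumerate(self.entries):
            if not hmac.compare_digest(self._tag(index, prev_tag, record), tag):
                return index
            prev_tag = tag
        return None


if __name__ == "__main__":
    # Constructed demo data; amounts are strings so that canonical() is not affected by
    # floating-point formatting differences between writers.
    ledger = ChainedLedger(key=b"constructed-demo-key-would-live-in-an-hsm")
    for txn in ({"txn": 1, "account": "ACC-100", "amount": "250.00"},
                {"txn": 2, "account": "ACC-200", "amount": "75.10"},
                {"txn": 3, "account": "ACC-100", "amount": "1200.00"}):
        ledger.append(txn)
    print(ledger.first_bad_entry())              # None: chain intact
    ledger.entries[1][0]["amount"] = "7510.00"   # an insider edits a posted amount
    print(ledger.first_bad_entry())              # 1: first entry that no longer verifies
```

The check reports where the history first diverges, not merely that it has; that is what an investigator needs in order to scope the damage. An attacker who can edit records but cannot read the key cannot recompute a valid tag, which is why the key must not live alongside the data.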
Fortunately, financial organisations can identify vulnerabilities in their systems with vulnerability scanners, penetration testing, and reviews of management and operational controls, as Elky (2006) suggests. These controls are not without vulnerabilities of their own, however, so financial institutions operating in IT-mediated environments should exercise the utmost caution and remain alert to any attempt on their systems, internal or external. One of the best ways to identify such attempts is to keep a log of login attempts, recording both failed and successful logins (Nelson, 2005). The security manager can then draw on the logs when formulating the risk management plan, treating the accounts and sources with the most failed attempts as posing the greatest risk to the system.
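The logging recommendation above only pays off when someone turns the log into a ranked list of suspicious accounts and sources. The following is an added example, not code from this paper or from Nelson (2005): it parses a constructed set of authentication log lines in Python, keeps a sliding window of failures per user and per source address, raises an alert when either count crosses a threshold, flags a success that follows a burst of failures (the sign that a guessing attack may have got through), and ranks users by total failures as the paragraph suggests. The log format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Assumed log format (constructed for this example): one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a guessing attack on jsmith that succeeds, a password spray from
# one address across five users, an ordinary user who mistypes once, and a stray line.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth: result=FAIL user=jsmith src=203.0.113.5
2024-03-01T09:00:07Z auth: result=FAIL user=jsmith src=203.0.113.5
2024-03-01T09:00:13Z auth: result=FAIL user=jsmith src=203.0.113.5
2024-03-01T09:00:20Z auth: result=FAIL user=jsmith src=203.0.113.5
2024-03-01T09:00:26Z auth: result=FAIL user=jsmith src=203.0.113.5
2024-03-01T09:00:33Z auth: result=SUCCESS user=jsmith src=203.0.113.5
2024-03-01T09:05:00Z auth: result=FAIL user=mjones src=198.51.100.7
2024-03-01T09:05:02Z auth: result=FAIL user=akhan src=198.51.100.7
2024-03-01T09:05:04Z auth: result=FAIL user=bwong src=198.51.100.7
2024-03-01T09:05:06Z auth: result=FAIL user=clee src=198.51.100.7
2024-03-01T09:05:08Z auth: result=FAIL user=dpatel src=198.51.100.7
2024-03-01T09:30:00Z auth: result=FAIL user=erose src=192.0.2.44
2024-03-01T09:30:05Z auth: result=SUCCESS user=erose src=192.0.2.44
this line is not an auth record
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, with ts as a datetime, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(lines, threshold: int = 5, success_after: int = 3, window=timedelta(minutes=10)):
    """Return (alerts, ranking).

    alerts  : list of (kind, key, timestamp), raised once when a count crosses the threshold
    ranking : users ordered by total failed attempts, most first (the paper's risk ranking)
    """
    recent_user = defaultdict(deque)   # timestamps of failures per user within the window
    recent_src = defaultdict(deque)    # timestamps of failures per source address
    totals = Counter()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        for q in (recent_user[user], recent_src[src]):
            while q and ts - q[0] > window:       # drop failures older than the window
                q.popleft()
        if ev["result"] == "FAIL":
            totals[user] += 1
            recent_user[user].append(ts)
            recent_src[src].append(ts)
            if len(recent_user[user]) == threshold:   # one account hammered
                alerts.append(("user_bruteforce", user, ts))
            if len(recent_src[src]) == threshold:     # one address hammering many accounts
                alerts.append(("src_bruteforce", src, ts))
        else:
            if len(recent_user[user]) >= success_after:   # success right after a burst
                alerts.append(("success_after_failures", user, ts))
            recent_user[user].clear()
    return alerts, totals.most_common()


if __name__ == "__main__":
    found, ranking = analyse(SAMPLE_LOG.splitlines())
    for kind, key, ts in found:
        print(ts.isoformat(), kind, key)
    print("most failed attempts:", ranking[:3])
```

The per-source counter is what catches a password spray, which never trips a per-account threshold because each account sees only one failure; the success-after-failures rule is the one that should page someone, since it marks a possible compromise rather than an attempt.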
Conclusion
Like other organisations operating in a sophisticated, globalised market, financial firms cannot avoid IT-mediated infrastructure. Unfortunately, IT systems have their share of disadvantages, the increased risk of money theft, information theft and data alteration being just three. In keeping with the technological determinism concept identified at the beginning of this paper, financial organisations see IT as one of the best ways of enhancing their competitiveness; hence internet banking, ATMs, voice response systems, smart cards, bill payment and even mobile-phone banking are rapidly becoming commonplace. Information technology, however, widens the range of risks faced by financial institutions to include more ‘advanced’ kinds. In addition to managing traditional risks, financial institutions are therefore increasingly adopting new risk management strategies and approaches to protect themselves from internal and external threats. As observed earlier in this paper, they can use passwords, digital certificates (especially on public key infrastructure (PKI) platforms), one-time passwords, personal identification numbers, biometric identification and other techniques to guard their systems and their clients against excessive risk exposure. Which protection an organisation chooses, however, depends on the results of its risk assessment, analysis and mitigation processes.
Overall, IT is ever changing, and so are fraudsters and hackers. To remain secure against the risks that IT brings, financial institutions must be willing to invest in risk assessment, risk analysis and risk mitigation. Risk management, especially in sophisticated IT-mediated financial organisations, may not be a cheap undertaking. Remaining ignorant of and unprotected against these risks may, however, prove far more expensive, since it can lead to financial losses, the loss of invaluable organisational data, and even the loss of an entire financial system. Any prudent financial organisation would therefore choose to manage IT-related risks, the associated costs notwithstanding.
References
Boran, S 2003, IT security cookbook, Boran Consulting, Blonay, Switzerland.
Elky, S 2006, An introduction to information system risk management, SANS Institute InfoSec Reading Room, pp. 1-14.
Federal Financial Institutions Examination Council, n.d., Authentication in an internet banking environment, Web.
FLSmidth Automation 2009, Security risk assessment, Web.
Hasan, H, Underwood, D, Even, L, Pulse, E, Kondisetty, S & Andrews, W 2011, Information technology risk management for financial institutions, Web.
ISO 2007, Top information security risk for 2007, Web.
Krishna, B.C & Inscoe, S 2009, Insidious: how trusted employees steal millions and why it’s so hard for banks to stop them, Memento Press, San Francisco, CA.
Meyer, L. H 2000, Why risk management is important for global financial institutions, Central Bank Articles and Speeches, Bangkok, Thailand, Web.
National Audit Office 2006, Review of information system controls: notes and supplementary questions, NAO form 905, pp. 1-36.
Nelson, J.A 2005, Information security risk in financial institutions, World Academy of Science Engineering Technology, Web.
Nikolic, B & Ruzic-Dimitrijevic, L 2009, Risk assessment of information technology systems, Issues in Informing Science and Information Technology, vol. 6, pp. 595-615.
Oldfield, G.S & Santomero, A.M 1997, The place of risk management in financial institutions, Wharton Financial Institutions Center, Working Paper Series, pp. 1-39.
RSA 2008, Information risk management for the financial services industry, RSA Executive Overview, Web.
Stoneburner, G, Goguen, A & Feringa, A 2002, Risk management guide for information technology systems, National Institute of Standards and Technology, Special Publication 800-30, pp. 1-41.