I. Introduction
The age of information technology and the electronic world has evolved to its highest level. This evolution has brought new concerns to various stakeholders about the security of the information they hold. These stakeholders can be individuals, organizations, government bodies or other entities, among others.
The big worry is no longer the unauthorized physical access to assets that many used to be concerned about. These days stakeholders are more preoccupied that classified information, an almost intangible asset that is currently considered more vulnerable than tangible assets, can be attacked and destroyed or lost.
“Information security requires more than the physical protection of computers.” (Parker, 1984: Wright, 1994) The effectiveness of the information security system that an entity imposes depends on a mix of factors that have been incorporated and implemented. It requires a correct blend of “technological and human controls” (Parker, 1984: Wright, 1994) that avoids data or information loss; prevents unauthorized physical access, be it accidental or intentional; prevents unauthorized data access; detects loss or impending loss; enables recovery after a loss has occurred; and corrects system vulnerabilities to deter similar losses from happening again.
One of the most sensitive groups of information, one that truly needs security and assurance of its confidentiality, is found in the banking industry. A bank, be it a commercial or an investment bank, needs its information secured for many reasons: not only for its customers and stockholders but also for the integrity and reputation of the industry itself, for the sake of the national economy, and for many other reasons.
II. The Bank’s Highly Confidential Information and How Can It Be Secured?
Banks have a lot of valuable information. This is so because what banks keep is generally the most liquid and most usable of all assets: cash! Although cash is the most obvious element when a bank is being discussed, the security behind keeping this cash intact for the depositor, the so-called physical security, is one big responsibility that a bank has to deal with. Other security responsibilities, such as electronic and information security together with network or cyber safety, must be taken into consideration as well because these measures also help keep the main assets safe.
Following are some of the highly confidential information a bank must secure:
1. Customer information such as name, address, account number, amount of deposit, amount of loan, bank Personal Identification Number (PIN), beneficiaries, specimen signature, etc.;
2. Trade secrets, internal rules and regulations and other strategic training modules, materials, plans, etc.;
3. Database information such as main site, back up site, building plan and layout, etc.;
4. Bank plans and goals against its competitors and innovative ideas for growth and development;
5. Website information and programs to prevent defacing of its website and other real-time applications.
Some of the listed information may not sound as important and sensitive as it is, but all the same, it needs protection against unauthorized access. What should the bank generally do to have an ideal security system for its information?
1. Develop a strong internal control system for its own operations. This is a security measure from within the organization itself that gives access only to those personnel who are authorized to view and change certain types of information. At this level alone, the risk of information loss or sabotage is already minimized. Can you imagine an employee pretending to be a janitor who nevertheless closely examines reports on the annual gain or loss of the bank that are intended to be read by managers alone? Or that same janitor reading the bank’s five (5)-year strategic plans to beat its competitors? That is weird and suspicious, right?
2. The physical security of its databases and of the bank premises themselves should be safely guarded. Aside from the obvious risk of asset loss, the bank must also guard against information sabotage, leakage or destruction. This includes keeping the databases’ location known to as few people as possible, posting human guards and electronic alarms, and screening anyone trying to work with the bank’s information. This also includes adherence by the bank to a high standard of physical security in its premises and any place where its valuable information is physically stored. This means setting up monitoring cameras or closed-circuit televisions (CCTVs), alarm systems for emergencies, and biometric passes for prevention of unauthorized access, among others.
3. For its online security, the bank should have in-house support, composed of programmers, engineers, technicians or computer and Information Technology (IT) scientists, for its IT-related needs to constantly guard its own information and applications against malicious access and attacks.
Moreover, the online transactions that the bank enters into should be highly secured by using up-to-date gadgets, software and applications that can assure its stakeholders of their safety.
III. Accessing the Bank’s Information
It is not a problem when the correct information is accessed by the proper individuals. The problem arises when unauthorized and malicious access happens. This can be done physically and, with today’s modern gadgets, remotely and electronically.
Physical access through actual presence in a place is easier to detect and control because the one who is trying to gain access is visible to the naked eye. All the same, security measures must be in place because even bank personnel sometimes override the bank’s security rules and take advantage of the information or the assets they can put their hands on. As Lineberry (2007) put it, “the human element (is) the weakest link in information security.” Thus, more measures should be taken into account: do not trust anyone!
Electronic access is a more complicated security issue because the source of the attack or unauthorized access can be traced back only on the premise that the bank’s IT personnel are good at their own work and have superior technologies in use. Some of these technologies and gadgets are Radio-Frequency Identification (RFI) and firewalls.
IV. Getting Hacked and Its Consequences
Hackers these days exist for many reasons. Material/monetary reasons are first on the list. In fact, according to Hinojosa (2005, p. 36), the cyber threat is “worsening due to the addition of criminal elements that are now hiring technical experts to develop new attack methods on a for-profit basis.”
When an entity is successfully attacked by hackers, say the bank, aside from the negative publicity it gets because it was hacked, it also has to suffer other more painful consequences:
(1) Lost or destroyed data. This happens when the hacker has no other intention but to destroy or steal the data/information that the bank has;
(2) Lost customer/client or investor trust. This would be the consequence when customers/clients and investors, together with other stakeholders, discover that their bank’s information was accessed forcefully. This leads to lower profits;
(3) Financial losses due to lost information. These losses, such as the cost of recovery or the monetary equivalent of the information, are a big expense for the bank;
(4) A weaker standing in competition that may be caused by hacker’s selling information to competitors; and
(5) Direct asset loss if the information acquired by hackers could be used to manipulate bank information such as fund transfers and deposits.
V. Conclusion
Information technology is for the advantage of mankind. However, proper usage and caution should be put into place when an entity, such as a bank, wants to be heavily reliant on such technology. The banking industry is one of the heavy users of cyber transactions, thereby opening a door to hackers.
To prevent hackers from accessing valuable information owned by an entity, a proper information security system must be built. This, however, is much easier said than done. A combination of many factors is needed for the system to succeed and work to the advantage of the entity. Investment money is needed for the technology (software and hardware) and peopleware in setting up the security system that can facilitate the entity’s existence and operations. However, this cost is not a useless expense and should be matched with the benefit that it brings: a secure and lasting banking entity.
Security means reliance. A company with a proper security system, be it an information security system, an operational security system, or any security system for that matter, is a trustworthy entity that clients and investors love. In the long run, these security systems give a good name to the entity, encourage more clients and maintain the safety of the entity and its assets, prolonging its going concern principle.
References
Hebb, G. M., & Fraser, D. R. (2003). Conflict of Interest in Commercial Bank Security Underwritings: United Kingdom Evidence. Quarterly Journal of Business and Economics, 42(1-2), 79+.
Hinojosa, P. (2005). Information Security: Where We’ve Been and Where We Need to Go. T H E Journal (Technological Horizons In Education), 32(7), 36.
Lineberry, S. (2007). The Human Element: The Weakest Link in Information Security. Journal of Accountancy, 204(5), 44+.
Wright, M. A. (1994). Protecting Information: Effective Security Controls. Review of Business, 16(2), 24+.