Alert the Moderator
About this blog
Disclaimer and Guidelines
Day 2 from Davos: Setting the security standards
It’s day one proper at Davos and a sea of lively debates are raging throughout the summit. Often, the informal conversations you have over coffee are far more valuable than the public forums and one of the more interesting themes that came up amongst those I spoke to today was security. I’ve attended several meetings since my arrival and been involved in a number of discussions with banking institutions and business executives about the threats they’re currently facing.
Phishing, phreaking and pharming are now everyday terms and the kind of attacks that are having a massive impact on customer confidence driving the demand for some kind of security governing body. There is a definite feeling amongst delegates that trust is slowly dissolving amongst customers who are getting increasingly disillusioned about the safety of their information with their bank.
I had several fascinating statistics thrown at me in conversation. Whilst three years ago 90 percent of hacker attacks were benign with little dollar impact, 90 percent of hacking nowadays is malicious designed to disrupt data or steal information. One of the newest concepts I heard about earlier was ‘data-kidnapping’ – where hackers break into business systems and block a company from using its data, effectively holding them to ransom.
This provoked fierce debate about accountability amongst many of my fellow delegates. If an online banking customer has his account details stolen and loses money, who is responsible? Is it the user for not keeping his identity secure or is it the bank whose security may have been compromised? Doubtless, this is set to be the biggest driver behind the calls for regulation and standards with banks crying out for guidance from a governing body.
It makes sense. If we have regulators for the Internet, telecommunications and accounting then surely we should have some standards in place for security? Someone to turn to so there is no doubt over where the responsibilities lie or what actions should be taken when a security breach happens.
Technology can be a great enabler in combating the security issues these businesses are facing however it can’t operate in isolation. The responsibility for security needs to be spread between multiple parties and it’s down to regulators, vendors, banks and customers to put their shoulders to the wheel and fight this battle.
I’m sure the security discussions will continue as this week goes on but I’ve noticed that, as anticipated, media coverage around Davos has so far been very much dominated by the issue of climate change. I have an Infosys breakfast debate at 7 tomorrow morning where I’m sure green issues will return to the fore.
Ashok Vemuri - SVP and Head of the Banking and Capital Markets Business, Infosys Technologies
Very interesting issue - thanks for raising it Mr. Vemuri. Specific industries have responded with compliance standards (e.g. the PCI standard for credit card processing). However, the weak link continues to be the errant, corrupt or gullible employee who hands out protected information.
Current approaches look at only external malicious attacks. We need more fundamental approaches that look at the data itself, and provide an envelope of protection around the data, not just around some data access methods. I imagine we will see an explosion of innovation around this area over the next 3-4 years...
Posted by: Rahul Roy-Chowdhury | January 25, 2007 at 05:54 PM
Dear Ashok
The issues you speak of are absolutely critical and we have been researching digital security and digital risk management for nearly 11 years.
Going forwards, we will have to migrate towards triple layer authentication -- something that you are, something that you carry and something that you know.
When you have a few minutes check out D2-Banking:
www.mi2g.net/cgi/mi2g/d2banking.php
With warm well wishes
DK
DK Matai, Chairman,
The Philanthropia, ATCA, mi2g.net
Posted by: DK Matai | January 24, 2007 at 08:23 PM