Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Executive Women's Forum - Information Security, Risk Management and Privacy
Allan Pomerantz

Human Fallout and the Security Impact of the Sub Prime Crisis

By now everyone has heard of, or should I say felt, the impact of the sub-prime crisis on the economy as a whole and on US financial institutions. In particular, the big banks have been affected by having to write off billions of dollars in losses.

In order to help restore their balance sheets, these institutions are announcing extensive expense reductions, particularly layoffs. Of course, the details of these cutbacks are not announced, so the effect of this situation on their information security cannot be known. However, there are three outcomes that are quite plausible in this situation.

  • First, the staff reductions likely include security personnel.
  • Second, the capital spending reductions may include security infrastructure.
  • Third, and perhaps most important, the number of “insiders” (i.e., employees and contractors) who have a motivation to cause harm to their employers will probably increase.

This could be a volatile mix. The damage that such disgruntled insiders can do is magnified by the financial size of these institutions, especially if coupled with the reductions described above. The hostile takeover of Bear Stearns (at least from the adversely affected employee’s point of view) is just the most visible example of this situation to date.

In addition to these threats, rest assured that the black hat community is also aware of this situation and will probably intensify its attempts to exploit it. After all, the potential combination of reduced security activity coupled with the increased chance to recruit a disgruntled, soon-to-be-laid-off employee will be like steak in the shark tank.

So what can be done to keep this situation from adding to the damage the sub-prime mess has already caused the big banks? Here are my two thoughts.

First, the Audit Committees at these institutions should insist on reviewing any cutbacks in security spending to ensure that they do not widen the bank’s exposure to the growing threat of insider abuse.

Second, the bank regulators, especially the FFIEC, should issue guidelines to help bank CISOs deal with their top executives in mitigating this increased risk.
