Identity theft, or phishing, where confidence tricksters lure consumers` financial details from them via e-mails, is one of the fastest growing crimes in countries where financial services companies offer access to their services via the Internet.
Rhys Collins, Financial Services Group insurance manager for Computer Sciences Corporation`s operations in South Africa, says these crimes should ring warning bells for financial services companies whose business strategies include Web services.
One mechanism banks and insurance companies use to compete for market share is Web-based services that make it easy for clients, intermediaries and business associates to access products and services online.
However, Collins adds: "The view that enterprises are separated from the outside world, with a single point of entry protected by a firewall, is outdated. Instead, the reality is that e-business, outsourcing and mobile technologies have blurred corporate boundaries almost to the point of no longer being recognisable as boundaries at all.
"This openness is a security nightmare that financial services companies must confront if they are to manage the risks associated with Web services," he says. "If they cannot effectively manage customers` address authentication, authorisation and audit requirements, there will be no public trust in these services."
The security risks raised by these online services give financial services companies three choices. They can:
* Accept the risks because they believe that the advantages and new opportunities outweigh the risk and additional security is not justified;
* Transfer the risk by insuring against the potential losses that the risks pose; or
* Mitigate the risk by changing the existing information and communication technology architectures and technologies, and changing their business and security policies.
"South African financial services companies are still exploring the security options for Web-based services. It is a new market and they need to be able to trust the technologies before making a considerable investment," Collins adds.
Considering the potential value of financial transactions, the importance of security and the relative immaturity of security capabilities within Web services, some analysts predict that the market for Web-based services security will grow into the tens of billions of dollars worldwide in the next few years.
Currently, neither the core protocols of Web services, nor existing Internet security standards, are robust enough to support Web-services security solutions.
Collins says this has led to an almost "overwhelming desire on the part of architects and developers to invent new security solutions, such as home-grown encryption algorithms or credential passing schemes. The problem is that these solutions face huge interoperability problems and are too often found to have critical flaws that make them more of a threat than a protection.
"Web services will present many companies with the highest security risk of any technology effort they have yet undertaken. Financial services organisations that are incorporating these services into their business strategies should start by deploying pilot Web services internally. Although internal networks are not completely secure, the risk of deploying Web services internally is lower than deploying those services externally," he adds.
"It would also be wise to expose low-risk processes first. Companies can reduce their risk by starting with business processes that are not critical or that do not involve highly sensitive information. Security must be designed into the system from the start, rather than bolted on just before public roll-out."
Financial organisations now accept that phishing is a constant threat to the financial services landscape. They also realise that countering it requires smart technology strategies and good security practices by both clients and organisation staff.
Share
CSC offers the South African market a wide range of services, including systems integration, application and infrastructure outsourcing, and business process outsourcing (BPO), as well as financial services solutions.
In South Africa, CSC also provides BPO services to manage the policy processing and administration for US and UK financial services customers, which include banking, short-term insurance, and life and pensions providers.
A leading IT services provider, CSC adds value through its collaborative approach to delivering fast, reliable and flexible solutions. CSC opened its doors in South Africa in November 1999 and today has offices in Johannesburg and Cape Town. For more information, contact (021) 529 6500 or (011) 612 5400.
CSC
Founded in 1959, Computer Sciences Corporation is a leading global IT services company. CSC`s mission is to provide customers in industry and government with solutions crafted to meet their specific challenges and enable them to profit from the advanced use of technology.
With approximately 78 000 employees, CSC provides innovative solutions for customers around the world by applying leading technologies and CSC`s own advanced capabilities. These include systems design and integration, IT and business process outsourcing, applications software development, Web and application hosting, and management consulting. Headquartered in El Segundo, California, CSC reported revenue of $14.5 billion for the 12 months ended 30 September 2005.
For more information, visit the company`s Web site at www.csc.com.
Editorial contacts