The tragedy of September 11th ushered in a paradigm shift in security. The financial sector's mantra, subsequent to that dark day, was to focus efforts on business continuity and resiliency. Headquarters were backed up to data centers at least 30 miles away, and remote access was increased tenfold so as to limit the impact of a terrorist attack. The sector-wide effort to manage the risk posed by physical attacks created an environment wherein once-secure operations facilities, which had a single point of access from an IT perspective, now had hundreds of points of virtual ingress. The environment of financial institutions had thus become spider-like. It is this new environment, based upon the valiant initiative of business continuity, wherein technology risk has been exacerbated. The business continuity movement has created a cybersecurity quagmire. The current externalities associated with business continuity are systemic and severe.
In recent years the suspicious activity reports (SARs) filed for computer intrusions within financial institutions have grown exponentially. The FDIC Technology Incident Report of 2007 noted three disturbing trends: The number of computer intrusion SAR filings is growing at a fast pace. The estimated mean loss per SAR almost tripled during the prior year.
Unknown unauthorized access was the most frequently identified type of computer intrusion, meaning the FI could not or did not identify how the intrusion occurred, followed by ID theft or account takeover. Spear phishing (in which end users with high computer access levels are targeted) was also cited in several sampled computer intrusion SARs.
The 2008 Verizon Business Data Breach report noted that 39 percent of breaches occurred as a result of business partners. These trends illustrate how remote users and third parties, who provide Web hosting, data warehousing and/or business continuity services, create increased operational risk.
Most backup facilities and outsourcing arrangements contain serious gaps in security. These gaps have remained persistent due to the lack of regular penetration tests of those networks. In July of 2001, a major hosting company in Atlanta suffered a significant data breach. As a result, 300 banks' networks and users were compromised. This event illustrated the systemic risk associated with outsourcing critical functions and the expanding target for cyber-infiltration.
Critical Gaps
There are three critical gaps created by the new security paradigm. First is Web application and Web service vulnerabilities; many of these operations are over-reliant on their portals and thus have become susceptible to SQL injection, cross-site scripting and other Web service attacks. Second is remote user compromise: telecommuting begets risk. The exponential expansion of remote access has created two phenomena: Hackers are now attacking the wireless transmission layer, and spear phishing attacks (client-side attacks) have increased exponentially. One must note that VPNs are merely tunnels whose water can be polluted. Devices enter and leave a network many times per day. A rogue device can bring down a network, and the remote user population is the weakest link in the security chain. Assessing their susceptibility to spear phishing, as well as determining whether those devices are hardened, is paramount when managing today's technology risk.