If you lived your life on the basis of what you read about crime in the daily papers, you wouldn't get out of bed in the morning.
The same is true of much of what we're seeing on Web security at financial institutions. Web insecurity is news, and Web security isn't, despite the fact that online commerce is the fastest-growing market on Earth - both consumer and business-to-business - and we're in one of the slowest economies in recent memory.
But you wouldn't think the Web was so great after reading about Web security. One recent report says credit card fraud is now 12 times higher online than in-store, while another report pegs online fraud at four times as frequent as the old-fashioned kind. No matter how you slice it, that's fearsome - until you realize that the Web is driving double-digit sales growth and fraud still accounts for less than 1.2 cents out of every dollar spent online.
Is Web security a challenge? Yes, but it's manageable.
The biggest oversight that banking IT executives make in assessing Web security is focusing on the challenge and not looking at the business opportunity. All technologies have risks that need to be managed against their business impact. The job of the IT professional is to identify and then minimize this risk in a way that allows us to introduce new technologies that drive business performance.
Another common error is imagining that security was bulletproof before the Web started to take over. Fifteen years ago business was conducted largely by phone and physical transactions, and criminals found ways to tap phones, overhear conversations, and steal physical data. No IT security system in the world is stronger than its weakest link, which is the human being.
As banking transactions move to the Web, we face new security risks, but they are being offset by huge gains in market speed, enhanced customer service, expanded customer base, higher productivity, and lower operating costs. There is no turning back.
The real issue today is maximizing the effectiveness of Web technology as we reduce risk, and this is happening to a higher degree than most people realize. In any Web transaction, a business needs to manage several challenges. It must identify who its users are, what they should be allowed to do, and what policies will drive business decisions. These policies, for example, have to define the rights of different types of users - customers, employees, suppliers, and business partners.
As we build stronger enterprise security, we need to make sure that this added protection integrates easily and flexibly across the business and is easy to deploy and manage. For example, as employees enter and leave the business, IT administrators need to be able to update online access rights without having to recode multiple applications for each employee.
Right now, with employee turnover rates approaching 100% in some industries, it's so costly and complex to manage security across diverse systems and applications that many employees have access rights to corporate systems they shouldn't have, because these rights are outdated. Twenty percent of corporate system accounts belong to people who haven't worked for the company for five years or longer.
Ease of use, flexibility, and economy also need to be built into the way we manage Web commerce risk. Today the customer is asked to provide several layers of information for authentication - an ID, password, credit card number, and possibly other information like a date of birth or ZIP code. If this information checks out with the credit card company and the business, the customer is allowed to complete the transaction.
The next step in improving online security may be biometrics technology, which identifies users by their physical characteristics. We use biometrics to a degree now with digital photos on driver's licenses and credit cards. The Internet will allow us to digitize additional physical characteristics - for example, a fingerprint, palmprint, or retinal scan.
As biometrics technology improves, the test will be its cost-effectiveness, along with how it squares with equally important business imperatives like protecting consumer privacy and trust.
Will the Web ever be secure? Considering where we've been and where we're headed, we have every right to expect the Web to become increasingly secure as security continues to enable rather than strangle business performance.