Financial services firms share security tactics

Visa, JPMorgan Chase, and Experian among companies adopting more stringent corporate defense mechanisms

Some of the top players in the financial services arena-- such as Visa, JPMorgan Chase and Experian International -- are expanding their tactics for preventing customer data loss.

IT security managers convening at two interrelated conferences in New York this week said their firms are adopting both new network defenses and organizational structures to lower risk of a data breach. Some say the very survival of their businesses may be at stake, since news reports about incidents are leading to customer loss and million-dollar lawsuits. California was the first state to require public disclosure of a data breach, and now there are now about 30 other states and localities that do as well.

“When an event becomes public, the stock price tilts, there’s brand damage and finally decreased revenues,” said James Christiansen, chief information security officer at Experian International, speaking at the Summit on Preventing Data Leakage.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Some of the top players in the financial services arena-- such as Visa, JPMorgan Chase and Experian International -- are expanding their tactics for preventing customer data loss.

IT security managers convening at two interrelated conferences in New York this week said their firms are adopting both new network defenses and organizational structures to lower risk of a data breach. Some say the very survival of their businesses may be at stake, since news reports about incidents are leading to customer loss and million-dollar lawsuits. California was the first state to require public disclosure of a data breach, and now there are now about 30 other states and localities that do as well.

“When an event becomes public, the stock price tilts, there’s brand damage and finally decreased revenues,” said James Christiansen, chief information security officer at Experian International, speaking at the Summit on Preventing Data Leakage.

Experian, a global company with over $3.1 billion in annual sales from consumer credit reports and other business data and analytics, was able to cite its rival, ChoicePoint, as the industry’s bad boy poster child at present. ChoicePoint last year acknowledged a loss of 145,000 customer records and is still fighting lawsuits about it. In the hope of avoiding a similar fate, Christiansen acknowledged Experian has racketed up its defenses in several ways.

For one thing, “We just won’t accept data that isn’t encrypted anymore,” said Christiansen. In addition to encouraging employees to report any suspicious events, about eight months ago Experian also started using a data-leak prevention appliance to monitor employee e-mail, file transfer and instant messaging.

"The first time you use it, it’s like turning on a light in a kitchen at night and catching the cockroaches running,” said Christiansen. Experian doesn’t block suspicious network behavior but does investigate data transfers that may violate corporate policy, such as failure to use encryption. Most of the time these incidents are mistakes by employees that require training re-enforcement.

According to Christiansen, cybercrime that targets sensitive customer financial data is lucrative and well-organized, something that hit home by working with the U.S. Secret Service on what’s called the Project Harvest research online with others in the industry.

He said he sees that thieves around the world are selling software financial-theft Trojan programs for $1,000 to $5,000, a credit card with PIN for $500, and change of billing data for $80 to $300, and $7 to $25 depending on volume for stolen credit card numbers with security codes. “It costs $7 for a PayPal account logon and password,” he added.