Ben Katz doesn’t always sleep well. Vice-president of a Hauppauge, N.Y. brokerage firm, Zeus Securities, Katz is charged with keeping the firm’s technology systems safe from hackers and thieves. “Everyone (in the financial industry) has to worry about being a target” of data theft, says Katz. He says the concerns keep him up at night. “If someone wants to make you a target, they will, and they will sabotage you.”
Katz is not alone in worrying about a rash of viruses and attacks from hackers aimed at taking possession of customers’ personal identities or proprietary company information, or even funds that could be wired to some hidden account.
“To the extent small [brokers or other financial-type companies] are hooked up to the Internet, they’re unprotected,” says Robert Richardson, editorial director of the Computer Security Institute, a San Francisco-based organization that trains computer security professionals.
Viruses that make their way into computer hard drives hide on Internet sites, and Richardson says they are now the biggest problem most companies face.
And because of it, businesses are losing big money.
Richardson is co-author of an annual computer-security study that Computer Security Institute publishes in conjunction with the FBI. The latest survey found that corporate and institutional computer break-ins increased slightly last year over 2003, but that average financial losses from those break-ins had fallen, with the exception of two major categories — unauthorized access to data and theft of proprietary information.
In 2004, the survey revealed that the average loss from unauthorized data access rose to $303,234, from $51,545 in 2003. The average losses from information theft climbed to $355,552, from $168,529, in 2003. Respondents sustained total losses in the two categories of about $62 million last year.
The picture is not pretty, experts say, and is getting worse as companies large and small merge with other businesses in the United States and overseas.
“The larger [brokerages] have elaborate security and professionals on staff dedicated to computer security,” says Warren Kruse, director of information technology consulting at Kroll Associates, an investigative firm in New York.
“But we still find vulnerabilities in the larger systems because they don’t always know what they’re connected to,” Kruse said. “They’ll make an acquisition, and now they’re taking on all the security risks of that acquisition.”
Businesses do try to keep their data safe. Firewalls, spyware and anti-virus software are among the weapons they use, but in the cat-and-mouse game between companies and hackers, hackers often seem to have the upper hand, experts say.
Alan Davidson, founder and president of Zeus Securities, the Hauppauge brokerage firm, figures his computer systems are protected.
Yet something gnaws at him much of the time.
“We all get viruses,” Davidson says. “This miserable breed (hackers) gets some kind of vicarious thrill out of destroying somebody’s files. It’s outrageous.”
Davidson and others point to the need for stronger legislation. Some laws have been approved, but most of them seek to protect consumers, not businesses.
In 1999, Congress passed the Gramm-Leach-Bliley Act, which calls for individuals to be informed about the privacy policies and practices of financial institutions, so that consumers can use that information to make choices about financial institutions they wish to do business with.
In 2003, California passed the Security Breach Information Act (SB-1386), which dictates that organizations must notify individuals if the security of the organization’s information has been breached.
Companies have little choice but to keep their eyes on their computer screens — and keep up-to-date with the latest anti-virus software packages to hold the bad guys at bay.
“Everybody is in the same boat,” says Robert Houghton, founder and president of Redemtech Inc., technology recovery specialists in Reno, NV. “But the stakes are a lot higher for financial firms” because lots of money is at risk.
One of the key problems, Houghton says, is that many companies do not have a centralized policy requiring strong data security procedures. Instead, he says, such policies are left to individual units of a large company. “Very typically, you might have five or 10 or 5,000 offices [within a corporation]... But if data security matters are allowed to be handled at the local level then you can almost be guaranteed that you will have inconsistencies that lead to failure in the process.”
His solution: “As a starting point, I think [businesses] need to establish a centralized policy that they enforce because the downside risk is quite onerous.”
Two of the nation’s largest banks — Wachovia Corp. and Bank of America — were red-faced this past spring when they had to notify thousands of their customers that their financial records may have been stolen. Police believe company employees were responsible. The investigation is continuing.
Neither Wachovia nor Bank of America would discuss any of their security procedures, as is standard for companies. But experts said that the protections banks use to thwart hackers — firewalls and encryption — have little ability to stop ill-intentioned employees who are authorized to access secure information.
But some experts think banks could do more.
“There are a lot of ways banks could make their systems more secure to their customers,” says Edward Maguire, a research analyst at Merrill Lynch in New York. “But the dirty little secret is that the costs of fraud are not compelling enough to force the banks to spend an additional amount per customer.”
Maguire estimates brokerages spend only five percent to six percent of their information technology budgets on security. They should be spending in the low teens, he says.
“It takes these high-profile incidents [such as at Wachovia and Bank of America] to force companies to take any action at all,” Maguire maintains.
Break-ins of various types are more likely to increase in the future as computers become more and more like everyday utilities, such as telephones, and even the smallest of companies can’t function without them.
That brokers and other business people are concerned is a good sign, says Kruse, of Kroll Associates.
“The attacks are getting more sophisticated,” Kruse says. “The attacks can happen from anywhere in the world to anywhere in the world. Many times, when we find a problem, we find that the organization wasn’t worried about one. You don’t have to be paranoid, but it’s good if there’s a little worry.”