An Image Is Worth a Thousand Words — and Millions of Dollars

An estimated 10,000 financial institutions have added remote deposit capture into their quivers of services since Check 21 went into effect in 2004. It is becoming commonplace for community banks to exchange images electronically and as mobile remote deposit gains traction, banks will exponentially increase the volume of images they handle. As databases build up, however, so do the dangers. Hackers have found a honey pot in online image archives; a place that they can break into and obtain enough account numbers and information to make a hefty profit.

The looming threat of hackers gaining enough personal information to drain customers’ accounts is exactly what keeps bank executives up at night. These crimes can do serious damage to an organization’s bottom line, as the industry learned two years ago when hackers claimed access into a credit card processor’s database that processed 100 million payment card transactions per month for “longer than weeks,” and the company lost half of its stock price in days.

The Ponemon Institute published a report in July 2010 analyzing the cyber crime of 45 organizations and found the median annualized cost of cyber crime to be $3.8 million per year, with some costs escalating to $52 million annually. The same company reported earlier this year that the average cost of a breach is $204 per victim, which could add up to a small fortune if an entire image database was accessed. Using that average, a bank scanning deposited checks for 50,000 customers is vulnerable to losing more than $10 million in one year. Community banks also need to take into account the potential loss of trust and customer relationships associated with a major security breach, as well as the impact negative media coverage will have on future business.

Although funds are being transferred via images, community bankers must maintain a “Brink’s security truck” frame of mind when it comes to protecting those funds and the data associated with them. Despite the continually increasing amount of sensitive data stored by banks — from images to loan applications — many do not have bulletproof strategies in place to protect that data. In fact, many community banks are not even using compliant storage for their images.

A compliant storage environment requires a write once, read many, or WORM, data storage system that can be read from and referenced unconditionally, but never modified. The industry once relied heavily on WORM systems, writing all of its data to optical disk or platters to free expensive disk space. During last decade, data storage space became more prevalent and less expensive, leading banks to store more data on their hard drives, never writing it to an optical or WORM device. Banks purchased large amounts of storage for little money with the digital storage pricing revolution, and bankers began to think that backing images up to tape (which is somewhat unreliable and alterable) was a suitable archive.

Today, with the ongoing threat of hackers gaining access to image archives, bankers need to return to WORM-compliant software or devices that have stronger security built in. Partnering with qualified and reliable third-party providers or writing to a WORM–type device is the only way to ensure that data is compliant, unalterable and comes with multiple added layers of protection. A successful system must:

• Record the audit trails of everyone who accessed and tried to access the data (failed attempts are sometimes as important as successful log-ins).
• Manage the information lifecycle management, which enables a bank to maintain compliance with several laws requiring that documents are retained for specific periods of time and no longer.
• Perform regular audits of the environment to ensure that the integrity of the system and its data remain strong and bad files are not further corrupting other data.

These items touch on the performance benefits of a compliance storage device, but the most important differentiator is enhanced security. Banks that store image data on their servers or hard drives, without a compliant storage device, make that data accessible to any hacker that can get past their security networks. Those that have a direct interface between Internet banking and their storage are especially susceptible. A proper storage and archive device adds multiple layers of protection with an added security wall — a virtual vault within the bank — and encrypted data. Banks should seek the most advanced encryption levels, such as AES-256, which is used by the government to protect “top secret” information.

Additionally, images should stay encrypted when at rest or in transition. Far too many employees lose sensitivity to the importance of encrypting images at all times. Simply emailing a check image to a customer or service provider without encryption can lead to a lot more trouble than it is worth.

Compliance is often viewed as a burden to financial institutions, but protecting your image archives is essential to survival. A compliant data storage system is more important than ever before as community banks expand their image offerings and hackers adjust their focus accordingly. Hackers have a tremendous amount of time and resources to plan strategic, sophisticated attacks. Community banks need to take every precaution to protect their growing image archives and re-educate all employees regarding what it truly means to be compliant.

Kris Bishop is the director of enterprise conversion solutions at ProfitStars, Dallas.

Copyright © November 2010 BankNews Media