Protecting What’s Valuable

Tom, our head risk management advisor, walks around with a $100 bill in his pocket.  At training sessions, he’ll set that $100 bill in front of someone and put a stack of his personal bank records next to it.  Then he asks, “Which one should I be more afraid to turn my back on?”

Anyone who works in finance is quick to catch his point.  They know that his personal information is worth far more than $100.  It’s worth more to a crook, and it’s worth more to Tom who’d have to spend at least 10 times that clearing up a case of identity theft.

But what we understand in a training session doesn’t always translate into daily action.  We get hired for enterprise risk management to walk through financial institutions doing risk assessments and social engineering tests.  We know we’re never going to see even a $20 bill lying out.  That’d be heresy in a bank.  But walk by an open cube, and we might find 20 home loan applications ripe for the plucking.

Here are a few daily reminders that we’re good at protecting cash: 18-inch-thick steel reinforced concrete vaults, timed vault doors, elaborate alarm systems, cash counted and verified daily, teller drawers locked and stored in the vault overnight, robbery training.

Now ask, how are we reminded about information security?  Remember those loan files sitting out all day and night?

If your bank or credit union is held up at gunpoint and cash is stolen, you only have to tell your regulator and the FBI.  Sure, it’ll make the news, but anyone who hears about it feels bad for the staff and the bank.  The public assumes you did nothing wrong and that you were a victim. (The banks have locks, vaults and alarms after all…) 

However, if your information network is breached, you not only have to tell regulators and authorities, you may have to notify customers.  You’ll get a ton of press and your customers and the public won’t see you as a victim but rather as a business that didn’t do its job.  (Don’t they have a firewall and passwords?)

Now think about the impact on your customers.  When cash is stolen, your customers are fine.  They aren’t out anything.  But when their identity is stolen, they have to work hard to get it back and they never really know if they’re made whole.  (Am I finally through calling everyone and switching things?  Did I get everything?  I’m so mad at that bank!)

Like cash security, information security is everyone’s responsibility.  And it’s a cultural shift that needs a champion in your organization.

The truth is, it’s harder to manage information than it is to manage money.  There’s no way to be 100 percent protected when it comes to enterprise risk management, but if you organize yourself, train, and use some better tools, you can limit your risks.  Make yourself better armed than your competitors and you won’t be the “low-hanging fruit.”


Pete Griffith is CEO of Supernal, makers of the Scout™ risk management dashboard.  Find him online at www.supernal.com and on Twitter @SeeScoutRun