Securing a Nation

Disaster-recovery and security solutions are emerging as two of the top priorities for financial-services organizations in 2002, as IT spending in banking now represents $56.3 billion in sales, according to IDC, a Framingham, Mass.-based market-research firm. Government reports indicate demand isn't about to slow down anytime soon: 90 percent of corporations and government agencies report they have detected computer-security breaches within the past 12 months, and another 80 percent acknowledge financial losses due to the breaches.

The most serious financial losses occurred through theft of proprietary information and financial fraud. That is well after U.S. lawmakers took action to thwart such system attacks, passing the USA Patriot Act little more than a month after 9/11. Among other mandates, the act strengthened anti-money laundering laws to institutions that previously were under less scrutiny, such as insurance companies and brokers.

The resulting demand for tighter financial security has VARs such as New York-based DataVox Technologies enjoying sales increases of an astonishing 300 percent in security services, compared with the same period last year. DataVox is now seeing a great demand for products that provide intrusion-detection, wireless LAN security, firewalls and more. Its NetSensor service integrates products that remotely monitor data centers for digital and physical intrusions alike.

"If anything, the awareness of the need for such systems has greatly increased since 9/11, and the operational,or human, processes that use security and detection systems have been significantly revamped," says Norbert Sluzewski, president of DataVox. The company installs enterprise network communications/management products from Cisco, Citrix, Compaq, IBM and others for mainly Wall Street-focused customers. "Security systems can be focused to 'sniff' a much narrower range of security vulnerabilities. Organizations with exposure to post-9/11 terrorist electronic activities, such as banks, securities firms and other financial institutions, have a much more honed-in and focused approach toward securing their electronic environments against such activities."

However, there continues to be a false belief that technology systems are in and of themselves the end-all in the security process, he adds. "For example, a $100,000 investment by a company in the most elaborate data-security and intrusion-detection system produces little security value when a single, internal, networked PC is enabled by an individual with an auto-answer modem, advertising itself as an easy back-door for all hackers to use," Sluzewski says.

Sharpened Focus

East Hartford, Conn., vendor Activis is working with local VAR Integralis to sell its managed-security services, which provide damage-assessment and vulnerability warnings for financial systems. Indeed, with three Pentagon "war-room" styled data centers deployed as part of the service, Integralis is finding that financial-industry customers are increasingly focused on the dangers of both external and internal forces disrupting their systems.

"With a managed intrusion-detection system (IDS) solution, companies are now able to benefit from 24/7 monitoring and management that is specifically designed to identify and terminate unwanted access to your network," says Rick Romkey, president of U.S. operations for Activis. "In return, our customers can concentrate on their core businesses at hand, while reducing security overhead costs."

Romkey says Integralis is a key player for the vendor because of the relationship it has established with the customer. "This is very important when we are dealing with any type of financial institution or government agency, as the trust is established mostly with the VAR rather than the security vendor," he says. "The most promising opportunity for the VAR in this situation is for the whole deployment to go off without a hitch. This cultivates trust between the VAR and customer and will most likely lead to future business."

It also helps that the economic downturn seems to be improving, so companies can invest more in secured IT, says Dan Collins, president of U.S. operations for Integralis. "As a reseller, there always was a 'need vs. cost' battle when dealing with IT security products and services to our customers," he says. "The mindset before 9/11 was mostly, 'Do we really need it now?' And, if so, 'Is it in the budget?'" After 9/11, the security mindset took a 180-degree turn and...things started to be security-focused, and the money seemed to appear in the budgets."

Legal Matters

With the recent federal legislation, as well as other prior legislation aimed at securing their systems, financial institutions find themselves facing mandates for privacy and security/confidentiality compliance, especially when it comes to consumers' personal information. In many cases, government agencies lead the way for such commercial-application investment.

"Threats that were theoretical now seem real," says Stuart Staniford, president and founder of Silicon Defense, a Davis, Calif.-based security-systems vendor. "My expertise is in network security, and we are seeing a big increase in concern by the federal government at all levels."

But it isn't just congressional action spurring that; individual agencies and departments are starting to sit up and pay attention as well, Staniford says. "In terms of novel applications, for example, we're looking at how you defeat cyberwar attacks on the backbone of the Internet. We wouldn't have put many resources into that before, because it wouldn't have been credible that anyone would go for such defenses. Now, it's at least thinkable," he says. "One of the reasons our company is so active in government research is because the federal government, especially the Department of Defense, anticipates [cyberterrorism on a scale that commercial ventures haven't been subjected to yet, and that provides us with valuable insight and experience."

While sentiments for such security-measure improvements in financial systems was always high, the events of 9/11 and the resulting rally in homeland security accelerated reform to unprecedented levels, says Wayne Work, information security manager of managed-security services provider Cybergnostic.net, a Trumbull, Conn.-based VAR that sells Silicon Defense products and solutions. "Since 9/11, there has been an increase of hacks and network intrusions," he says. "Companies like Silicon Defense that provide IDS cut costs, and allow us to provide intrusion mitigation at an affordable rate.

Targeting Individuals

Companies are also moving ahead in the suspicious persons/ group-alert front. ResQNet.com, a New York-based software vendor, recently came out with AlertU 2.0, a Java servlet designed with homeland security in mind for financial institutions and executives. ResQNet designed AlertU to work either as a standalone batch process or to be directly integrated into its core products that Web-enable and rejuvenate legacy applications. It warns users against potential trading partners included on the U.S. Treasury Department's Office of Foreign Assets Control and U.S. Department of Commerce's Bureau of Export Administration lists of targeted terrorist-sponsored organizations, foreign governments, international narcotics traffickers and denied persons.

The idea is to protect companies from illegal business relationships that could damage businesses' reputations and increase the potential for legal liability. ResQNet.com is working with CSI, a New York-based VAR, to provide its solutions to financial-industry customers. "CSI fostered the original concept years ago, long before Sept. 11," says Jim Shapiro, executive vice president of ResQNet.com. "After all of the legislation came up in October, we felt this would be a huge focus of government and industry that would command a lot of attention."

Much of the growth interest in the applications is based on protecting financial-systems portals, as customers seek to access information and conduct transactions via browser-based, Internet/intranet platforms that can be accessed anywhere.

"A lot of financial institutions that were looking to broaden access to the financial data are now taking a step back," Shapiro says. "Perception is reality, and people are paranoid now. The old school of thought was, 'We have lots of money and lots of time, and we'll completely rewrite applications for the Internet.' Post 9/11, everything slowed. People didn't have the money or the time to deploy, so they use our solution as an interim solution, which means added revenue for our VARs."

These days, it's often not enough to install a system safeguard that protects a financial institution against a terrorist hacker. Banks, investment lenders and government fiscal regulators are pushing for more intuitive safeguards that, in theory, think ahead of a terrorist to anticipate movement. Waltham, Mass.-based Okena's StormWatch and StormFront products are more proactive, allowing for custom creation of automated security, as opposed to only protecting against well-known attack methods.

The revenue stream for VARs such as Medfield, Mass.-based FireTower are numerous, as the vendor's products allow for custom creation of automated security applications matched specifically according to new applications and legacy systems.

"Most banks and financial institutions have had some form of protection for the past several years," says Robin Lamperti, vice president of operations for FireTower. "But they're more interested now in finding out how well-protected they really are, and what things they need to do to either stay protected or improve their security. I'm hearing more from clients that they want a proactive IDS, not just an alarm system."

As financial customers assess their current security infrastructures, there's also an interest in redundancy, both local and regional, Lamperti adds. "This is the one area that I have heard people refer to 9/11 as being the impetus," Lamperti says. "It's not so much a concern of being targeted, but perhaps being a victim if an act of terrorism were to impact their location, or locations, or if major power grids were to be compromised." n

Dennis McCafferty is a Washington, D.C.-based writer. He can be reached at [email protected].