|
How to Hook a Phish
Wells admits that ramping up his spending on technology was tough to stomach at first. Before Web banking, the bank used only a handful of computers for wire transfers, word processing and limited networking. James had to fight for every IT security-related dollar he got. The battle reminded him of the Y2K spending of yesteryear. "The execs complained, 'You spent all that dad-gum money and nothin' happened,'" he recalls. "I told them, 'Maybe nothing happened because you spent all that money.'"
It also helps that James is part of an association of noncompeting midsized banks. The group gets together a couple of times a year and shares best security practices. That insider exchange ensures that Happy State Bank isn't on the bleeding edge of certain technologies and practices. But it wasn't until recently that business leaders like Wells really saw the value of the IT department's security prowess.
This summer, James received a call from a stranger in San Antonio who pointed him to a Web site that looked like Happy State Bank's own. "The guy told me that he was tired of all this and that he hopes we nail them," James says. Hall telephoned the service provider and got the fake site shut down within four hours. The next call went out to federal authorities. Then the bank's customer service department got into the act and called every one of the bank's 4,500 Web banking customers, warning them about the threat even though the fake Web site hadn't been "phished" to them yet.
The real reward came when James showed the fake site to Wells and other executives. "It was unbelievable how authentic it looked," Wells marvels. "I darn-near logged in myself. It was scary."
James has had a harder time explaining Web banking security to Happy State Bank's board of directors, many of whom are farmers. The board wanted a promise from James that there would never be a security breach. That's unrealistic, of course. In addition to fighting off a wild world full of Internet bandits (not to mention internal thieves), James and his crew might someday encounter a zero-day exploit whereby a tech vendor's patch lags behind a new attack. "There's nothing you can do about it," James says.
Such is life on the Web banking frontier.
"I told the board that a security exploit is like a dog that digs a hole in the backyard and that it's dang-near impossible to prevent him," says the IT chief. "That dog is going to dig somewhere -- but we'll do all we can."
Tom Kaneshige was a senior features editor at CIO Decisions. To comment on this story, email editor@ciodecisions.com.
|
