Mythbusting on-line security

As I write this (2/2011), we are expecting updated guidance from the FFIEC any day on on-line authentication and security.  It is way overdue, as the last release was way back in 2005.  It is supposed to address the changes in the security landscape since then, and hopefully it will even raise the bar a bit, but I’m afraid that it won’t do enough to dispel the 5 biggest myths regarding on-line security:

  • “My software vendor provides all the security I need.”
  • “My multi-factor hardware tokens provide all the security I need.”
  • “If I follow FFIEC guidelines, my measures will be considered ‘commercially reasonable.’”
  • “Multi-factor authentication is adequate.”
  • “The customer assumes partial responsibility for security (at least contractually).”
  • “Unless Reg E is extended to commercial accounts, my financial liability is limited.”

I’m going to address why all these are false in future posts, but for now make sure your risk assessment doesn’t rely on any of them.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
