Technology white papers – IDGconnect.com


Laura Mather (US) - What the New FFIEC Guidelines Mean for Data Breach Trends

Posted by Company Silver Tail Systems 08/08/2011

On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for the banking industry to better address today's growing online security pandemic. The message is clear: cyber security must be prioritized. Unfortunately, redundant government policies are costing Bay Area businesses millions of dollars in compliance and fines, with no guarantee of enhanced protection. As noted by the Bay Area Cyber Security Council, "state standards vary, are inconsistent, and require significant resources to monitor and that businesses need a voice at the table during policy discussions."

Today's web-based attacks are incredibly sophisticated, and some of the recent methods that online criminals have used to penetrate various types of websites include sensitive information scraping, probing of customer lists on intranets, submission of fraudulent tax returns, architecture probing and more. With the federal government finally behind consumers, "now is the time for the business community to help educate legislators and establish policies that protect the competitive vitality of American companies and the interests of consumers." Organizations must be better equipped to respond to these types of threats in real time, and identifying normal vs. abnormal online traffic has become a critical approach to stifling zero-day web-borne attacks.

The new FFIEC guidance has specifically noted that transaction monitoring and anomaly detection are necessary and actually "could have assisted in preventing many fraudulent money transfers as they were clearly out of the ordinary when compared with the customer's established patterns of behavior." United States businesses and financial institutions in 2010 saw a surge in data loss as a result of breaches (Verizon Data Breach Investigation Report 2011), and the trend of high-profile breaches has continued to increase in 2011. The hope is that these new guidelines will be a step in the right direction for further protecting organizations against the growing threat of online crime.

However, as U.S.-based financial institutions further safeguard their infrastructure, cybercriminals are likely to look elsewhere for unprotected systems and applications. E-commerce is a greenfield, and mobile platforms also raise concerns among security experts. Gartner analyst Avivah Litan also noted recently that the rise in malware and in man-in-the-browser, man-in-the-middle and man-in-the-mobile attacks is particularly alarming. If mandates are not created to put additional resources behind securing web-based platforms, we will continue to see a rise in cyber attacks across all industries in the U.S. and across new platforms and applications. The release of new FFIEC guidelines for the financial industry is a great start, though e-commerce needs to take a similar approach, and specific standards and policies should be established surrounding mobile computing.

We know there are challenges ahead, and it's important for information security and fraud prevention specialists to be prepared. While guidelines do not ensure security, they do establish a baseline for organizations to work from when constructing a solid security strategy.

By Laura Mather, Founder and VP of product marketing, Silver Tail Systems
