Research among US Bankers<\/a> clearly illustrates this. Nearly 80% of all bank executives planned to invest in more security. As such, it was the top technology investment category, far ahead of topics like online banking and mobile banking. If I elaborate on these security investments, it seems to me as if the \u00a0key focus of many IT security strategies and plans is on the external channels. So, banks focus on securing their online transactions, both between their customers and their own systems, as well as the transactions between banks and their peers. Many innovations and new techniques are used to increase the security levels. This is very understandable since most of the attacks come from the outside and from external, anonymous sources. We therefore see many innovations in this domain. For example, in the area of authorization, where bio-metrics like fingerprint and voice recognition may become commonplace in transaction authorization.<\/p>\nAt the same time the new online banking model doesn\u2019t mean that the internal security will become less important. If a bank changes from a model with large number of branches and staff numbers for the daily operations, towards a smaller number of branches and fewer, but highly skilled staff, this creates a risk. In the new situation fewer people are involved in daily banking operations and in general this means that they have more responsibilities, and more authority to access systems and information. In a world where the external channel security is brought up to Fort Knox level, getting access to and manipulating key staff employees may become the easiest way to have access to the bank and its systems. Getting access to the desktop of staff members and social engineering techniques may become the most effective ways to get access to the bank.<\/p>\n
Banks forget enterprise telephony as part of IT security<\/h2>\n
And there we see something interesting. Everybody sees IT as something that has to be secured and everybody understands that also the internal IT environment, the employee\u2019s work-space, computers, laptops and tablet or smartphone have to be secured. But one way or the other, we tend to forget the desk phone. Many of today\u2019s desktop phones are not secured and if they are, the security is often not used. Today\u2019s enterprise telephony provides business users with desktop phones with enormous capabilities. The complete user profile is linked to a specific phone extension, providing the private business contacts, the call history and other data. But most of all, it provides a trusted contact to other employees in your bank. If you receive a phone call from an internal colleague, calling from the financial department and knowing your name, you may be less cautious if you provide him with the information he is looking for, even if he asks a bit more than you would expect. Trust works to colleagues and it works to customers.<\/p>\n
Let\u2019s give an example of the potential damage. In October 2015, the Evening Standard published the article \u2018Nine arrested over ‘\u00a360 million fraud’ targeting bank customers\u2019. It describes a fraud where criminals targeted business banking customers by purporting to be from their bank in order to dupe them into revealing personal information to allow them to gain access to their accounts. These criminals used technology to disguise the number they called from to make it appear as though they were a legitimate bank. This example clearly illustrates the potential value it has to have access to phone lines with some \u2018authority\u2019. For making calls to external relations this could also be done via black-hat type technology, but for internal calls to other departments the use of an existing desktop phone may be the preferred or only way. Specifically, since in the war against these phone fraud attempts, specialized security companies not only check the calling number, but also other call characteristics like noise and frequencies to check the real origin of a calling party.<\/p>\n
How is your desktop security organized?<\/h2>\n
It\u2019s an example and it wasn\u2019t your bank, we hope.. But looking at your office, how is your VoIP desk phone secured? What if at your department a key account manager leaves the office with an \u2018open\u2019 desktop phone? How easy is it for a colleague, a visitor or an employee of the cleaning service to access that phone and download the account manager\u2019s entire customer list. Or worse, to contact a client and provide him with some \u2018special advice\u2019. Or to call on a regular basis some escort service and make your account manager vulnerable for blackmail. The number of fraud and abuse scenarios with free accessible desktop phones is large, and we will elaborate on some of these VoIP security threats in upcoming blogs.<\/p>\n
Often the reaction to the question above is as expected. The responsible IT department states that the desktop telephone is secured via a username and password and that it is impossible to access a phone without these account data. This is true, but it is in no way a solution. Where logging in to a laptop or computer has become common practice, logging in to a telephone definitely isn\u2019t. Entering a username and password on a telephone with a rudimentary keypad isn\u2019t practical and the reality is that staff often deliberately \u2018forgets\u2019 to log out. Not just to have a hassle-free start the next morning, but also since most of the people don\u2019t see any risk in leaving their desktop phone \u2018open\u2019. They simply don\u2019t see their desk phone as a security risk. Three roads to your data are closed. The fourth one is open\u2026<\/em><\/p>\nSingle Sign On for enterprise telephony<\/h2>\n
Ideally, logging in to a desktop phone should be as common as logging in to a PC or laptop. And even better would it be if logging in to the phone and the computer would be a single activity. And that\u2019s where RSconnect comes in. Our Active Login Manager is a Single Sign-On (SSO) solution which automatically logs in to a Cisco enterprise telephone when the user logs in to his office environment. And automatically logs off when the user leaves his desk or workplace and even the office. With the Active Login Manager you are 100% sure that whenever your employee is not at his or her desk, the desk phone cannot be used either. Active Login Manager provides the level of security for your office environment and extends it to your desktop telephony. As such, the Login Manager is a must-have for companies using Cisco IP Telephony, Cisco Unified Communications (CUCM) and Cisco Call Manager technology (CCM).<\/p>\n
The software is easy to use and improves the internal security policies within your company, optionally on top of your current Active Directory integration. So, the question I would like to ask you, as a banking executive: Is the level of attention your bank pays to your external channels and access to computer systems, in balance with the level of attention you pay to the security of your desktop phones? If yes, I congratulate you. If not, it is perhaps good to have a chat and discuss our Active Login Manager. It will block the fourth road to sensitive company data and potential cybercrime.<\/p>\n