The Agency Insider with Linda McGlasson

Security Enforcement: The Threat of a Pop Quiz Works Every Time

Security Enforcement: The Threat of a Pop Quiz Works Every Time

Remember when you were in school and you hadn't read the chapter like your American history teacher had instructed your class to do on Friday afternoon right before the last bell? It was springtime; who was paying attention to their school work? Who thought there might be a pop quiz on Monday afternoon?

When you joined the rest of the class, which was in the same situation on the next Monday afternoon, (having not read chapter 14, or any of the previous chapters for that matter), you slipped into your seat and flipped open to chapter 14, the dreaded 1880s. You slid down further behind the big football player in front of you, hoping (upon hope) that the teacher didn't call on you to discuss the relevance of the Haymarket Square bombing and the Haymarket Affair. Then the sound of your American History teacher's voice sounds like a death knell across the room: "Class, close your books; we are having a POP QUIZ."

Now, here is a related story for all of you information security professionals out there who think you don't have to "study chapter 14."

The British version of our banking regulatory agencies, the Financial Services Authority (FSA), has for the first time issued a fine for lax security. That's right; a fine was imposed even though there wasn't any evidence that a breach had taken place.

The FSA fined the Merchant Securities Group, a stock broker, 77,000 British pounds for having poor security controls and not protecting client details properly. (That is equivalent to more than $150,000 US.) Imagine the fine that the FSA will impose on the next firm that has a data breach? Ouch, I'm betting it will be at least eight figures. Security experts warn that the FSA has used this firm as a warning, and the next fines may be much higher.

Is this the wakeup call for British financial services companies? Margaret Cole of the FSA states: "We will not wait until information has been lost or stolen before taking action against a firm."

When I hear words like those, I remember those April nights spent poring over my American history text struggling to prepare for that next pop quiz that thankfully never came. For the majority of students, the threat of a pop quiz was the only thing that worked.

The question here for our American financial services companies is: If your regulator came to your institution tomorrow, would you be able to pass the "pop quiz" on security controls and protecting client data?

If our American banking regulators take the same approach as the FSA, there may be many institutions that will have to spend more time preparing for their examinations. (I can't recall any U.S. institution being fined for lax security.)

For some students and companies, only the threat of a pop quiz - or a fine - will spur them into action.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.