Companies can benefit from educating the public realistically before a breach occurs. "It's about communicating trust, being open to make sure the customer knows you are doing everything you can do to protect their information, but that the criminals are also doing everything they can do to penetrate the data," says Lubetkin. "Banks don't want to oversell the institution's ability by saying 'breaches will never happen again,' because the day they say that is the day it will happen again."
And it likely will, agrees Forrester Research's Penn. "The evolution of criminal tactics is presently outpacing banks' capabilities to defend against them," he says. "However, this is partly because banks are looking to fight particular threats such as phishing or spyware." That shifts the security focus to areas like authentication, when the focus should be on the purpose or result of the attacks, which is account compromise, fraud, and identity theft, Penn says. Instead of deploying a security technology to deal with yesterday's attack method, what companies need to do is invest in better vetting of new customers and better fraud detection, supplemented with tools like user profiling and risk-based strong authentication.
Financial services firms should also use existing forms of communication -- like e-mail alerts on low balances or bill payments -- to provide information to customers on potentially fraudulent activity and get them involved in fighting fraud, adds Penn. Wells Fargo instituted such a system in August.
"Banks need to take security out of the closet and market these safeguards to consumers," advises Penn, who recommends measures such as proactively offering ID theft and fraud monitoring to new and valued customers rather than waiting until data is compromised before offering such services. "Such credit monitoring should be the 21st-century equivalent to the toaster banks used to give out on new accounts."
Lessons For Everyone
While the financial services industry presents an appealing target to data thieves, any business that holds sensitive customer data can use the lessons this sector has learned through years of unwelcome experience. Companies can establish practices for keeping their customers' data secure while at the same time accepting the reality that criminals will forever seek out ways to break into the fortress.
If those criminals succeed, smart businesses will do as the banks do: have an established and practiced reaction plan in place, communicate forthrightly about the situation, take quick action to help their customers protect themselves from fraud, and use the incident to prove themselves a trustworthy and concerned partner to customers.