PORTLAND, Ore. – Corillian has become the first U.S. online banking firm to receive BS:7799 certification. The standard originated in Britain and covers a company's security management system. It spans 10 control areas: business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer and operations management, asset classification and control, and security policy. These 10 areas contain 127 specific controls. Quite a few firms in the UK have it, as do firms in Japan, but only 23 U.S. companies do, said Jim Maloney, Corillian's Chief Security Executive.

Maloney said the standard was built by some of the best minds in the '90s, who realized that with the proliferation of the Internet and e-mail, security would become more challenging. BS:7799 is evolving into ISO 17799, but companies cannot certify to it yet. Maloney said that by getting BS:7799, Corillian will either be grandfathered in for ISO 17799 or be well ahead of the game.

Obviously, for a company like Corillian, security is paramount. A breach can cause a loss of consumer confidence in online financial services and severely hurt Corillian's business. Despite growing acceptance of doing business online over the years, recent research indicates consumers are still wary. A Javelin Research study indicated that over the past year consumer concern with ID theft has increased more than 30% in regard to online banking. A June 2005 Gartner report found that 28% of online consumers said online attacks influenced how they bank online, with over 75% of this group saying they bank online less frequently and 14% having stopped paying bills online.

Maloney said Corillian began working on BS:7799 certification about three years ago, when it was seeking a standard security framework to work towards.
He noted Corillian already has SAS 70 certification, but that is very narrow in scope, aimed at data centers, and is not enterprise-wide. Maloney said his goal is for Corillian customers to trust the company completely. He believes a good security program revolves around three things – people, processes and technology. "In some cases the technology is the easiest part. You buy it, implement it, and if you maintain it, it does its job. You need good processes around it and you have to have trained personnel to implement the processes and understand the technology," said Maloney.

Personnel skill was a big part of getting the certification. As part of the audit, random employees were selected across departments and quizzed on security issues. Maloney said that despite all the technological advances, employees are still often the first line of defense for security. "I kind of look at people as being your biggest asset or biggest liability regarding security. You have to engage them and create a security culture," said Maloney. Security is always a topic at the company's quarterly meetings; employees receive training as issues come up, and the company also does an annual recertification in which employees are required to pass security tests.

Credit unions are always trying to find the sweet spot in terms of how much money to spend on security. The conventional thinking is that you have to spend enough, but if your security budget is too big, it is counterproductive to the overall business. Maloney said that at Corillian, security spending equals about 4% of revenue.

So just how intense are security attacks? Maloney said the bad guys are still aggressively going after online sites; however, the bad guys are not the biggest problem. "I think we're doing a good job on the back end, locking down the server side. At this point in time, the weakest link of Internet banking is the end user, how the end user takes care of and uses their PCs," said Maloney.
He said consumers need to keep their PCs patched and protected by a firewall. He said phishing is still a primary threat, especially for financial institutions. Fraudsters and phishers may be more focused on getting access to bank accounts not just because of the money there, but because of all the personal financial data banks and credit unions hold. That data can be used for identity theft.

Corillian has a patent pending on an intelligent authentication system that looks for patterns of behavior that might lead up to fraud. For example, if a member always accesses their accounts online either at work or at home, the system can look at the HTTP header information to develop a sort of profile, a pattern of access. If a request comes in from, say, another state, the system flags the session and asks the member a question only the real person would know. The credit union could also call the member's cell phone for further authentication. Maloney said the key is not to make the security so prohibitive that it frustrates members. He said the access patterns should work for online users 95% of the time. If a member is traveling and using a computer in a different state, they likely would be flagged. The solution, coming out soon, is purely on the server side, said Maloney; it requires no hardware for the end user.
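To make the access-pattern idea concrete, here is an added illustration, not Corillian's patented system or any of its code, of a server-side profile built from request metadata that flags unfamiliar sessions for step-up authentication. It assumes a constructed address-to-state table standing in for a GeoIP database and a constructed `Remote-Addr` header holding the peer address as the server recorded it.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed IP-prefix -> state table standing in for a GeoIP database.
GEO = {"198.51.100.": "OR", "203.0.113.": "OR", "192.0.2.": "TX"}

def state_for(ip: str) -> str:
    """Map a client address to a state; unknown prefixes form their own bucket."""
    return next((st for pfx, st in GEO.items() if ip.startswith(pfx)), "UNKNOWN")

def fingerprint(headers: dict) -> tuple:
    """Reduce a request to coarse features: originating state and browser family.
    'Remote-Addr' (constructed name) is the socket peer as the server saw it, not a
    client-supplied header such as X-Forwarded-For, which a sender can forge."""
    ua = headers.get("User-Agent", "")
    family = next((f for f in ("Firefox", "Chrome", "Safari") if f in ua), "other")
    return (state_for(headers.get("Remote-Addr", "")), family)

@dataclass
class AccessProfile:
    seen: Counter = field(default_factory=Counter)

    def learn(self, headers: dict) -> None:
        """Record the fingerprint of a successfully authenticated session."""
        self.seen[fingerprint(headers)] += 1

    def assess(self, headers: dict, min_share: float = 0.05) -> str:
        """'allow' when this fingerprint covers at least min_share of the member's
        history, otherwise 'step_up' (challenge question or phone call-back)."""
        total = sum(self.seen.values())
        if total == 0:
            return "step_up"  # no history yet: always challenge
        share = self.seen[fingerprint(headers)] / total
        return "allow" if share >= min_share else "step_up"

# Constructed requests: home PC, office PC, and a trip out of state.
HOME = {"Remote-Addr": "198.51.100.7", "User-Agent": "Mozilla/5.0 Firefox/1.0"}
WORK = {"Remote-Addr": "203.0.113.22", "User-Agent": "Mozilla/5.0 Chrome/3.0"}
TRAVEL = {"Remote-Addr": "192.0.2.9", "User-Agent": "Mozilla/5.0 Chrome/3.0"}

def demo() -> dict:
    """Train on constructed history (20 home, 10 work logins) and score three requests."""
    profile = AccessProfile()
    for _ in range(20):
        profile.learn(HOME)
    for _ in range(10):
        profile.learn(WORK)
    return {"home": profile.assess(HOME),
            "work": profile.assess(WORK),
            "travel": profile.assess(TRAVEL)}
```

The `min_share` threshold is the knob that trades member friction against fraud catch rate; a real deployment would also age out old history and key the step-up challenge to the member's record rather than to the request.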