Publisher's Corner

    Calvin D Johnson

Safety First…And Always!

Twelve years ago, when my business partners and I were busy creating what became the world's first Internet bank, we paused from our technology pursuits mid-stream to think about how we were going to market this entity that we were creating. We spent some of our venture capital with some high-powered national branding firms, but it was during one late-day brainstorming session that we came up with the name of our new bank on our own.

When we asked ourselves what was going to be the most important feature of our bank and what message we wanted our potential customers to hear from us, it was, first and foremost, security. Thus was born the name of Security First Network Bank!

Now, a dozen years later, nothing has changed in our industry with regard to the importance of security and safety. As more and more transactions are processed digitally in our ever-evolving electronic commerce economy, staying on top of security best practices is paramount.

Regular readers of TPAtlanta know how strongly we feel about this issue. We spent a good bit of this space during 2006 talking about security, fraud, data breaches, and even money laundering. This month we will revisit the related topics of safety and fraud in case you need a reminder to keep security first in your business practices.

What we are going to focus on this month sounds like some sort of cynical joke conjured up by a pack of IT hacks out for mischief. Or perhaps it is just a piece of a high-tech urban myth, one of the many such hoaxes circulating in cyberspace.

But a growing number of business victims are unwittingly falling foul of an insidious online practice known as laptop keystroke logging, or keylogging for short.

It is now the fastest-growing white-collar criminal act in many countries. Forrester Research shows keylogging rose by 65% in 2005, and is expected to be significantly above that this year.

A malicious keylogger can cost a firm anything from $5,000 to $100,000 for a security breach. For a bank, the figure can escalate to $500,000 or more, according to a recent banking industry report.

Keylogging is a particularly pernicious spyware activity, where the theft of sensitive, financial corporate information occurs without triggering alerts, even avoiding detection altogether, until serious collateral damage is done.

Security organizations are fighting a constant battle to save firms from losing precious confidential data, ID information, or even cash.

Richard Hall, chief technology officer with Avanade, an IT infrastructure solutions joint venture between Microsoft and Accenture, says such criminal acts remain high on the corporate agenda.

Hall, who works with a number of blue chip companies, says: "Cost apart, the reputation damage such acts can cause remains very hard to quantify. Laptops are especially at risk because of the mixed business and personal environment they are often used in. But when it comes to security no software tool is a substitute for caution."

And here in Atlanta, we recently learned of several laptop thefts, some from offices located in City Hall East. For some reason, government PCs containing critical consumer information seem particularly easy prey lately for thieves!

However, companies and individuals alike can protect themselves from becoming keylogging victims. It just takes a bit of careful forward planning.

Without this, the following is occurring on a regular basis - picture the scene:

A busy company executive settles down in a hotel foyer, anywhere in the world, equipped with the latest IT gadgetry including a laptop or notebook PC.

As he or she impatiently awaits a taxi to the airport, there's time to check e-mail and maybe to also find out if that overdue vendor payment has been paid into a business account.

Laptop connection to a local hotspot is made wirelessly and logging-on is completed in seconds. Hang on; the firewall detects a Trojan virus trying to infiltrate the system.

Nothing unusual here, and it's dealt with. Or so it seems. But out of sight a keylogger has piggybacked onto the Trojan, with somebody, somewhere picking up each tap, tap, tap. The damage is done and money and/or data falls into unscrupulous hands.

Later, it is discovered the internet service provider was located in the Far East. If it was funds transferred out of a business account, well, they can often be replaced. But if commercial espionage is at work and data stolen, eventually sold to a competitor or highest bidder, then that can be irreplaceable.

If things weren't bad enough, there's now a system that not only records keystrokes made on the infected computer, but also captures mouse clicks.

The latest Forrester Research analysis points out that keylogging is less likely to be detected than other types of hacking into a system. Such is the potential damage caused that Morgan Stanley recently issued a "fix it or lose it" ultimatum to business. The investment bank claimed that for the internet to be "a truly reliable and trusted commerce mechanism," protecting a transaction's source is imperative.

A survey carried out by the Ponemon Institute, a US-based privacy and information security think tank, found that almost half of a typical firm's customers considered ending their dealings with an organization after a security breach.

Keylogging also has implications for banking in general, as well as online shopping - indeed anywhere where financial or personal data is stored.

A study by Trend Micro reveals that one third of those surveyed admitted to not securing their laptops against theft, identity and data fraud, despite regularly conducting transactions over the net.

Security experts say a PC or laptop should have firewalls, virus checks, pop-up blockers and parental controls. "You can also protect your system by using secure electronic vaults, to store encrypted files and passwords."

Another way of protecting a company's data is by outsourcing management of a firm's security infrastructure to specialized security service providers.

Just as TPAtlanta advocated last year, eBay's chief security officer Howard Schmidt recently encouraged firms to publicize security breaches to tackle the "stigma and a culture of secrecy" surrounding such attacks. He added: "It is embarrassing for financial services firms to report data breaches. But they must do so, to give authorities the tools to deal with the problem." We at TPAtlanta second these remarks.

I am reminded of the ABC's of Safety that I was taught in junior high wood shop class: Always Be Careful! How applicable these same words are for the Transaction Processing Industry some 40 years later!!

So what are the latest data and PC security practices within your organization? Please write us here at TPAtlanta and share your ideas and safety strategies with us.

Thank you, and remember to practice safe computing!

Calvin D. Johnson, Publisher
publisher@tpatlanta.com
Trans Atlantic Systems, Inc.


Designed and Published by:  Trans Atlantic Systems ©2005