United States

Emerging Technologies and When to Implement From a Risk Perspective

FINANCIAL INSTITUTIONS INSIGHTS  | 

What are “emerging technologies”?

Emerging technologies are technologies that are new and innovative, or in some cases using relatively recent existing technology in a new or converged manner. For purposes of this article, we will limit the discussion of emerging technologies to the convergence of existing technologies as they tend to have the largest impact on business due to their process disruptions.

Examples of the convergence of technologies include cellphones and personal digital assistants (PDAs), which were previously separate technologies and now are generally packaged as one in the form of a smartphone (iPhone, Android, etc.). Prior to the convergence of these technologies, each singular device (cellphone and PDA) ran separate proprietary operating systems and hardware. For example, as little as seven to eight years ago, it was common to carry a Palm Pilot PDA, as well as a Motorola Star TAC cellphone. Each was separate, did not interface with each other and required a docking station or cable and software to interface with corporate applications.

In our example, we can take it one step further; as convergence has continued as corporate applications and other device-specific applications (GPS for example) continue to be merged/converged into smartphones. We could continue down this path as several smartphones have music player capabilities and other uses. We can even remotely start cars with them via OnStar.

The implementation question
There are various business factors that go into the decision of when to implement emerging technologies. One of the most important considerations is the benefits sought from the implementation; some of the most commonly desired are:

  1. Cost savings
  2. Customer service
  3. Market leadership
  4. Power savings

A technologist will quickly identify that there are many more benefits that can be listed, but when working with clients in the field the above benefits are the most commonly mentioned.

Of course, the actual benefits derived from the implementation of a particular emerging technology depend on the technology being deployed. For example, in recent years many customer service oriented businesses, such as banks and online retailers, have implemented some form of “live chat” so that their Internet savvy customers can converse online with one of their customer support representatives or sales staff. A primary benefit of implementing this technology is customer service, while secondary benefits may exist as well such as accuracy of orders in the case of online retail.

While these benefits are important, another critical factor that often gets overlooked when considering the implementation of an emerging technology is that of risk. When risk is not accounted for, the true cost of implementation is under estimated and can also lead to poor implementation.

Generally speaking, new or emerging technology implementations should always be treated as riskier than the technology they replace. This should be an important factor in deciding when (or if) to implement the technology.

There are many examples of new technology not being managed properly and the subsequent costs exceeding the benefits of the technology, such as when Nike had a 28 percent restatement of earnings in 2001 from a poorly managed enterprise software implementation. What is unusual regarding this example is the size of business in which the technology was being deployed and the complexity of the solution, but it does point to the enormity of the potential risks of implementation.

When we consider contemporary emerging technologies, such as smartphones and smartphone applications, there are several examples of security issues being discovered. A short list of some of the more recent security issues documented includes the following:

  1. Citigroup disclosed that its free mobile banking application accidentally saved account numbers and other sensitive information on devices. (2010)
  2. Google recently began remote wiping Android devices infected with malware after discovering more than 50 malicious applications in the official Android market. (2011)
  3. Apple released iOS 4.3 for the iPhone 3 and other devices to address critical security issues with their product, according to US-Cert and other information sources. (2011)
  4. According to US-Cert, Research In Motion (RIM), the maker of the BlackBerry issued a security alert warning users that during browsing, the BlackBerry is susceptible to a data mining exploit. (2011)

As can be seen from this short list, serious security risks have been discovered in what many would consider to be the smartphone market leaders, and we can conservatively assume that all smartphones are likely to have security issues that are or will be discovered. This does not mean that an organization should NOT implement emerging technology, but that the decision to implement should consider the potential risks associated with the implementation.

Consideration of risk
There are many risk models that attempt to factor the risk of the implementation of emerging technology into the organization; some complicated and others straightforward. To illustrate one approach, we will use mobile banking as an example of a business process (e-banking) utilizing an emerging technology (smartphones). A simple approach or framework includes, at a minimum, the following steps (in an actual implementation, there will likely be more):

The technology:
Identify the technology (smartphones) and the business process (mobile banking), as well as an inventory of the components that enable the solution and features.

Our example will include:

  1. The smartphones supported (the goal could be all of them, but iPhones, for example, have not been able to support Adobe Flash, although a recent announcement addresses this)
  2. The mobile banking solution vendor
  3. One could argue that the core system belongs here or at least the interface
  4. The mobile banking features that the user will have access to

The risks associated with the technology:
Essentially, an attempt is made to identify the risks of using the technology. The list should be as exhaustive as possible and a subject matter expert might need to be consulted.

If we continue with our example, a short list of some of the risks could be:

  1. User loses their smartphone
  2. User browses to unsafe sites, and smartphone becomes infected with Trojan code
  3. Smartphone user information is not updated
  4. User purchases a new phone and has their information moved from the old phone to the new phone, but does not securely erase their old phone before selling or discarding it

Control measure to mitigate the risks
This is where an organization identifies control measures that remove or reduce the risks identified above. In some cases, it may take multiple control measures to mitigate a risk; often there is not one “silver bullet” for each of the risks identified.

Continuing with our example in order of risks listed:

  1. Multifactor authentication, red flagging unusual activity, out-of-band authentication of transfers
  2. Application cookie verification to mitigate cookie replay attempts, red flagging unusual activity
  3. Application performs a system health check and notifies the user of out-of-date smartphone, application cookie verification to mitigate cookie replay attempts, red flagging unusual activity
  4. Utilization of the registration of devices to the application, which would red flag the legitimate users attempts and when the organization is notified, the old version would be unregistered, red flagging unusual activity

Summary
Emerging technologies have and will continue to be introduced into banks at an ever increasing pace. While emerging technologies generally bring many improvements to the institution and their customers, the technologies also bring risks to the organization. An important step in the implementation planning phase is to identify the risks associated with the technology and control measures that need to be introduced to minimize the risks. Only when the risks have been accounted for and their implementation costs included in the overall plan will an institution have a good understanding of the total costs and the impact of the technology on their risk posture.

For more information, please contact McGladrey Managing Director Loras Even at 319.274.8541.

AUTHORS