Given the rise in hacking incidents and the threat of cyberterrorism, government officials have taken a closer look at banks' security standards. As a result, both state and federal examiners expect institutions to have a written information security plan in place. Transactional Web sites are one area of concern. Beginning with the March 31 Call Reports, federal banking regulators are requiring financial institutions to state whether their Web sites have transactional capabilities. Identity thieves are also a threat to banks. ID theft rose 142% from 2000 to 2001, according to the Carnegie Mellon Software Institute. In addition to these issues, cyberterrorism is a very real problem. In response to increased threats and regulatory scrutiny, during the past three years hundreds of network and Internet security companies have cropped up across the US. Key things for banks to consider in choosing a vendor are discussed, including: 1. Look for strong financials. 2. Get a regulatory stamp of approval. 3. Demand constant monitoring. A listing of companies that market their products and services to community banks is presented.
In February, a billion-asset Midwestern bank installed a temporary wireless network during the construction of a new headquarters. Within days of adding these devices, which were intended to connect its new and old buildings, a hacker rendered the entire system completely useless.
"We couldn't even dial in," said a bank officer, who spoke on condition of anonymity. Plus, he said, there was a chance that account information could have been stolen.
"We had to install a completely new system," he said. And though the new devices improved security encryption, they cost four times more than the originals.
The experience underscores how, even with up-to-date equipment, many banks have an inadequate grasp of information security. "No system is foolproof," said the Midwestern banker, who discovered this the hard way.
Given the rise in hacking incidents and the threat of cyberterrorism, government officials have taken a closer look at banks' security standards. As a result, both state and federal examiners expect institutions to have a written information security plan in place.
Transactional Web sites are one area of concern. Beginning with the March 31 Call Reports, federal banking regulators are requiring financial institutions to state whether their Web sites have transactional capabilities. "Transactional Web sites present greater security risks to a bank than sites that provide only information to customers and the public," the Federal Financial Institutions Examination Council said in announcing the new requirement.
Identity thieves are also a threat to banks. ID theft rose 142 percent from 2000 to 2001, according to the Carnegie Mellon Software Institute. The most recent Carnegie study suggested that community banks, which lack sufficient technology budgets, may be at greater risk than large, national companies.
In addition to these issues, cyberterrorism is a very real problem. In one day alone, immediately after the United States declared war on Iraq, more than 400 American Web sites were rendered useless by cyberterrorists, according to a report on Dow Jones Newswires.
All of these factors reinforce the need for banks to protect their information.
In response to increased threats and regulatory scrutiny, during the past three years hundreds of network and Internet security companies have cropped up across the United States. The sheer number of players can be overwhelming for a banker seeking a service vendor. "Even consultants have a hard time sorting through the information available," said Joel Lanz, an independent consultant and certified public accountant in Jericho, N.Y. Lanz, a former partner at Andersen Consulting, has tracked related information for more than 10 years.
Today, the world's largest "firewall" companies include Symantec, Internet Security Systems, RedSiren, Cisco and IBM. These companies create software that protects incoming and outgoing Internet and network connections.
It is not uncommon for small, local vendors to act as resellers and subservicers of the firewall and encryption products offered by these top players, according to several sources. However, a comprehensive security vendor should provide 24-hour monitoring, port scan reports, protection for all incoming and outgoing connections, and more, according to Michael B. Bernardo, chief of E-Banking for the FDIC's Division of Supervision.
In selecting a managed information security vendor, it is important for bankers to recognize that each vendor is different, with a distinct menu of products and services. Here are some key things to consider in choosing a vendor.
Look for Strong Financials. Because few information security vendors are public companies, it may be difficult to tell how the company is performing financially. Last year one of Dollar Bank's technology vendors filed for Chapter 11 bankruptcy protection. Though Dollar was protected, the $4.8 billion-asset bank in Pittsburgh painfully learned that even a reputable company can fall on hard times. Remember: Annual financial reports for nonpublic companies are generally not available, so it is important to conduct due diligence in other ways.
Abe Nader, Dollar's senior vice president and chief operating officer, normally asks for a list of local and national clients to get an idea of the company's strengths. He also asks his head of credit to review the company's financial information. "We treat them as if they were asking for a loan," Nader said. "We also have covenants that protect us against bankruptcy."
Get a Regulatory Stamp of Approval. The FDIC, OCC and OTS regularly examine the larger security vendors for compliance and soundness. Most larger security companies are reviewed by the agencies, the FDIC's Bernardo said. However, unless the agencies uncover significant problems within a company, these reports are not made public, he explained. Hence, in selecting a vendor, it is important to do your own due diligence. Once you have a signed contract in place, the agencies will release details regarding your selected vendor, Bernardo said.
It is crucial to look for a vendor that can provide good customer recommendations, according to Nader.
Bert L. Chesterton, vice president of security at $1.4 billion-asset Cambridge Savings Bank, said that banks should also request a SAS 70. This certificate shows that the vendor has the appropriate certifications and backup systems.
Demand Constant Monitoring. Many financial institutions hire their own information technology staff to monitor networks without putting in place official standards, Lanz said. Few community banks have a staff or vendor that monitors network intrusions round the clock.
"This is a dangerous choice...because if I'm a hacker, I don't care about nine-to-five," he explained. Banks that do not monitor systems 24/7 are opening up critical information to hackers, he said.
Most vendors who provide constantly staffed, round-the-clock monitoring describe their services as "managed security." However, this term varies from company to company. Be sure to clarify exactly what 24/7 coverage means when speaking with potential vendors, Lanz said.
Add Contractual Protections. Because there are so many startup companies in the field, several industry experts interviewed for this article said they expect consolidation among smaller security companies during the coming months and years.
"Make sure your contract includes provisions to protect your bank in case your security provider is sold to another company," said Barry Thompson of Thompson Consulting Group.
Glen Roos, Dollar Bank's vice president of data processing operations, said these provisions should ensure that an institution will have continuous security services, without even the slightest gap. "Otherwise, too many companies will try to make up for an outage with a credit at the end of a contract," Roos said.
Require Regular Updates. All security vendors should provide regular updates of their firewall software. Your contract may also stipulate a monthly, biannual or annual review of all wireless and land access networks, desktop computers, and Internet server connections. These three areas are the key elements in structuring an effective technology security program, according to Steve Nogle, vice president and MIS director for $1.2 billion-asset First Federal Lakewood near Cleveland.
Frame networks are considered slightly more secure than T1 lines, said Lawrence Levine, managing director for SecurePipe, but no network is infallible.
Understand the Risks of Instant Messaging. According to IDC, 180 million users will pass 2 trillion instant messages annually through firewalls by next year. Instant messaging, or IM, allows computer users to talk to one another in real time. But as corporate IM usage increases, so do network and information security concerns.
IM software is widely available and is difficult for information technology departments to manage. Even when used for legitimate business purposes, proper authentication, access control, and anti-virus protection are critical concerns.
Face Time, based in Foster City, Calif., is one company working to combat this trend. The firm recently released IM Auditor Enterprise, which enables businesses to centrally manage instant messaging within the company so as to retain control of sensitive information that might otherwise leak to unauthorized persons. Face Time has a partnership with McAfee that makes it possible for IM attachments to be scanned for viruses before they reach recipients behind the firewall. Face Time's customers include large banks such as Bank of America and Citigroup.
The listings that follow describe several companies that market their products and services to community banks. While the list is not exhaustive, it provides a general overview of some of the key players within this burgeoning industry. It includes both national and regional companies.
For the purposes of this article, information security encompasses a host of terms, ranging from Internet and network security to data encryption and individual PC or workstation monitoring.
Compuquip Technologies
Miami
(305)436-7272
www.compuquip.com
Preventing intrusions and managing information technology for 50 banks and their Florida branches accounts for roughly half of Compuquip Technologies' business. Founded in 1981, the privately held company also serves nonbank corporations and state and local governments. Security products include the sales, integration, monitoring and support of off-the-shelf products from Checkpoint, Nokia, ISS, Symantec, ESafe, Surfcontrol, NetIQ and numerous other security product manufacturers. The company performs services such as security assessments, policy development, penetration studies, and installing, tuning, monitoring and modifying security products. Pricing varies by engagement. Trained security professionals can be stationed directly at the bank or at the company's headquarters. Compuquip works with Microsoft, Novell and Linux operating systems and runs on Intel platforms.
Foundstone
Mission Viejo, Calif.
(877) 91-FOUND
www.foundstone.com
Foundstone's managed security offerings for financial institutions combine proprietary software, services, and education to help customers mitigate and manage digital security risks. Sixteen percent of this privately held company's clients are financial institutions; it also serves small businesses. Founded in 1999, Foundstone also offers security planning, design and policy development. Its Enterprise Risk Solutions inventory and prioritize network assets. Consultants then identify vulnerabilities and threats, with continuous feedback on how systems may be improved. Foundstone performs customer vulnerability scans from an operations center. Customers log in to a Web portal to receive real-time reports, without incurring internal implementation and administration costs. Pricing depends on products and services selected.
Internet Security Systems
Atlanta
(888) 901-7477
www.iss.net
Internet Security Systems (ISS) says it is the security provider for more than 11,000 corporate customers worldwide, including all of the Fortune 50. The company (NASDAQ: ISSX) does not disclose industry-specific breakdowns of its client rosters, but says it serves several of the country's largest banks. ISS' Dynamic Threat Protection products and services help banks detect, prevent and respond to threats before they become active attacks. The company's Managed Intrusion Protection Service monitors client servers and network traffic for potential threats and misuse. It protects networks, servers, applications and databases and offers firewall products. Pricing for its security solutions depends on the product and the volume of devices that need protection. ISS relies primarily on its proprietary RealSecure technology. ISS products run on Windows NT, 2000 and XP, Linux and Unix.
Network Associates
Santa Clara, Calif.
(972) 963-8000
www.networkassociates.com
Network Associates' firewall products are a household name among computer users. The company owns McAfee, a market share leader in anti-virus software, and is a leading provider of network security technology around the world. Network Associates (NYSE: NET) says it does not release statistics on its customer base, but many large banks and security vendors use its products. The company consists of three businesses: Sniffer Technologies, Magic Solutions and McAfee. In addition to its widely used VirusScan and NetShield software, McAfee also offers managed security services. Sniffer Technologies offers network monitoring. Founded in 1989, the parent company's NAI Labs team and McAfee AVERT (Anti-Virus Emergency Response Team) constantly research global virus outbreaks.
Perimeter Internetworking
Trumbull, Conn.
(800) 234-2175
www.perimeterco.com
Community banks are the focus for Perimeter Internetworking, which began offering security defense services in 1999 and now boasts 74 community bank clients with assets ranging from $33 million to $4.9 billion. (Perimeter also offers services to nonbanks through a sister company.) Founded in 1997, the privately held ACB Associate Member offers managed security in a centralized environment. The company actively monitors and defends against attacks. Pricing is based on the number of computers to be defended, and number of add-on functions needed. The Standard Defense Services package starts at about $2,000 per month, according to Chief Executive Officer Brad Miller. It includes a hosted 24/7 firewall with intrusion detection, inbound e-mail virus protection, and help desk support. It also includes quarterly reporting, testing by a third party, and a regulatory compliance guarantee. Perimeter also offers a "slimmed-down" version that starts at about $1,000 per month for banks with lesser reporting and regulatory needs.
Red Siren
Pittsburgh
(877)360-7602
www.redsiren.com
Before 2002, Red Siren was focused exclusively on community banks. Today, its 300 bank clients, primarily in the western United States, account for a significant portion of its more than 800 clients on three continents. Most of its bank clients have more than $500 million in assets. The privately held company focuses exclusively on managed IT security. Its specialties include front-end planning solutions, such as helping companies design practices to educate workers on security issues and firewall management. Red Siren helps banks develop and evaluate security policies, conduct vulnerability and penetration tests, and comprehend Gramm-Leach-Bliley Act compliance benchmarks. It maintains open source offerings from Cisco, Check Point, ISS, Symantec, Enterasys, and RSA. Vigilance is RedSiren's proprietary technology.
SecurePipe Communications
Madison, Wis.
(877) 248-1632
www.securepipe.com
SecurePipe, an ACB Partner, provides three-tiered security solutions that combine managing, monitoring, and maintaining network security. "We work with our customers to define and implement a profile that meets their security requirements. Then we watch the traffic that is affected by that policy. When we see something that is outside that policy, we take defined actions to do appropriate incident response," said Lawrence Levine, managing director of SecurePipe. A private company founded in 1996, SecurePipe has almost 100 community bank customers, ranging from $50 million to several billion in assets. The firm has customers from a wide variety of industries, but primarily focuses on community banks. SecurePipe sells a service, not a product, according to Levine. "If a bank is buying something that is based on a particular product, and that is all they have, then they are only getting a very small piece of the overall puzzle," he said. SecurePipe provides a detailed breakdown of all pricing on its Web site. Costs are determined by the number of users and the specific Internet risk profile of the bank. Substantial discounts are available to ACB members.
Secure Works
Atlanta
(877) 905-6661
www.secureworks.com
SecureWorks provides managed security services to 150 banks and credit unions, a sizable part of a client base of 350 companies that also encompasses healthcare and utility companies. Founded in 1999, the privately held company provides intrusion prevention products (both network and host based), managed firewalls, and vulnerability assessments. Pricing is based on the number of users on the network protected, or, as in the case of host-based intrusion prevention, the number of servers protected. The company is in constant communication via an encrypted channel over the Internet with all of its managed devices. In addition to monitoring these devices, the company receives real-time notifications of attacks and new vulnerabilities. The company's software is Linux based and operates on Dell PowerEdge 350 hardware. Typically, upgrades are part of the service.
Symantec
Cupertino, Calif.
(800) 745-6054
www.symantec.com
Symantec (NASDAQ: SYMC) is one of the world's largest and oldest Internet security companies. The company has been around since 1982 and is known for its Norton antivirus software. According to company sources, more than 480 of the Fortune 500 companies rely on Symantec's security solutions. These clients include some of the world's largest financial institutions. The firm also provides gateway and server products and consulting for virus protection, firewall, real-time network monitoring, vulnerability management, intrusion detection, and Internet content and e-mail filtering. Symantec has developed several remote technologies to assist its clients when there is no local office nearby. Its vulnerability management solutions are designed to help customers create and enforce policies. Its consultants work from a central location and constantly probe for network vulnerabilities while suggesting remedies. Pricing varies, depending on the type of software and monitoring chosen.
Melanie Harwood, Community Banker's associate editor, and Sam Lisker, ACB's chief information and security officer, contributed to this article.
Copyright America's Community Bankers May 2003