Nick Hammond, Lead Adviser for Financial Services at World Wide Technology, highlights the need for Financial Services to take a future-proof approach to security as cyber breaches rise
Nearly half the businesses in the UK have fallen victim to cyber-attacks or security breaches in the last year, costing them each thousands of pounds, according to new data from the 2018 Cyber Security Breaches Survey. Forty-three percent of businesses reported cyber security breaches or attacks over the last 12 months, highlighting the growing need to future-proof against cyber breaches.
Investment in cybersecurity by finance and insurance firms doubled in the last year, and 51 percent of businesses have implemented all five of the basic technical controls listed under the Government-endorsed Cyber Essentials scheme. While this is certainly a step in the right direction, it is not enough to keep modern IT systems secure.
Years ago, banks’ traditional legacy systems were not particularly difficult to protect, even if their internal architecture was complex. Vital data sets were typically kept inside the main structure, meaning that critical systems and data could be secured by a firewall surrounding the system perimeter. But the shift to digital systems means that data and applications within a bank or financial organisation are no longer locked down with limited access in and out of the data centre.
The idea of having a fixed perimeter around a data centre – which you could protect with firewall technology – first began to shift just under a decade ago. Changes to the way financial services use technology means that information cannot simply be kept on a closed system and protected from external threats by a firewall. In today’s digital world, data is now shared between thousands of locations.
Multiple third parties, such as credit ratings and interbank payment services, need access to this data to provide their services. It is also shared with employee and customer devices through mobile banking apps and bring-your-own-device (BYOD) solutions, which have proved a challenge for many financial organisations.
Banks are now faced with the challenge of a rapid rise in users interacting with their systems, making it impossible to simply draw a firewall around the IT infrastructure and thereby protect the data they hold.
In addition, the predicted explosion of connected devices – expected to reach 20.8 billion globally by 2020 – leaves IT systems much more vulnerable to attack, making it crucial to rethink the approach to security. The advent of online and mobile banking, cloud computing, third-party data storage and apps is a double-edged sword. While enabling significant innovation and advances, they have also created a perimeter that is very difficult to define. This means that financial companies must take a holistic technical approach to cybersecurity, which involves resisting attacks at the endpoint, network, cloud and application layers.
There is also a growing trend for applications (such as SWIFT, the interbank payments software) and a bank’s underlying IT infrastructure to be managed by different teams with little or ineffective communication taking place between them. While new software applications available through cloud-based providers hold huge promise for organisations, the risk of cyber breaches skyrockets and the task of securing critical systems is made much more complicated and challenging.
For finance and insurance firms, investing in and installing new security products is simply not enough. In fact, implementing such products without an understanding of the way each critical application functions in relation to the wider system is a futile investment and risks devastating internal disruption. It is becoming increasingly common for financial services firms to find themselves in complicated situations by hastily investing in security products and then suddenly realising that their chosen products cannot be effectively integrated into the existing infrastructure. In the worst case, this poses a serious risk to organisational security.
Gartner predicts that throughout this year, 90 percent of organisations will lack an application integration strategy. But to wrap policies around applications, visibility of how applications interact within an organisation’s infrastructure is essential. Without this, the company may find that a security policy creates a series of repercussions by stopping one application from talking to another.
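One concrete way to get that visibility before a policy goes live is to dry-run the draft allow-list against the flows actually observed between applications and list every dependency it would cut. The script below is an added example, not code from the article or from World Wide Technology; the application names, addresses and rules are constructed sample data standing in for real flow logs and a draft policy.

```python
"""Dry-run a proposed default-deny allow-list against observed application
flows and report the interdependencies the policy would silently break.
Added example, not from the article; flows and rules are constructed data."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_app: str
    dst_app: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dst_port: int = 0  # 0 means the rule allows any destination port

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the allow rule covers this flow (source/dest CIDR, proto, port)."""
    return (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and rule.proto == flow.proto
            and rule.dst_port in (0, flow.dst_port))

def broken_dependencies(flows: list, policy: list) -> dict:
    """Group observed flows that no rule allows by 'src_app -> dst_app'."""
    broken: dict = {}
    for flow in flows:
        if not any(rule_matches(rule, flow) for rule in policy):
            broken.setdefault(f"{flow.src_app} -> {flow.dst_app}", []).append(flow)
    return broken

# Constructed sample: flows a bank might observe between its applications.
OBSERVED_FLOWS = [
    Flow("core-banking", "payments-gateway", "10.1.0.5", "10.2.0.10", 443, "tcp"),
    Flow("payments-gateway", "hsm", "10.2.0.10", "10.3.0.7", 1500, "tcp"),
    Flow("mobile-api", "core-banking", "10.4.0.2", "10.1.0.5", 8443, "tcp"),
    Flow("core-banking", "credit-ratings", "10.1.0.5", "198.51.100.20", 443, "tcp"),
]
# Constructed draft policy that overlooks the HSM and the third-party rating feed.
PROPOSED_POLICY = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "tcp", 443),
    Rule("10.4.0.0/16", "10.1.0.0/16", "tcp", 8443),
]
```

Calling `broken_dependencies(OBSERVED_FLOWS, PROPOSED_POLICY)` returns the two dependencies the draft would break (payments gateway to HSM, core banking to the ratings provider), which is exactly the report the policy owner needs before the rules are enforced.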
To avoid this fate, companies can test new applications before installing them on the production network, which involves creating a test environment that emulates the “real” network as closely as possible. Financial players can create a software testing environment that is cost-effective and scalable by using virtualisation software to install multiple instances of the same or different operating systems on the same physical machine.
As their network grows, additional physical machines can be added to the test environment so that it continues to simulate the production network. This allows costly mistakes to be avoided when deploying new operating systems and applications or making big configuration changes to the software or network infrastructure.
If they are to truly tackle threats of cyber breaches in a future-proof way, banks and financial services firms need a bespoke security policy that traces every interdependency within their systems and adapts protection policies to fit the complexities of the system. This will need to be led by business application owners and risk and compliance officers who can speak from the top down about how each application needs to function and what the regulators require.