Launch of risk review by PRA is encouraging sign that the financial services industry is taking increased complexity and industry change seriously, but more still needs to be done says Reuven Harrison, CTO, Tufin Technologies
As high-profile data breaches and system failures continue to hit the headlines, organisations’ network security is coming under increasing scrutiny. Nowhere is this more true than in the financial sector. Customers, shareholders and regulators all want assurances that companies are doing all they can to mitigate the risk of service outages and information security breaches. But the increasingly complex nature of IT networks, and the growing threats they face, means companies’ traditional, manual approaches to IT security are no longer effective.
The main cause is the growing complexity of organisational networks. Large businesses rely on multiple data-centres that are driven by hundreds, often thousands, of firewalls, routers, switches and load-balancers of varying ages and types. All of them must be set up and monitored properly.
The move to virtualised environments (where a single physical server can host several ‘virtual’ machines) only compounds this complexity, as does the use of cloud computing in its various forms. Add in the typical piecemeal mixture of creaking legacy IT systems and it can be very hard to understand, let alone secure, an organisation’s increasingly disparate and segmented networks manually.
The pressure on IT departments to meet both employees’ and customers’ ever growing demands to introduce new services and features, accessible on all manner of devices, brings yet further challenges. When the business requests changes to applications like CRMs or SAP, these invariably entail making a host of additional tweaks to network security and firewall settings.
Recent research commissioned by Tufin found that in a quarter of financial organisations with more than 1,000 employees, 60% of network changes are related to applications – a figure which is only likely to increase as the demand for online and mobile banking swells.
Perhaps not surprisingly in this landscape of complexity and constant change, slip-ups are common. A quarter of respondents admitted to having to redo more than 60% of their firewall changes because of human error. In addition, over a third (36%) of financial services companies said they experienced more than five firewall outages in the last 12 months – and more than one in six (17%) suffered 11 or more.
For financial services businesses, which operate in the world’s most heavily regulated sector, this situation is clearly not sustainable. Compliance requirements not only add to the pressure on IT resources, but dramatically increase the business risk of not addressing the problem. For example, version three of the payment card security standard PCI-DSS, which came into force on 1st January, specifies in even more detail how organisations need to manage security and firewalls if they are to remain compliant, with significant financial penalties for those that fail.
And the compliance burden is only going to become more onerous, particularly in the wake of recent high-profile outages that have left consumers unable to access their money. In March, UK regulators the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England launched a joint review of how financial services businesses manage their exposure to IT risks.
In a subsequent interview with The Independent in April, PRA chief executive Andrew Bailey very publicly called on the financial industry to renew IT systems and improve security in order to prevent outages and protect against the burgeoning number of threats from malware and criminal hackers.
Similarly, an EU report in March looking at risks and vulnerabilities in the European financial system devoted an entire chapter to operational risks from IT systems, concluding: “In order to mitigate operational risks from IT infrastructures, financial institutions should reinforce internal controls related to IT systems, with particular attention to IT security and cyber-resilience, and focus on developing sound IT governance practices within their risk management framework.” It also made clear that regulators should conduct rigorous inspections and assessments to ensure the robustness of these controls.
Clearly, to manage IT and network security with the level of rigour necessary, a new approach is needed – and most financial organisations recognise this. Tufin’s survey found that 84% of respondents in the financial services sector believe coordination of security policy across the entire network is now “essential”.
While the PRA’s Bailey has said he wants to see a complete renewal of banks’ and other financial businesses’ IT systems, the massive investment and effort this requires means the task will inevitably take several years.
We are already seeing an increasing move to what is known as a ‘software defined’ networking environment, where systems and settings can be rapidly changed without the need for direct human intervention.
Again, the industry recognises this, with 70% of Tufin’s survey respondents saying they believe network management will become increasingly automated over the next few years
But it will take a while for these new technologies to mature, and in the meantime companies need to begin integrating and automating controls across a wide variety of systems, old and new – not just to better secure their networks and meet compliance requirements, but so IT departments can free up resources to concentrate on activities that bring more value to the business. They also need to improve network segmentation practices to protect sensitive data like card data from cyber-attacks.
Financial services firms can’t afford to wait any longer, and the smarter ones are already automating their security controls using what are known as security policy orchestration (SPO) tools. These can centralise the management of global security policies, automatically provisioning application connectivity requirements, right across an organisation’s disparate networks. In addition, they can automate the design and implementation of network changes, as well as improving collaboration by allowing the business to easily segment network traffic that cut across disparate teams and business units.
As automation begins to pervade the sector, overall network security will improve and outages will begin to dissipate. Just as critically, though, financial services IT departments that make the move effectively will be free to innovate for the business at an unprecedented pace. And that should mean they’re no longer in the spotlight for their poor show – but because they have a starring role in the company’s successful performance.