By James Ward, Senior Cyber Consultant at MASS
The finance sector is typically more developed than others when it comes to implementing security measures. This is partly due to it being targeted by a diverse range of threat actors who are some of the most advanced, and also because the threat is so great – even the smallest breach has the potential for significant impact monetarily, or on market reputation, perception or confidence.
Ideally, an organisation’s critical assets should be surrounded by layer upon layer of security measures, all working together so that if one layer is removed or breached, the business’ most valuable assets are not compromised. Too often however, organisations take a siloed approach to security – viewing physical, cyber and personnel security as separate entities, where in fact they are more inter-related than many imagine.
It’s therefore vitally important that security measures are considered holistically and are led and understood by senior management, otherwise gaps for exploitation can be found by intelligent and experienced actors, supported by an ever-growing arsenal of exploitation technology.
Based on the approach MASS takes with public sector and defence organisations, we’ll now consider the security measures which should combine as part of a holistic approach.
It might seem obvious, but the first and fundamental consideration should be physical access to a site. For all organisations, this step remains vital – even in the finance industry where physical security principles have long been established.
You should consider the basic question of how an intruder could gain access, starting by reviewing the ‘perimeter’ controls. Indeed, organisations should even question what their perimeter is. With the potential for distributed site facilities, linked remote assets, and supply chain dependencies, this simple question must be answered.
To define where a ‘perimeter’ really lies, the use of scenario-based analysis, threat actor personas, motivations and objectives can be useful. It’s also an invaluable methodology for exposing how an organisation could be exploited.
The physical security stage should also involve a review of physical controls such as fencing, access technology, CCTV coverage etc., including their role in the deterrence and detection of hostile reconnaissance activities. Disrupting the planning cycle of attacks is often overlooked relative to direct prevention of unauthorised access.
That being said, security measures can only be as effective as the people applying them, so an understanding of human behaviours is essential. It’s important to consider how people’s actions affect overall site security and to question why these actions occur.
Simple mistakes like staff wearing security badges in the street could lead to unforeseen issues while poor motivation or effectiveness of roving security staff or those monitoring CCTV may also cause warning signs to be missed, demonstrating that innocent human mistakes could form the seed of future security breaches.
The finance sector’s cyber resilience has advanced considerably, as it’s adapted to threats over the years. But the evolution of the finance industry itself poses new challenges; businesses range considerably in size and new forms of financial transactions provide new opportunities for cyber exploitation. Exploitation toolsets and associated managed services are now more readily available at a lower cost, reducing the financial and technical barriers to advanced cyber-attacks.
The levels of cyber security in the financial sector must be retained, taken to a new level, and existing assumptions continually challenged.
For example, penetration testing regimes are a vital tool in mitigating network cyber risk (including ‘CBEST’ which has been widely rolled out across the finance sector) but have limitations given they are just a snapshot in time. They offer us a valuable depth of analysis within a network but can be constrained in breadth of scope and potentially leave vulnerability blind spots. Very frequent, lighter-touch cyber assessments can fill this gap as they offer a more dynamic view of ongoing vulnerabilities over a wider proportion of the estate, which could represent ‘low hanging fruit’ for the cyber actor. Assessments can be enhanced by applying modern threat intelligence techniques to rapidly identify existing compromises and potential weaknesses (including personnel and corporate digital footprint). This establishes a picture of cyber posture and vulnerabilities before any testing taking place.
End-user device security is also often viewed in terms of its encryption strength, keys etc. Modern methods of fault injection attack (a device’s response to artificially applied ‘fault conditions’ used to derive security credentials), though are able to bypass these assumed security measures, whereas it would take decades to ‘crack’ using more traditional computer power. This means it becomes important to test a device’s vulnerability to fault injection, rather than falling back on the old assumptions for protection.
To take a holistic view, it’s also important to examine the wider supply chain. The finance sector relies heavily on a network of suppliers of digital telecommunications and energy services, and when a network this complex is interconnected, it’s challenging to pinpoint cyber resilience risks. However, identifying ‘hot-spot’ concentrations of dependencies that represent single-point failures within the complexity of the overall business can allow you to filter the complex information and establish risk effectively.
The insider threat
Those who might misuse legitimate access to an organisation’s assets for unauthorised purposes are known as insiders and their threat is often overlooked when considering the overall cyber risk.
For those in the financial sector, personal financial gain could be a particular incentive to potential insiders, while security controls are now so effective that one of the only ways to circumvent them is for hostile actors to exploit those with legitimate access. It can help to think of insider threat as the ‘grand master skeleton key’ of security, as the right insider, or team of insiders can overcome almost all security measures. Security compromises involving insiders also tend to have a disproportionately high business impact.
Yet many organisations overlook insider risk, assuming that pre-employment screening is enough to deter employees and failing to recognise the wide range of risks from genuine human error, through to orchestrated insider activity by paid professionals. Insider cases are typically individuals who have been with an organisation for some years and could have had a personal vulnerability exploited or exposed, or simply become disgruntled with their employer.
It’s a broad area to address and can be more challenging to enforce than other security measures. Internal governance, security culture, employee wellbeing, employment measures, corporate digital footprint, and perceived employee sentiment are some of the aspects that should be considered. Once these internal factors have been addressed, organisations should then make the same assessment of their supply chains.
If the business is sufficiently committed to its security, structured analytical methods can quantify their maturity and assess where the key vulnerabilities and risks could lie. This extra level of understanding can enable improvement, and when it comes to security even small changes can make a big difference.
Consider your dependencies
It’s clear that security is a vast network comprising many different aspects and as such, if not considered collectively, some areas can fall through the cracks.
All businesses have particular dependencies which shouldn’t be overlooked. Your own environment may be protected, but if data is shared with suppliers or partners, is it still secure? If a supplier or partner has a security breach, does that affect your operation?
When assessing security measures, it’s essential to go an extra layer deeper and consider how a range of factors could impact your organisation and its readiness to respond to an incident.
At MASS, our security experts consist of professionals with extensive experience in preventing security breaches and performing assessments in accordance with Ministry of Defence processes, so that we can ensure our security analysis meets and exceeds industry best practice.
How to use data to protect and power your business
By Dave Parker, Group Head of Data Governance, Arrow Global
Employees need to access data to do their jobs. But as data governance professionals, it’s our job to protect it. Therefore, we must perform a fine balancing act to weigh robust data protection against the productivity of workers who need the data to maintain business-as-usual working processes.
Data grows exponentially, and most organisations will admit that they simply don’t know what data they have, where it is, and the controls that exist around it. This creates 2 challenges:
- Burgeoning amounts of unstructured data makes the business increasingly vulnerable from external attackers or internal data breaches.
- Because data is the key to understanding a customer’s wants and needs, if the business can’t identify its data and unlock its value, it’s at a competitive disadvantage.
As a European investor and alternative asset manager, here at Arrow Global we take care of £50bn of assets and own a data estate exceeding 160TB. How we manage our data is key to our success. We understand the difficulties involved in opening up environments to allow people to work productively, while at the same time locking them down to protect our organisation.
When it comes to analytics, I believe that Arrow is highly proficient because we employ a talented team of data scientists. But even for us, the sheer volume of raw and processed data, that resides in both our structured systems and unstructured data repositories, has the potential to put our business at risk.
We know there’s always more that can be done to strengthen our security posture and ensure regulatory and contractual compliance, while at the same time using our data to drive the business forward.
Data protection isn’t just about compliance
For many organisations, data protection has centred on demonstrating compliance with the GDPR. At Arrow, our efforts have gone one step further to include our contractual exposure.
Being a more mature data organisation, we had previously tried to develop an application in-house to manage our data estate. However, with 160TB across the company in production data alone, we simply couldn’t achieve the scale we needed to handle the sheer volume of data. Of course, the volume is just the start – once you know what data you have, you then need to be able to categorise the data and put it into a structure, so the business can analyse it for a specific use case.
We knew we needed to go to market to find an industrial-strength data discovery product to replace our in-house application. By aligning our choice of product to our overall IT and change strategy, meant that ultimately, we ended up with a far better outcome than we’d anticipated.
Position data as both a risk and an asset
Data touches every part of an organisation, so when it came to building a business case for buying-in a data discovery software platform, we approached it in a way that would speak to different people at the same time. We did this by posing the question:
“What do we want to do with data in a way that is GDPR-compliant, contractually-compliant and enables us to better service our clients?”
These are the black and white tests of data governance – to recognise the importance of securing and protecting data. They’re applied in a way that enables us to commoditise data and use it to drive the business forward, by forcing us to consider how we would use the data – for example, creating value-based pricing for our clients.
In aligning the business case to initiatives that were already priorities within the boardroom, we knew that we’d gain the attention of the senior leadership team and it would be easier to get the buy-in and budget we needed. And in the end, everyone wins – we get what we need to protect the data, and the business gets to distil the data’s value to better meet our customers’ expectations.
Get visibility of data at scale
For us, things got really exciting once we were able to see all of our data at scale. We chose Exonar because it allowed us to discover our data in ways that other products couldn’t. And the interface between the user and Exonar meant that everyone – both technical and non-technical users – could understand the technology and the findings it revealed.
When we saw exactly what data was in the estate, where it was and who had access to it, data security became much easier and the risk of data being compromised was dramatically reduced. We can see exactly where the vulnerabilities are and restructure how our data is stored to strengthen security. Then over time, we can use search, workflow and analysis to optimise the infrastructure and continually identify new areas to improve.
Commercialise the data
From a wider-business perspective, once people can see the data, they can start asking “What if…” to query it and distil its value. But it’s more than just the data itself. It’s not uncommon for data relating to the same thing to exist in unconnected systems across the business. For example, customer interactions and incidents or events.
Exonar is capable of joining the dots in disparate data sets. By stitching these data sets together, we can get a better overall view of our customers and use the outcomes to think of new, different or better ways of serving them through enhancing or adapting our offerings.
Why other financial services businesses should also take a smarter approach to data
- By changing the way you approach data, you can use it to protect and power your business and the people you serve.
- By positioning data as both a risk and an asset, you elevate its position to give it priority in the boardroom. Ultimately, it’s data that helps the business make informed strategic decisions about how to strengthen its competitive advantage.
- By gaining visibility of data at scale, you can see exactly what data you have and where it is. This gives the business confidence about the actions needed to ensure it is secured in both a regulatory and contractually compliant way, and that people are doing the right thing with data at all times.
- And joining different data sets provides you with a single view of ‘X’ within your data, no matter where it is. Helping to support your wider-business strategy and priorities, it gives you the information you need to secure a business advantage and generate value.
How business leaders can find the right balance between human and bot when investing in AI
By Andrew White is the ANZ Country Manager of business transformation solutions provider, Signavio
The digital world moves quickly. From keeping up with consumer behaviour patterns, to regulation and compliance, the most successful organisations are always on the cutting-edge of technological developments.
However, when it comes to investing in artificial intelligence (AI), a hard and fast strategy does not guarantee a top spot amongst the league of tech greats. Instead, it pays to take a considered approach to balancing reliance on automated processes with a human touch. Why? Because creative and strategic thinkers are the true propellers of innovation; automation is simply the enabler.
The International Monetary Fund (IMF) developed the ‘Routine Task Intensity’ (RTI) index as a measure of which processes are likely to benefit most from automation. According to this metric, jobs requiring analytical, strategic, communicational and technical skills score low on the RTI index, while simple, repetitive tasks scored highly.
The lesson for business leaders here is simple; your digital investments are just as important as your stake in talent. When deciding which processes to automate, start simple, and remember to value the skills and potential of your people.
Keep customer-centricity at your core
Customer-centricity means that every business decision, dollar spent and new hire is centred on one question: how does this benefit my customer? Investments in AI are no different. To be truly successful, they must have a customer-focused outcome.
Where companies get this wrong is by implementing cost-saving measures or ‘copy and paste’ software that fails to improve the customer experience – often having the adverse effect.
Take the virtual chat-bot, for example; if implemented poorly, it can send your customers into a frustrating and seemingly infinite cycle of dead-ends. The modern consumer is far too digitally savvy for this shortcut, and will quickly move onto the next merchant offering a more seamless customer service experience.
To guarantee your investments are delighting rather than infuriating your customers, it helps to take an outside-in perspective of your business processes, aided by Customer Journey Mapping (CJM).
Before you commit to digital investments, CJM can trace and map each customer touchpoint, signalling pain points or conversion rates throughout their journey. These data-driven insights lead you to the areas that would benefit the most from automation, instead of implementing a broad band-aid solution.
Avoid the ‘set and forget’ method
When investing in enterprise-wide AI, the ‘set and forget’ method rarely works. Real transformation requires an ongoing dedication to refining and improving AI-driven processes, as well as adapting them to the evolving needs of your customers. This is the best way to achieve customer loyalty, by proving that your organisation listens to, and understands its users.
A human perspective is invaluable here, paired with process mining – a method that thrives on finding process inefficiencies – to create a consistent feedback loop of improvement.
During periods of uncertainty, customer loyalty is everything, so aim to protect it at all costs.
The power of your people
The rise of automation can be linked to the corporate world’s obsession with speed and efficiency. However, the psychology behind this goes deeper than being the biggest and fastest producer; it’s also about reallocating resources into attracting and retaining the brilliant minds that drive companies into the future.
When communicating digital change, it’s critical to highlight the valuable impact AI has on augmenting jobs; removing the burden of mundane, repetitive tasks and allowing for more strategic skill-sets to shine through. For lower-skilled workers, invest in upskilling or re-education where possible.
Successfully rolling-out digital transformation plans means that every employee across all tiers of your company understands the value of AI. The starting point here is education to achieve buy-in. Change communications must be accessible, constructive and value-focused, supported by key culture influencers who champion automation within teams.
Enterprise-wide buy-in is an important element of refining and improving digital processes, as cross-functional collaboration can offer valuable insights into common pain points or inefficiencies ripe for automation. Supported by process mining, collaboration provides a holistic view of how each investment will impact other processes. There is no point investing in automation that streamlines one process and makes another more people-centric, so be sure to take a balanced approach to your investments.
Remember, AI is not about creating an army of robot workers; it’s about increasing efficiency and productivity so that an organisation, and its people, can work smarter.
Are you a fighter or a freezer? The 4 “F’s” of Surviving Danger
By Dr.Roger Firestien, Author of Create In a Flash.
The fight, flight, freeze survival response – or FFF for short – is designed to mobilize our brain and body to fight an enemy, run from a tidal wave or freeze to hide from a predator.
FFF is how humans react when they encounter a dangerous situation. It is a primal response that happens instinctively even before we are able to think about the situation we are confronting.
The FFF alarm causes our brain to focus on negative memories, probably to scan them to avoid repeating dangerous situations and negative outcomes. We get tunnel vision as our pupils dilate to increase our focus and long-range vision, but as a result we lose our peripheral vision.
Humans use the FFF response and so do organizations.
When organizations encounter dangerous situations, like, say, trying to survive a global pandemic, they can respond by either fighting the situation, fleeing from the situation, or freezing and waiting for the situation to pass.
I would like to propose a fourth strategy for organizations to deal with a danger like the pandemic. It is the fourth “F.” The farm response. More on that later.
What kind of organization is yours?
The fighter organizations were the ones that fought the idea of a global pandemic or pushed back against the research that reported how serious the virus was. Think of the meat processing plants that didn’t provide proper protective gear or the religious organizations that refused to take a break from large services.
The results were catastrophic for the organizations and deadly to the employees and worshippers.
It is pretty easy to identify the fleeing organizations. You don’t see them anymore. Unfortunately, this is the organization that just doesn’t have the resources or the energy to fight. You will recognize them by the “For Rent” signs in the windows of the buildings they used to occupy.
The organizations that freeze are a little more difficult to identify. They are still around but are frozen by fear. They are the organizations that, although they are in a position to move forward, are too frightened to take a risk or even look at the periphery of their business. Their tunnel vision blinds them to opportunity. The freezers hide and wait for the danger to pass. They are the ones who miss out on possibilities.
For example, if you are in the business of supplying concessions to sporting events, airports and national parks, your business is in deep trouble now. So, what are some ways to keep people buying food and drinks with so many venues closed?
Many national parks are now open and visitors need to eat. How can you sell food while supporting social distancing? Answer: Sell picnic meals to your patrons. And, sell a blanket that commemorates the park that diners can spread out and have lunch while social distancing with their families. Then, they’ll keep the blanket that reminds them of their visit to the park.
Sound like a good idea? It sure does. You can keep your park concession business, allow people to social distance and add to your product line with that commemorative blanket. Did the company implement the idea? Unfortunately, they did not. They froze and missed the opportunity.
However, businesses are finding ways to optimize their organization and capture opportunities. They are the farmers. The farmer organizations study the situation, just like farmers study the weather and the land. They look at the resources available to them and get to work.
Farmer organizations pivot and get creative.
Distillers, who before the pandemic, were making vodka, whiskey, gin and other spirits quickly changed their operation from distilling booze to distilling sanitizer.
Telemedicine, which had limited acceptance before the pandemic, almost immediately became the accepted way to deliver care. Now, the doctor comes to you.
Fitness trainers are conducting their sessions via Zoom or in person outside on sidewalks in front of their gyms so they can social distance.
My favorite ranch, SK Herefords, sells their beef at local farmer’s markets in the Western New York area. This spring when the large packing houses shut down and grocery stores were limiting the amount of beef customers were able to buy, my farmer friends were there at the markets with locally produced farm-raised beef. Sales soared and demand skyrocketed.
Why? The farmers were ready. They used their resources and were not afraid to optimize them in a rapidly changing and volatile environment. Farmers live with constantly changing weather conditions and market prices and are accustomed to rapid change.
To operate with constant change, all of us, like farmers, need to be constantly creative. Phil Keppler, my philosopher farmer friend from SK Herefords says, “Creativity helps you to not look at things as a problem. It’s trying to find the solution – and that’s the exciting thing about it. Things aren’t problems anymore. It’s just difficult situations and you’re trying to find a solution to that situation.”
A good mindset for what our world is experiencing now… it’s a difficult situation and we are creating solutions daily.
Fight, flight, freeze or farm. What kind of organization is yours? And, what can you learn from “the farmers?”
The importance of app-based commerce to hospitality in the new normal
By Jeremy Nicholds CEO, Judopay As society adapts to the rapidly changing “new normal” of working and socialising, many businesses...
The Psychology Behind a Strong Security Culture in the Financial Sector
By Javvad Malik, Security Awareness Advocate at KnowBe4 Banks and financial industries are quite literally where the money is, positioning...
How open banking can drive innovation and growth in a post-COVID world
By Billel Ridelle, CEO at Sweep Times are pretty tough for businesses right now. For SMEs in particular, a global financial...
How to use data to protect and power your business
By Dave Parker, Group Head of Data Governance, Arrow Global Employees need to access data to do their jobs. But...
How business leaders can find the right balance between human and bot when investing in AI
By Andrew White is the ANZ Country Manager of business transformation solutions provider, Signavio The digital world moves quickly. From...
Has lockdown marked the end of cash as we know it?
By James Booth, VP of Payment Partnerships EMEA, PPRO Since the start of the pandemic, businesses around the world have...
Lockdown 2.0 – Here’s how to be the best-looking person in the virtual room
By Jeff Carlson, author of The Photographer’s Guide to Luminar 4 and Take Control of Your Digital Photos suggests “the product you’re creating is...
Banks take note: Customers want to pay with points
By Len Covello, Chief Technology Officer of Engage People ‘Pay with Points’ – that is, integrating the ability to pay...
Are you a fighter or a freezer? The 4 “F’s” of Surviving Danger
By Dr.Roger Firestien, Author of Create In a Flash. The fight, flight, freeze survival response – or FFF for short...
Why the FemTech sector might be the sustainability saviour we have been waiting for
By Kristy Chong, CEO & Founder Modibodi ® Taking single use plastics out of circulation is no easy feat, but...