Mobile security can be a weak link when it comes to both cybercrime and compliance, says Alistair Millar of Altodigital
By Alistair Millar, Group Marketing Manager, Altodigital
Mobile working has become a way of life – so much so that it’s difficult to remember all the fuss surrounding the whole BYOD issue. At the time, those who decided on a BYOD policy took measures to counteract the risks of allowing remote access to company data from employee devices. For example, they strengthened their firewalls and introduced tiered systems of mobile access.
As a result, many businesses felt stronger than ever – invincible even. However, in reality the number of security breaches continues to rise. High-profile victims such as Uber, which recently revealed that it was hacked in late 2016, exposing the personal information of 57 million customers and drivers, the credit rating company Equifax and Yahoo have contributed to the shock headlines by admitting their own breaches and showing that nobody is immune.
Even Deloitte, the multinational professional services firm, suffered a humiliating security attack in September this year. It came to light that the company wasn’t using two-factor authentication, which was surprising as Deloitte was once named ‘the best cybersecurity consultant in the world’.
It seems cybercrime is a real leveller. Earlier in 2017, the UK government released the results of a cybersecurity survey which revealed that seven in ten large businesses had identified a breach or attack. However, the survey points out that small businesses can be hit particularly hard by a cyberattack, with nearly one in five taking a day or more to recover from their most disruptive breach.
This is not to say that mobile access has been responsible for all these breaches. However, cyber criminals will always find the weakest links. Today, mobile devices are increasingly under attack. In fact, in a study for Check Point software, 20% of companies polled said their mobile devices had been breached and nearly all (94%) expected the frequency of mobile attacks to increase.
The problem is similar to all security weaknesses. The more secure and robust the mobile operators make their systems, the smarter the criminals become in creating malware to penetrate them – with spyware becoming equally sophisticated.
Mobile apps are another target, especially those which enable users to store personal details. Increasingly these are being used by workers in the field such as insurance risk assessors, sales reps and customer service agents. They can store significant amounts of data – often customer information and personal details – and are extremely vulnerable to hackers.
At the same time, many businesses are also migrating their data to the cloud (it’s suggested one in three now use cloud storage) and bringing a whole new set of concerns. They need to ensure that their security is at least mirrored by that of their cloud provider. If a company is using cloud services, they are themselves still liable for the security of any data forwarded to those services.
All these issues are coming to a head as the May 2018 deadline for compliance with the new General Data Protection Regulation (GDPR) approaches. Now businesses face being hit from two sides – the hackers and the regulators. With the promise of severe penalties of up to £20 million, it’s difficult to know which is the greater threat. Gartner appears to agree, noting that “by 2019, 30% of organisations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices.”
Point of no return
Yet, we’ve come down the road of no return when it comes to remote and mobile working. To deny employees access to corporate data when out of the office could be akin to surrendering to the competitors, so great are the productivity gains.
So how can businesses – and especially small businesses without a huge IT department – exercise ‘due diligence’ and protect their data to the required levels? As I see it, there are four main areas to consider:
- Is security housekeeping up to date?
Updating patches regularly would have negated many of the problems associated with the recent WannaCry ransomware attack. Easier said than done for many hard-pressed small businesses where patching can be seen as a hassle. However, making sure the latest anti-virus and anti-malware software is in place and firewalls and gateways are up to date is a vital first step to protecting data.
- Protect against data leakages
A mobile security strategy should be developed. This should include who can access what, a policy on mobile apps and storage of confidential company details – not just on mobile phones, but also on laptops, tablets and USB sticks which can be easily mislaid.
Education is key here. For example, some people like to save work in multiple locations to ensure accessibility and to know there is a back-up. But this doubles or even trebles the vulnerable spots. If the laptop is left on a train, it could fall prey to anyone with the basic skills needed to break into it. Any file sharing applications used could also be compromised.
Employees should be made aware of potential security threats and be responsible for ensuring passwords are strong and they carefully manage and protect both their own personal data and the company information entrusted to them.
Businesses should protect other potential weak spots such as mobile printing. If documents are sent to print from a mobile phone to an office, they can easily get into the wrong hands. Businesses should use printers that hold documents until a user enters the right PIN code or other authentication, and should use encryption.
- Put the right authentication processes in place
Adaptive authentication based on certain parameters can ensure that while employees have easy access to low-risk data, a company’s confidential information is kept safe and only accessed by those with the right authority and trust.
This may mean that access to some parts of the network requires only a single password, whereas reaching HR data, for instance, requires two-factor user authentication and a digital certificate, even for the same user.
- Security at every point
An increasing number of organisations are implementing several layers of mobile security to plug every vulnerability. This can include mobile device management, mobile application management as well as anti-malware and anti-ransomware.
There’s no one size fits all here, just a policy of adding protection at any weak point.
At the same time, these measures must not prevent the mobile worker from doing their job as efficiently and productively as possible – otherwise all the advantages of mobile working will be lost. It’s a balance between benefits and responsibilities and only those who get it right will win out in the end.
Five ways to mitigate the risk of AI models
By Dave Trier, VP of Product at ModelOp
In recent years, the banking industry has been at the forefront of AI and ML adoption. A recent survey by Deloitte Insights shows 70% of all financial services firms use machine learning to manage cash flow, determine credit scores, and protect against cybercrime. According to an Economist Intelligence Unit adoption study, 54% of banks and financial institutions with more than 5,000 employees have adopted AI.
But AI and ML adoption has not been easy. Difficulty in deployment has been exacerbated by the growing number of new AI platforms, languages, frameworks, and hybrid compute infrastructure. Add to this the fact that models are being developed by staff in multiple business units and AI teams, making it difficult to ensure that the proper risk and regulatory controls and processes are enforced.
As these AI initiatives and models multiply, risk managers and compliance officers are challenged to ensure proper governance measures are in place and, more importantly, adhered to. Without an auditable process, model risk management steps are often overlooked by those responsible for developing, monitoring, and governing models. If left unattended, steps are skipped, leaving companies exposed to unacceptable business risk such as fines, unreliable model outcomes and, depending on model use, fraud.
Yet enforcing governance and risk requirements is a constant challenge, and a delicate balancing act between enforcing risk controls and continuing to encourage innovation. As AI and ML adoption grows and regulatory guidance changes, monitoring and governance become more complex.
Here are five best practices that banks and financial institutions should consider following to ensure that AI and ML models are governed and monitored effectively.
- Define an end-to-end model operations process
An end-to-end model operations process, referred to as a model life cycle (MLC), is a detailed workflow with well-defined steps for operationalizing and maintaining the model throughout its production life, from deployment to retirement. This includes steps for running and monitoring the model to ensure it continuously produces reliable results, as well as the steps a company has identified for controlling risk and adhering to regulatory and compliance requirements.
A model life cycle typically includes workflows for model registration, business approvals, risk controls enforcement, and model retraining, re-testing, re-validation, and eventually retirement. It ensures that the appropriate controls are put in place early in the operationalization process and should include thresholds that are identified and agreed upon with the 2nd line teams.
These workflows should integrate with existing applications, like data platforms, model development applications, IT service management systems, MRM systems, etc. instead of duplicating or replicating efforts. This will ensure that the latest information is being used in the model operations process and eliminate redundancy that often leads to inconsistencies.
The model life cycle establishes the technical and organizational scaffolding that unites data scientists, data engineers, developers, IT operations, model operations, risk managers and business unit leaders through clearly defined processes and ensures that all models are following the proper risk and governance procedures.
- Register all models in a central production model inventory
The first step in operationalizing a model is registering the model(s) and associated artifacts in a centralized production model inventory. All the elements that compose the model—such as source code, tests, input and output schemas, training data, metadata, as well as outputs of training—should be included, along with all the elements required to execute it, including libraries.
With a growing number of different business processes and applications that use models and platforms that run models, it is increasingly challenging for IT and business executives to confidently have a pulse on what models are actually being used for business decisioning and where they are being used.
A centralized production model inventory provides visibility into all models running in production, regardless of where they’re executing, the business process or application they’re serving, or the AI/ML language or framework used for development. This provides the flexibility to leverage existing investments, while still providing the proper level of controls for these critical business decisioning assets.
- Automate model monitoring and orchestrate remediation
Monitoring begins when a model is first implemented in production systems for actual business use and continues until the model is retired. While most of the buzz in the AI world focuses on data drift and model accuracy, model risk teams need more comprehensive monitoring focused on population stability, characteristic stability, rank order break, score concentration, selection curves, model expiration dates, ethical fairness, and many others. AI models require more frequent monitoring based on shifts in data, ongoing enforcement of business and risk thresholds and other factors.
Detecting a problem is just the first step. To achieve optimal performance and reliability, remediation must be part of the monitoring process. Monitoring workflows need to include gathering problem information, obtaining performance metrics, generating reports for aiding in diagnosis, initiating and routing incident and change requests, taking corrective actions, gating activities that need approvals and tracking the entire process until model health and performance is reinstated.
For monitoring to be most effective, it should include alerts and notification of potential upcoming issues, and most importantly, it should be automated. With the speed at which AI and ML models are being developed and embedded into core business processes, monitoring models has grown beyond human scale in most companies.
- Establish regulatory and compliance controls for all models
Models are a form of intellectual capital that should be governed as a corporate asset. They should be inventoried and assessed using tools and techniques that make auditing and reporting as efficient as possible.
The “black box” characteristics of AI and ML algorithms limit insight into the predictive factors, which is incompatible with model governance requirements that demand interpretability and explainability.
Many companies are attempting to extend their model risk processes for 1st and 2nd line teams, which is a great start, but consistent processes and automation are also required. While it may not be possible to automate the entire governance process, it can be automatically orchestrated to ensure that all regulatory and business controls are enforced for all models and all steps are tracked, reproducible and auditable.
Compliance and auditability require a systematic reproduction of training, evaluation and scoring of each model version and ultimately the transparency and auditability typically required for regulatory and business compliance.
- Orchestrate, don’t duplicate or replicate.
Automating and orchestrating all aspects of model operations ensures model reliability and governance at scale. Each model in the enterprise can take a wide variety of paths to production, have different patterns for monitoring and various requirements for continuous improvement or retirement.
A well-designed model operations process leverages, not duplicates, the capabilities of the business and IT systems involved in developing models and maintaining model health and reliability. This includes integrating with model development platforms, change management systems, source code management systems, data management systems, infrastructure management systems and model risk management systems. This integration provides the connection points for orchestrating actions, streamlining the model operations processes and allowing for end-to-end management of the complete model lineage that is traceable and auditable.
Making it all work
Technology is an important component for establishing good model operations and providing the responsiveness, auditability, and scalability that is needed, but it is not a magic bullet. Successful model governance requires significant collaboration between first line managers, risk managers, program managers, data scientists in the business lines, and the finance function for all the regulatory and capital reserve models as well as risk in technology.
AI governance and risk management will continue to evolve as AI models and technology change. Regardless, the model operations process must be properly defined, monitored and governed to produce the right business outcomes, which requires a combination of technology, well-defined processes and cross-team collaboration.
Dave Trier, VP of Product at ModelOp and their ModelOp Center product. Dave has over 15 years of experience helping enterprises implement transformational business strategies using innovative technologies—from AI, big data, cloud, to IoT solutions. Currently, Dave serves as the VP Product for ModelOp, charged with defining and executing the product and solutions portfolio to help companies overcome their ModelOps challenges and realize their AI transformation.
This is a Sponsored Feature.
How banks can overcome the IT skills gap in a post-pandemic world
By Zak Virdi, UK Managing Director at SoftwareONE
Banks have always struggled to keep pace with the speed of digital, but the problem has become more pressing in recent years. From a skills perspective, job vacancies for tech roles in UK banking rose to 30%, and the finance industry has called for the creation of a new UK body to boost recruitment in the sector. In a bid to keep up with fierce competition from mobile and online banks and fintechs, established banks are now looking to accelerate digitalisation projects. This is urgent, because COVID-19 has forced a decisive shift to digital. Indeed, since the outbreak of the pandemic, the number of European bank branches has rapidly declined.
However, if banks are to digitalise successfully, and enable a faster pace of innovation, they will need the skills to match. This is no easy feat, as talented people well versed in cloud-native technologies, app modernisation and the legacy tech that many banks continue to operate, are hard to find. This is compounded by the fact that banks also face the reality of a crowd of developers reaching retirement age and taking their skills with them.
Changing skills needs to keep up with fintech
Traditional banks face constant pressure from both industry peers and competitors like fintechs and challenger banks to provide slicker and more seamless banking experiences. Customers expect new, engaging services and functionality, from contactless payments to digital wallets and banking with wearable devices. While it may be easier for digital-native challengers to continually roll out new technology, it is a huge challenge for traditional banks to keep up without digital transformation. However, this is not a simple process.
Let’s take cloud as an example. Migrating to the cloud is seen as a key pillar of any digitalisation project, yet the challenge of building, maintaining and monitoring a complex cloud infrastructure is often beyond the capabilities of existing banking staff. According to Gartner, a majority (80 percent) of today’s workers feel they don’t have the skills required for their current role and future career. To maintain a modern, complex cloud ecosystem banks need more skilled personnel. But adding to the issue is that 53 percent of business leaders struggle to find candidates with the right abilities. The good news is that there are options for banks to address the skills challenge:
- Hiring new talent: Finding someone new with the skills you need is the most obvious solution. This enables banks to pick the specific type of candidate they require, only interviewing those that fit the bill. However, hiring externally is harder when looking for more niche capabilities, and it costs more. Legacy banks also struggle to attract candidates due to the ‘innovative’ and ‘trendy’ reputation of a career at a fintech. When recruiting for roles requiring advanced IT skills – for example, cloud-native orchestration, SAP expertise or DevOps – the pool of potential candidates is small, and banks can end up paying a premium. While hiring new team members to support your existing IT team may be the first option banks consider, it certainly isn’t the only answer.
- Upskilling staff: The World Economic Forum has estimated that 54 percent of workers will need significant digital reskilling by 2022. Looking inward at extra training to advance the skillset of existing staff can be a great way to bridge the gap. The benefits of upskilling include reduced strain on individual employees, less cost and resource drain, and improved collaboration. It will also pay off in the future as established banks build a bank of skills to rival those held by employees at challenger banks. As part of this process, banks will either need an internal skills champion, or an external training partner. Also note that upskilling is gradual and continual; even after training staff, they won’t be experts and will need starter projects to practise what they’ve learned.
- Finding the right partner: Training existing staff and hiring helps futureproof in the long term, but doesn’t solve the immediate need. Moreover, some banks may decide they don’t have the capacity or resources to pursue upskilling. So another avenue for banks to consider is finding a partner that can fill a skills gap quickly and with little hassle. Outsourcing IT can save time and resources, and enable projects to move ahead faster. With this approach, banks don’t have to spend hours interviewing potential candidates or training employees each time they embark on a new digital transformation project that requires a specific skill. In addition, banking IT teams can focus on fulfilling their day-to-day roles to the highest standard, without having to tackle unfamiliar or new tasks.
Closing the IT skills gap is only going to become more complicated as banks continue to digitally transform, with the added complication of operating in a highly regulated and competitive sector. A reliable and highly-skilled IT workforce is crucial when pursuing a digital-first future. Whether banks choose to hire-in, upskill or outsource, a clear roadmap needs to be developed that encompasses where skills gaps are and how they can be addressed, to ultimately support financial organisations in their digital transformation efforts.
Unlocking the interconnectivity of Technology and Innovation
By Olly Chubb, Strategy Director, Design by Structure
Technology enables innovation to happen – but it is not why innovation happens.
Thousands of businesses have the capability to ‘innovate’ – to create something new, or something better. What separates successful businesses is not whether they can do something, it’s whether they know why they are doing it. There is a huge distinction here; let’s look at that further.
The most successful businesses deliver more than linear, incremental improvements that make something better, faster or smoother. Instead, they harness a deep understanding of their customers, not just observing how they currently behave, but revealing and understanding their pain points, interrogating what really matters to them and identifying new opportunities to create meaningful change for them.
These businesses can rethink the sector/customer problem, approaching it from a fresh and original perspective, reframing the context and transforming expectations of what ‘better’ means.
As the classic Henry Ford quote goes, “If I’d have asked people what they wanted, they would have said faster horses”. He could have bought the fastest horses, bred them to be even faster and become rich. He didn’t. Why? Because he understood that, although his customers might not have articulated it directly, the problem wasn’t just about speed – so the solution wasn’t just about being faster. Instead, he built a new mode of transport that exceeded expectations and transformed the landscape forever – and he became extremely rich!
In short, technology enables innovation, but the smartest innovations are driven by insight – and so too are the smartest businesses.
It can be easy to forget or overlook this, not least when businesses are running full speed to improve and when there seem to be more options for improvement than ever. The most ground-breaking innovations are not remembered because of the technology; they’re remembered because they transformed businesses, cultures and industries.
We need to think of technology and innovation as having a symbiotic relationship in business. Insight is the catalyst for this change. And by putting it at the heart of every decision and using it to constantly challenge and rationalise why they should do something, businesses can streamline activity, optimise resource and align every action through a clear purpose.
Interconnectivity of tech and innovation
Technology and innovation are interconnected: they need each other to thrive. Let’s look at some examples.
What’s the biggest frustration people experience with customer services? Feeling that they are not being understood or listened to. Having to go through the same conversation, the same complaint, over and over again because they’re speaking to a different agent. We all know this pain.
Dixa is a SaaS business currently transforming the customer service experience by making it more personal, intelligent, and data-driven. It puts people at the core of its business and addresses this particular pain point – frustration.
Dixa could have used technology to reduce waiting times or increase accessibility. Instead, they looked at the problem differently and unlocked a fresh way to innovate in this industry. The service combines every customer interaction into one seamless conversation by unifying all contact points – phone, email, chat, and messaging – changing the landscape by removing the frustration of having to explain yourself again and again to different customer service agents.
It has used technology to create a seamless, ongoing dialogue that has transformed expectations of customer service forever.
Mews is another business blending insight and technological innovation to revolutionise the hospitality guest experience.
Rather than think about how to improve the traditional property management system that dominated the industry landscape, Mews decided to drive its innovation from a different angle – the human experience of both hoteliers and customers – and asked: what are their pain points?
By adopting a customer-first perspective, Mews developed customer-first tech that identifies how and where to simplify or automate hotel operations – from booking engine to check-out, front desk ritual to revenue management.
Small-scale improvements would not have been enough to compel hoteliers to switch from the established incumbent – but a new way of thinking, brought to life through technology, has created wholesale change and encouraged hoteliers and guests to imagine more.
What both these business examples show is how technology was used to dive deep into a real problem and fill a gap in the sector where meaningful change could benefit the end user – the customer. Both of these solutions tackle specific pain points and, instead of an easy fix, have come up with an idea that can shake a sector and really challenge sedentary thinking.
A final word of caution: too often businesses create or adopt technology for technology’s sake. They realise they can, so they do, but they don’t stop to ask ‘why?’. They should. When you unlock ‘the why’, you unlock the insights.
It is the insight that unlocks innovation – and technology that makes good on the promise.