Gijsbert Janssen van Doorn, Tech Evangelist at Zerto
With customers looking to access banking services around the clock, from ATMs, online banking, apps and more, it's never been more important for banks to remain reliably "always on."
However, as the recent TSB outage demonstrated, that is sometimes not as easy as it may sound. At the same time, the Bank of England (BOE) and the Financial Conduct Authority (FCA) are now insisting that UK financial institutions present their action plans for minimising risks, and dealing with cyber attacks, by 5th October. It's never been more important for financial organisations to ensure they have a robust disaster recovery and resiliency strategy in place. The BOE and FCA directive also states that, should an outage occur, banks have just two days to get everything up and running again, with the promise to introduce penalties for businesses that fail to achieve this.
The current status of risk minimisation in banking
While nearly all banks will have a disaster recovery strategy in place, it's clear that these plans are not enough to ensure banking organisations remain online, regardless of what happens. TSB is not the only bank to have suffered an outage in recent months: Visa caused payment chaos when its payment network crashed in June, while the BOE experienced a glitch in January that prevented bank-to-bank transactions.
And it's not just unscheduled disasters that are impacting customers. Many UK consumers will be familiar with their banks taking "scheduled downtime" during the evening as one of those simple facts of life. However, in a 24/7 commercial marketplace, this is becoming increasingly inconvenient for customers, and will likely lead to banks losing out to competitors during off-hours. To combat this, banks need to transition to an IT-resilient approach, without which they cannot truly be considered an always-on service.
What is this new generation of IT resilience?
So what is an IT-resilient approach? IT resilience is a way of ensuring your business offers continuous availability, while maintaining the workload mobility and multi-cloud agility that, traditionally, organisations have used during scheduled maintenance. As a result, banks are able to withstand disruption, add in new technology as it becomes available, without installation hiccups, and work on their digital transformation without any inconvenience to customers. All in all, it offers a significant advantage – preventing the reputation damage, financial loss and customer confusion that go hand in hand with system downtime.
How can banks implement an IT resilient strategy?
Ahead of the 5th October reporting deadline, banks need to have two key goals, to:
1) Prevent as much downtime as possible – while understanding that cyber attacks are an inevitability
2) Have robust recovery plans and technology to get back up and running quickly
To achieve this, there are a number of simple steps banks should consider to ensure that their risk minimisation strategy is as comprehensive as possible:
1. Invest in technology that integrates all infrastructure platforms
All of the different channels that banks use to talk to their customers will rely on different infrastructures, including different cloud platforms or virtual environments. All of these will need to be protected as part of an IT resilience strategy, which means you need a solution that can work across any number of different challenging locations. In addition, with the competition to deliver better services to customers, banks need a solution that will leave them with the flexibility to try new clouds, evaluate new storage vendors, or cross-replicate between virtualisation platforms, and then make informed choices for enabling a future-proof IT strategy. At the same time, overarching integration can allow banks to move data to, from and between different infrastructures – minimising the impact of a specific solution provider's outage.
2. Prioritise testing and compliance requirements
Banking is a heavily regulated industry, with new requirements, like the new two-day-recovery period, coming into effect all the time. In addition, with the arrival of the new General Data Protection Regulation (GDPR) earlier this year, there is now even more pressure to ensure compliance – with fines of €20M or 4% of the company's global turnover for any misuse and breach of personal data. With this in mind, part of a bank's resilient approach needs to include the ability to test across the system, without causing downtime, and prove compliance to the full spectrum of legal requirements.
3. Consider using an as-a-service Disaster Recovery (DRaaS) approach to control costs and improve flexibility
Banks have a huge amount of data, which is growing exponentially. At the same time, IT systems can end up in flux as IT teams trial different solutions to meet different business needs. During this era of digital transformation, banks can benefit significantly from taking a more flexible OPEX approach to IT resilience. While a CAPEX approach could incur costly set-up fees, OPEX DRaaS allows banks to deploy the most comprehensive resilience solutions at a level that is appropriate for their business infrastructure.
Adopting a resilient approach to IT, rather than just mitigating downtime, is critical for delivering the future of always-on banking. However, innovative service delivery relies on secure foundations, and a track record of reliability. Ahead of the 5th October deadline, banks need to make sure that they can prove that their services are always available, and able to be restored easily from a single point in seconds, no matter what happens.