Nick Hammond, lead advisor for financial services at World Wide Technology, discusses the steps financial services firms need to take to overcome the rising threat of cyber security breaches
More than four in ten businesses experienced a cyber security breach in the last year, according to the UK Government's Cyber Security Breaches Survey.
Investment in cyber security by finance and insurance firms doubled in the last year, and 51 per cent of businesses have implemented all five of the basic technical controls listed under the Government-endorsed Cyber Essentials scheme.
But this is not enough to keep modern IT systems secure. Changes to the way financial services firms use technology mean that information can no longer simply be kept on a closed system and protected from external threats by a firewall. Data now regularly leaves the four walls of a company and is shared across thousands of locations. Multiple third parties, such as credit rating services or interbank payment systems, need access to data to provide their services, and it is also shared with employee and customer devices through mobile banking apps and bring-your-own-device schemes. This makes the traditional perimeter-firewall approach to protecting IT systems outdated: it assumes that anything inside the perimeter can be trusted, so a single compromised device or third-party connection gives an attacker free movement within the network. There must be a fundamental rethink of the approach to security.
It is no longer possible to draw a perimeter around the whole system. Instead, each individual application has to be protected in its own right and allowed to exchange data only with the specific applications that need it, with everything else denied by default.
The sprawling, interdependent nature of modern financial IT infrastructure means that defining these boundaries and permissions is often easier said than done. Over the years, programmers have had to keep up with each new software development that came along and integrate it into the system, but no one has had an end plan in mind for the larger architecture. What began as relatively simple structures twenty years ago have been patched and re-patched in various guises and stitched together. The teams who set up the original systems have often moved on from the firm, and their knowledge of how the pieces fit together has gone with them.
This means that trying to isolate one application within the architecture in order to secure it can cause something else to simply stop working. For example, an e-commerce system typically relies on a credit card database, and would fail if the communication between the two were cut off in the name of security without first establishing that the dependency exists.
To adapt to the current security climate, application owners and compliance officers first need to talk about infrastructure and get a clear picture of what is actually going on in their systems, before putting the most appropriate solution in place. If they are to tackle the threat of cyber breaches in a future-proof way, financial services firms need a bespoke security policy that traces every interdependency within their systems and adapts protection policies accordingly.
Many firms invest in security products before working out how those products will function in the existing environment, and then try to work backwards from that point once they run into problems. This is the wrong way round. Without starting from a position of visibility over the infrastructure, there is no way of telling which product will be the most appropriate, or what it will break.
This visibility is even more necessary in order to comply with new regulations that come into effect this year. One of them, for instance, requires that testing and production environments cannot communicate, so that untested code cannot affect the wider working system. GDPR, now in effect, requires companies to have the technologies in place to prevent and detect any kind of leak or cyber breach, and to report it to the regulator within 72 hours of becoming aware of it. Neither knowing whether testing and production environments are talking to each other, nor knowing that a breach has occurred, is possible without visibility over the entire network.
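The approach the preceding paragraphs argue for, visibility first and then per-application permissions, can be made concrete. The following is an added worked example, not code from the article or from World Wide Technology: it takes a handful of constructed flow records (the application names, environments and ports are hypothetical) and derives from them a dependency map, an explicit per-application allow-list, a "who breaks if I isolate this" answer for the e-commerce and card database case above, and a check for flows that cross between testing and production.

```python
from collections import defaultdict

# Constructed sample flow records; the application names, environments and
# ports are hypothetical and stand in for a firm's own flow logs or discovery
# tooling output. Each record is (src_app, src_env, dst_app, dst_env, dst_port).
OBSERVED_FLOWS = [
    ("ecommerce-web", "prod", "card-db", "prod", 5432),
    ("ecommerce-web", "prod", "card-db", "prod", 5432),
    ("ecommerce-web", "prod", "payments-gw", "prod", 443),
    ("payments-gw", "prod", "interbank-api", "prod", 443),
    ("credit-rating-svc", "prod", "customer-db", "prod", 5432),
    ("mobile-banking-api", "prod", "customer-db", "prod", 5432),
    ("ecommerce-web", "test", "card-db", "prod", 5432),  # a test system talking to production
]


def build_dependency_map(flows):
    """Map each destination app to the set of apps observed calling it.

    This is the 'who breaks if I cut this off' view: isolating a destination
    affects every source listed against it.
    """
    dependents = defaultdict(set)
    for src, _src_env, dst, _dst_env, _port in flows:
        dependents[dst].add(src)
    return dict(dependents)


def dependents_of(flows, app):
    """Return, sorted, the apps that would lose a dependency if `app` were isolated."""
    return sorted(build_dependency_map(flows).get(app, set()))


def derive_allowlist(flows):
    """Turn observed same-environment flows into explicit (src, dst, port) permits.

    Cross-environment flows are deliberately excluded, so a test -> prod
    connection never becomes 'allowed' just because it was seen once.
    """
    return {
        (src, dst, port)
        for src, src_env, dst, dst_env, port in flows
        if src_env == dst_env
    }


def find_environment_crossings(flows):
    """Flows whose source and destination environments differ (e.g. test -> prod)."""
    return [f for f in flows if f[1] != f[3]]


def check_flow(allowlist, flow):
    """Default-deny check: permitted only if the flow is in the allow-list
    and stays within one environment."""
    src, src_env, dst, dst_env, port = flow
    return src_env == dst_env and (src, dst, port) in allowlist


def find_violations(allowlist, flows):
    """Return every flow the policy would deny, for review before enforcement."""
    return [f for f in flows if not check_flow(allowlist, f)]


if __name__ == "__main__":
    allowlist = derive_allowlist(OBSERVED_FLOWS)
    print("Allow-list rules:")
    for rule in sorted(allowlist):
        print("  permit %s -> %s:%d" % rule)
    print("Isolating card-db would affect:", dependents_of(OBSERVED_FLOWS, "card-db"))
    print("Environment crossings:", find_environment_crossings(OBSERVED_FLOWS))
    # A never-observed flow is denied by default rather than silently allowed.
    new_flow = ("reporting-batch", "prod", "card-db", "prod", 5432)
    print("New flow permitted?", check_flow(allowlist, new_flow))
```

The point of running `find_violations` against the observed traffic before enforcing anything is the one the article makes: the allow-list is derived from what the systems actually do, so the e-commerce to card database path survives, while the test-to-production connection is surfaced for a decision rather than cut off blindly or quietly grandfathered in.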
Furthermore, if strict processes are not in place to guard against dangerous changes, or if staff do not follow the guidelines around them, systems will remain vulnerable to a breach of regulation or of system security, no matter how secure the technology. Financial firms need to have the correct processes in place and the right people to oversee them.
Getting an in-depth understanding of existing systems will enable financial services firms to upgrade current processes, complete their documentation and implement standards that mitigate risk. Taking a proactive rather than reactive approach will allow them not only to comply with regulations, but also to tackle any attempted cyber attack head on.