By Cliff Moyce, DataArt Global Head of Financial Services Practice
Unlike their challenger bank siblings and fintech cousins, incumbent banks have one particular problem to solve if they are to remain viable and competitive. That problem is high cost to income ratios of (typically) around 60%. Compare that figure to fintech firms engaged in ‘unbundling the bank’ who even when fully operational are operating at ratios as low as 20%.
A large part of the difference in costs is the cost of operating and supporting legacy system architectures.Other factors include the cost of branch networks, and the (over)staffing implications of functionally divided organisations. High IT infrastructures costs in large banks arise from significant duplication and hidden redundancy; poor integration; high complexity; poor systems documentation and knowledge; a lack of agility/ flexibility/ adaptability; old fashioned interfaces and reporting capabilities; difficulties integrating with newer models such as cloud computing and mobile devices; being difficult to monitor, control and recover; and, susceptible to security problems.
Getting old and new applications, systems and data sources to work seamlessly can be difficult, verging on impossible. This lack of agility means that legacy systems in their existing configuration can be barriers to improved customer service, satisfaction and retention. In regulated sectors they can also be a barrier to achieving statutory compliance. Pressure to replace these systems can be intensified by new competitors who are able to deploy more modern technologies from day one.
One radical approach to solving the infrastructure issue is to design and implement a new, more modern architecture using a radical clean-slate or blueprint-driven approach. Amusing analogies have often been used to encourage audiences to take such an approach, including the analogy of legacy infrastructures resembling an unplanned house that has been extended many times. But how easy is it to design and implement a new IT architecture in a large mature organisation with an extensive IT systems estate?
Rather than the unplanned house analogy, a better analogy might be a ship at sea involved in a battle. Imagine if you were the captain of such a ship and someone came onto the bridge to suggest that everyone stop taking action to evade the enemy and instead draw up a new design for the ship that would make evasion easier once implemented. You might be forced to be uncharacteristically impolite for a moment before getting back to the job at hand.
The temptation to start again is enormous, but big-bang approaches to legacy IT systems replacement can be naive, expensive and fraught with risk. At some point, many large organisations have attempted the enterprise-wide re-design approach to resolving their legacy systems problems. Yet so many initiatives have been abandoned when the scale of the challenge or the impossibility of delivering against a moving target become clear. Time has a nasty habit of refusing to stand still while you draw up your new blueprint. Re-designing an entire architecture is not a trivial undertaking, and building / buying and implementing replacement systems will take a long time. Long before a new architecture could ever be implemented the organisation will have launched new products and services; changed existing business processes; experienced changes to regulations; witnessed the birth of a disruptive technology; encountered new competitors; exited a particular business sector and entered others.
All of these things conspire to make the redesign invalid even before it’s live. If you are lucky, you may realise the futility of the approach before too much money has been spent. Furthermore, the sort of major projects required to achieve the transformation are the sorts of projects that run notoriously high failure rates. A 2005 KPGM report showed that in just a twelve month period 49% of organizations had suffered a recent project failure,with IBM later reporting in 2008 that only 40% of the projects met their schedule, budget and quality goals.And as recently as 2012, a McKinsey and Company report identified that 17% of large IT projects fail so critically as to threaten the very existence of the company.
So if wholesale blueprinting and re-engineering is impractical, what options are left to solve the problem? Luckily there are some practical and cost effective approaches that can mitigate many of the problems with legacy systems while obviating the immediate need to replace systems (though eventual systems replacement should be an objective). Two viable alternative approaches are service-oriented architecture (SOA) and web services. Used in combination, they offer an effective solution to legacy systems problem.
SOA refers to an architectural pattern in which application components talk to each other via interfaces. Rather than replacing multiple legacy systems, it provides a messaging layer between components that allows them to co-operate at a level you would expect if everything had been designed at the same time and was running on much newer technologies. These components not only include applications and databases, but can also be the different layers of applications. For example, multiple presentation layers talk to SOA and SOA talks to multiple business logic layers – and thus an individual prevention layer that previously could not talk easily (if at all) to the business logic layer of another application can now do so.
Web services aims to deliver everything over web protocols so that every service can talk to every other service using various types of web communications (WSDL, XML, SOAP etc.). Rather than relying on proprietary APIs to allow architectural components to communicate, SOA achieved through web services provides a truly open interoperable environment for co-operation between components.
The improvements that can be achieved in an existing legacy systems architecture using SOA though webs services can be immense, and there is no need for major high risk replacement projects and significant re-engineering. Instead organisations can focus on improving cost efficiency by removing duplication and redundancy though a process of continuous improvement, knowing that their major operations and support issues have been addressed by SOA and web services. Another benefit is that the operations of the organisation can start to be viewed as a collection of components that can be configured quickly to provide new services even though the components were not built with the new service in mind. This principle is known as the composable enterprise.
But addressing the issue of legacy systems in a way that makes good sense is not just an IT issue; it is also a people issue. It requires people to resist their natural inclination to get rid of old things and build new things in the mistaken assumption that new is always better than old. It requires people to resist the temptation to launch ‘big deal projects’, for all of the reasons that people launch big deal projects – from genuine belief that they are required (or the only way), to it being a way of self-promotion, and everything in-between. It requires people to take a genuinely objective view of the business case for change, while operating in a subjective environment. It requires people to prioritise customer service over the compulsion to tidy up internally. And, it requires the default method of change to be continuous improvement rather than step change projects – which can be counter intuitive in cultures where many employees have the words ‘project’ or ‘programme’ in their job titles.
So, to summarise, of course legacy enterprise IT architectures can feel like barriers to efficiency, agility and customer satisfaction and making even the smallest change can often feel like it takes too long and costs too much money. The overwhelming temptation to throw the legacy architecture away and start again is understandable, but succumbing to that temptation can be a mistake. Luckily we now have technical tools and approaches available to affect radical improvements without having to incur the expense, effort and risk of major replacement projects. But using these tools comes with a change of mindset and approach that may be counter-cultural in some organisations. It can mean a move away from step-change and ‘long-march’ projects, and a move towards continuous improvement. Education and engagement will be one of the keys to making it happen.
*Previously published in Issue 3
What does cybersecurity look like for the financial sector in 2021?
By Neill Lawson-Smith, managing director at CIS
The landscape is changing incredibly fast, with cybercriminals using the most up-to-date technology to hack systems. Here are the six areas those in finance should be watching out for…
The finance and insurance sector is increasingly becoming a notable target for cyber attacks. Many of these breaches happening are believed to be due to inadequate security measures when teams or businesses are using cloud services.
The financial industry is also being affected by changes in processes with more fintech, virtual banks, and other digital disruptors impacting the market. The landscape is changing incredibly fast, with cybercriminals using the most up-to-date technology to hack systems, so it is therefore up to the financial sector to keep up to avoid security breaches.
What does this look like for the year ahead in the financial sector? Here are the Six areas those in finance should be watching out for:
- AI securityand cyber defence
Both Cybercriminals and cyber defence are commonly using Artificial Intelligence (AI). In cybersecurity, it is used to identify new threats, as well as assess the effectiveness of the responses to threats, enabling them to foresee and essentially block attacks before they happen. It is also used to spot behavioural patterns and can quickly identify possible infiltrations.
Hackers have also started to use AI to make it easier for them to get past security systems in place. This year, it is likely that AI will be increasingly used as a means of gaining personal details (i.e. credit card details) as well as optimising spam phishing campaigns.
- Mobile cybersecurity in banking
With the number of consumers using their mobile devices for banking and financial transactions increasing, especially since the COVID-19 pandemic has rendered society predominantly cashless, cybercriminals have been heavily targeting mobile systems. For example, mobile malware only targets mobile phone operating systems. The most common forms of mobile malware are virus and trojans, spyware and madware (mobile adware), phishing campaigns, and browser exploits.
This means it is now more important than ever to protect mobile devices to the same extent as traditional hardware.
The same protocols that are in place to ensure your staff PCs and laptops are secure now, need to also be applied to their mobile devices as well, such as:
- Ensuring the latest versions of the operating system and other applications are installed.
- Installing a firewall.
- Enabling mobile security software to protect against malware and viruses.
- Using password protected lock screens.
- Ensuring apps are only downloaded from official sites like Apple App store and Google Play.
- Multi-factor authentication
Multi-factor authentication adds an extra layer of security to all your business networks by ensuring every transaction or login is supported by at least two security measures for access. It is one of the easiest security measures to implement within your business and is becoming more common within the financial sector for many transactions. The traditional username and password are becoming increasingly easy for cybercriminals to acquire, whereas adding an extra identification method, that is not easily accessible to the hackers, ensures an extra layer of protection.
The most commonly used multi-factor authentication methods are:
- Passwords – They should be complex and comprise at least eight characters and be a combination of upper- and lower-case letters, numbers, and special characters.
- One-time use code – A randomly generated code sent via SMS or email which is used only once. With weaknesses in mobile networks and email accounts, these can however be intercepted by hackers.
- App generated codes – a code generated by an app on a mobile phone often created by scanning a QR code that contains a ‘key’. As the key is stored on the phone itself this is less likely to be intercepted by a third party.
- Physical authentication keys – this is a USB which the user inserts every time they login from a new computer. Unfortunately, they don’t work on all devices without adapters (such as iPhone, MacBook or Android).
- Biometrics – Using a fingerprint, voice, or an eye dent is an effective identifier. They are extremely difficult to hack but if they are, they cannot be used ever again for anything.
- Information – this could be something that only the user would know – either a password or a piece of information.
Most of these methods are free or relatively cheap to implement and don’t require anything other than a mobile phone for the user. The added security of multi-factor authentication means even if a hacker has acquired a username/password combination there is still an extra security barrier preventing access.
- Refined testing
As the finance industry is constantly changing, then so too are the security threats. Financial cybersecurity is an ongoing commitment, so installing new anti-virus software and implementing MFA, and stopping there is not going to keep you protected for long. It requires ensuring software and firewalls are up to date as well as ensuring access is regularly updated. In addition to this constant maintenance regular testing of the systems is essential. All systems have vulnerabilities, and as these change, cybercriminals learn to overcome them, and therefore software develops.
One thing to remember is that it is not possible to be over-cautious when it comes to cybersecurity. Regular penetration testing essentially identifies any weaknesses in your systems before the cyber criminals do. It is essential to schedule penetration testing or vulnerability scans at least once a quarter unless compliance dictates otherwise. They can be carried out using a vulnerability scanner.
- Hiring the right people
It is crucial to have the right team on hand to ensure your systems are up to date, regularly tested and maintained is essential.
Your IT team should have the following skills and knowledge:
- Knowledge and understanding of the company’s IT infrastructure
- Knowledge of cybersecurity best practices
- Understanding of company processes and data flows
- Up to date knowledge of cybersecurity solutions
- Plan a Defence, Prepare for Attack…
Although businesses can take many precautions, there are limitations on skills, investment and timescales in implementing a comprehensive cybersecurity infrastructure, it is essential that appropriate procedures, policies and processes are established to ensure that an appropriate response is carried out in the event of a detection – whether manual or ideally automated – so that whenever an attack occurs, the appropriate and proportionate response is carried out immediately to limit any further damage or intrusion.
Data protection: it’s time to reassess your security strategy
By Tony Pepper, CEO of Egress
It’s no secret that the Covid-19 pandemic has created a perfect storm of cybersecurity risk. External threats are heightened, but there’s also a higher level of internal risk too, exacerbated by home working. With most financial services organisations planning to continue with mass remote working for the foreseeable future, it’s important for security teams to review their strategy and assess whether it still works in this new landscape. When it comes to insider threat, there are three key areas that IT leaders should focus on: building a positive culture around security, understanding their organisation’s level of risk and protecting their people.
- Build a security-positive culture
Many organisations have unknowingly instilled a security-negative culture among their employees, where people are punished or shamed if they cause a security incident. While they might think that this would discourage employees from causing data breaches for fear of repercussions, this actually makes your organisation less secure. Our Outbound Email Security Report found that 62% of organisations rely on their people to report email data breach incidents – and if employees are too afraid to come forward, that means your business is at risk of developing a security blind spot.
A security negative culture won’t actually prevent data breaches caused by human error, something which organisations need to recognize as largely unavoidable without technological intervention; it just delays remediation, which makes every incident worse. By creating a security-positive culture, you can better engage and educate employees, as well as ensure you’re able to rapidly triage any incidents if they occur.
- Understand your risk
When mapping out your risk, you’ll likely find that the picture looks very different to how it did even a year ago. In the past, organisations have focused on their networks and their devices when it came to security strategy. While these are vital areas for consideration, what hasn’t been as well-addressed to date is the human aspect of risk, particularly human error. You need to look closely at the tools that your employees are using daily to facilitate digital communication with clients and colleagues, including when sending sensitive information.
Employees are specifically using email more than ever before – our recent research found that 94% of organisations are sending more emails due to Covid-19, with one-in-two IT leaders reporting an increase of more than 50%. With this expansion of email volumes comes an increase in the risk that an email containing sensitive data might be misdirected. Remote working has also heightened the threat – our research found that 35% of organisations’ serious email data breaches were caused by remote working. Why? The causes lie in their behavior and the environments in which they operate. Some individuals may feel they’re able to take more risks away from the “watchful eyes” of their Security team, and every employee is faced with a myriad of distractions that make them more likely to make a mistake.
It’s time for organisations to take stock of their risk by looking at where gaps in their security might exist – and provide safety nets for their employees that can automatically detect and mitigate inadvertent data breaches and risky behaviour.
- Protect your people
It goes without saying that not all data breaches are caused by malicious activity. An overwhelming amount of data breaches are caused by hardworking employees making honest mistakes, from sending an email to the wrong person to responding to a phishing attack. Unfortunately, human error is an unavoidable part of life, and mistakes will happen. In the past, many organisations have taken the approach that employee error can be ‘trained away’, embarking on comprehensive security training programs in the hope that security incidents might decrease.
Unfortunately, if that were the case, then employee activated data breaches would be a thing of the past! Organisations need to employ a multifaceted approach when it comes to avoiding accidental insider data breaches – education and training remain an important element, but ultimately businesses need to implement the right technology to provide a safety net for their people. Many organisations have legacy DLP solutions in place that cannot mitigate the risk as they fail to fully understand employees’ behaviour.
Often, these tools stand in the way of productivity, prompting users even when there isn’t a legitimate risk. When click fatigue sets in, these solutions become ineffective, with users ignoring prompts whenever they appear. Luckily, advances in machine learning mean that there’s technology available to prevent insider data breaches such as misdirected email, by deeply understanding the way that users behave and the context in which they share data, to ensure emails are sent to the right recipients with the right level of security.
The vast majority of organizations will never go back to every employee working full time within the office environment, instead post-pandemic we will see a myriad of different approaches – with some based in the office, while others work at home part or full-time, and as the world opens up again, their locations may change throughout the day. To mitigate risks from inadvertent errors to intentional data exfiltration, CISOs must address their security culture and protect their human layer with intelligent controls that mitigate employees’ behaviors and stop breaches before they happen.
Sumitomo Life Insurance Selects Talend to Build Company’s Data Infrastructure
Leading life insurer uses Talend in data lake environment for data analytics
Talend (NASDAQ: TLND), a global leader in data integration and data integrity, announced today that Sumitomo Life Insurance Company, one of the Japan’s leading life insurance companies, has selected Talend Data Fabric for its data analytics infrastructure.
Sumitomo Life aims to become the most trusted and supported company by its stakeholders, including its customers, and to grow sustainably and stably. Sumitomo Life’s vision is to offer advanced products to enable customers to live vigorously. To respond to that, the company is developing and delivering cutting-edge products that respond to its customers’ current and expected futures needs in areas focusing on nursing care, medical insurance and retirement planning.
“With the trust from our customers as the starting point of all our activities, Sumitomo Life is providing optimal life insurance services to every person through the sound management of the insurance business,” said Mr. Masakazu Ohta, General Manager in Charge of Information System Department at Sumitomo Life. “As a new approach, it was necessary to build a common foundation for big data management, and Talend is the driver. Talend’s superiority in cloud implementation, development productivity, features, and licensing model convinced us to be part of this journey together.”
To meet the needs of its customers and offer them innovative products and services, Sumitomo Life has decided to build a foundation for data analysis (Sumisei Data Platform) in the cloud for the promotion of new insurance products. The company evolved its legacy data environment to the new environment where they can store the data extracted from various systems both on-premises and effectively in the cloud.
In order to meet the needs of each individual customer and provide the best insurance for them, Sumitomo Life uses Talend Data Fabric as the hub of its data infrastructure. This manages data across the organization and integrates data into a data lake, which makes them able to utilize data across the company.
“We have been able to release projects with the continuous support of Talend, even amid the changing business environment in the Covid-19 crisis. We will continue to collaborate with Talend in order to actively promote company-wide data analysis projects,” added Mr. Ohta.
“The insurance market is one of the most competitive sectors. By facing tight regulations and complex customer needs, companies must be at the forefront of innovation to offer even more services and new products to its customers,” said Kenji Tsunoda, Country Manager Japan, at Talend. “Talend helped Sumitomo Life reinvent its data-driven infrastructure to provide a data management platform that enables the development of advanced products for its customers. We are delighted to support Sumitomo Life in the pursuit of their vision.”
FTSE Russell to include 11 stocks from China’s STAR Market in global benchmarks
SHANGHAI (Reuters) – Index provider FTSE Russell will add 11 stocks from China’s STAR Market to its global benchmarks, according...
Foxconn chairman says expects “limited impact” from chip shortage on clients
TAIPEI (Reuters) – The chairman of Apple Inc supplier Foxconn said on Saturday he expects his company and its clients...
Bitcoin, ether hit fresh highs
SINGAPORE (Reuters) – Bitcoin hit a fresh high in Asian trading on Saturday, extending a two-month rally that saw its...
UK insurers estimate to pay up to 2.5 billion pounds for coronavirus claims
(Reuters) – The Association of British Insurers (ABI) said on Saturday insurers are likely to pay up to 2.5 billion...
Citigroup considering divestiture of some foreign consumer units – Bloomberg Law
(Reuters) – Citigroup Inc is considering divesting some international consumer units, Bloomberg Law reported on Friday, citing people familiar with...
World Bank pushing for standard vaccine contracts, more disclosure from makers
By Andrea Shalal WASHINGTON (Reuters) – The World Bank is working to standardize COVID-19 vaccine contracts that countries are signing...
Google to evaluate executive performance on diversity, inclusion
By Paresh Dave (Reuters) – Alphabet Inc’s Google will evaluate the performance of its vice presidents and above on team...
EU seeks alliance with U.S. on climate change, tech rules
By Sabine Siebold and Kate Abnett BERLIN (Reuters) – Europe and the United States should join forces in the fight...
Oil extends losses as Texas prepares to ramp up output after freeze
By Devika Krishna Kumar NEW YORK (Reuters) – Oil prices fell for a second day on Friday, retreating further from...
Dollar edges lower as investors favor higher-risk currencies
By Stephen Culp NEW YORK (Reuters) – The dollar lost ground on Friday as market participants favored currencies associated with...