To become “cyber ready”, banks need to get to know their IT systems
Nick Hammond, lead advisor for financial services at World Wide Technology, discusses the steps financial services firms need to take to keep up with regulation and protect against cyber threats.
In recent months there have been many high-profile cyberattacks and internal glitches leading to systems failures, due largely to technical legacy issues. The pressure is on financial services firms to remain up-to-date with the latest technologies, whilst staying protected from cyber threats. In fact, two thirds of businesses listed preventing cybercrime and fraud as their top priority, according to the annual “Cyber Readiness” report from Hiscox.
With new regulations coming into force this year, this need is doubly pressing. These have shifted the mandate from one of annual compliance exercises to an ongoing assurance that vital applications are prepared and secure.
With so much pressure to become cyber ready, why is it that so few companies have made discernible progress? It isn’t for want of trying. Worldwide security spending will rise to $96 billion this year, according to estimates from Gartner. Much of this goes on the growing variety of security products available to protect critical applications from failure. But unfortunately it isn’t as easy as simply buying a product and plumbing it in, due to the complexity of underlying IT systems.
The vast majority of financial services firms run on complex, sprawling, outdated legacy structures that have been patched over multiple times by various people as new technology has emerged. Often the people who first set up these infrastructures have moved on from the company, leaving their successors with a complex, opaque network of applications which depend on each other in unseen ways, with no complete picture of how the system works.
Within this, the use of data has also become more complex, and therefore much less easy to defend. Firms used to keep sensitive data in one centralised location that could be protected by a single firewall. Now, data is stored and shared between multiple locations, through third-party applications and employee and customer devices.
To remain safe, security policies need to ensure that critical applications only communicate and share data with the places that need it, with necessary air gaps between other parts of the system. But this web of interdependencies means that plumbing in a policy in one place can have unforeseen consequences downstream that can prevent other systems from running.
Before installing new security policies, financial services firms need a more thorough understanding of what is going on in their existing IT architecture. For this, they need a real-time, living picture of the entire network that maps every dependency between each part. Only after gaining this level of visibility, and working out what effects each policy could have on the system, can companies decide which products are the most appropriate.
Many firms invest in security products before working out how they can function in the existing environment, and then try to work backwards from this point once they run into problems. But this is the wrong way to approach securing applications. Without starting from a point of visibility over the infrastructure, there is no way of telling which product will be the most appropriate.
And this visibility is even more necessary in order to stay within the new regulations that come into force this year. One of the MiFID II rules, for instance, requires that testing and production environments are kept separate and cannot communicate, so that untested code cannot affect the wider working system. GDPR calls for companies to have the technologies in place to prevent and detect any leak or breach of personal data, and to notify the supervisory authority within 72 hours of becoming aware of it. This kind of awareness about the communication between testing and production environments, or the locations in which personal data is being shared, is impossible without visibility over the entire network.
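The dependency mapping and policy-impact check described above, together with the test-to-production separation check, as an added worked example in Python. This is not code from the article or from World Wide Technology: the application names, environment labels and flow records are constructed sample data standing in for what a firm would collect from NetFlow, host firewall logs or a service mesh over a long enough window to catch batch jobs; the allow-list rule is hypothetical.

```python
"""
Added example (not from the article): build a dependency map from observed
network flows, simulate what a proposed segmentation rule would block and
which applications are then at risk downstream, and flag flows that cross
environment boundaries. All hosts, environments and flows are constructed.
"""
from collections import defaultdict, deque

# Constructed flow records: (source app, destination app, destination port).
# A flow src -> dst:port means src depends on dst.
SAMPLE_FLOWS = [
    ("web-frontend", "payments-api", 8443),
    ("payments-api", "core-ledger-db", 1521),
    ("payments-api", "fraud-scoring", 9000),
    ("fraud-scoring", "core-ledger-db", 1521),
    ("reporting-batch", "core-ledger-db", 1521),
    ("reporting-batch", "regulatory-sftp", 22),
    ("uat-payments-api", "uat-ledger-db", 1521),
    ("uat-payments-api", "core-ledger-db", 1521),  # test environment reaching production
    ("dev-laptop-42", "fraud-scoring", 9000),        # host nobody has inventoried
]

# Constructed environment labels, e.g. from a CMDB tag. dev-laptop-42 is
# deliberately missing to show how an unknown host is handled.
ENVIRONMENT = {
    "web-frontend": "prod", "payments-api": "prod", "core-ledger-db": "prod",
    "fraud-scoring": "prod", "reporting-batch": "prod", "regulatory-sftp": "prod",
    "uat-payments-api": "test", "uat-ledger-db": "test",
}


def build_dependency_map(flows):
    """Return (depends_on, consumers_of): depends_on[consumer] is the set of
    (provider, port) it talks to; consumers_of[provider] is who talks to it."""
    depends_on, consumers_of = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        depends_on[src].add((dst, port))
        consumers_of[dst].add(src)
    return depends_on, consumers_of


def impact_of_rule(flows, allow):
    """Simulate a proposed allow-list before deploying it.

    allow maps (provider, port) -> set of permitted consumers. Returns the
    observed flows the rule would block and every application that depends,
    directly or transitively, on a consumer whose flow is cut: the downstream
    blast radius of 'plumbing in a policy in one place'.
    """
    _, consumers_of = build_dependency_map(flows)
    blocked = [(s, d, p) for s, d, p in flows
               if (d, p) in allow and s not in allow[(d, p)]]
    # Walk upstream: whatever consumes a broken application is also at risk.
    at_risk, queue = set(), deque(s for s, _, _ in blocked)
    while queue:
        app = queue.popleft()
        if app in at_risk:
            continue
        at_risk.add(app)
        queue.extend(consumers_of.get(app, ()))
    return blocked, at_risk


def environment_crossings(flows, env):
    """Flows whose endpoints sit in different environments (e.g. test -> prod)
    or involve a host with no environment record at all."""
    findings = []
    for src, dst, port in flows:
        pair = (env.get(src, "unknown"), env.get(dst, "unknown"))
        if pair[0] != pair[1] or "unknown" in pair:
            findings.append((src, dst, port, pair))
    return findings


if __name__ == "__main__":
    # Hypothetical rule: only payments-api and reporting-batch may reach the ledger DB.
    proposed = {("core-ledger-db", 1521): {"payments-api", "reporting-batch"}}
    blocked, at_risk = impact_of_rule(SAMPLE_FLOWS, proposed)
    print("rule would block:", blocked)
    print("applications at risk:", sorted(at_risk))
    for finding in environment_crossings(SAMPLE_FLOWS, ENVIRONMENT):
        print("cross-environment flow:", finding)
```

On the sample data the rule looks harmless on paper, but it cuts fraud-scoring off from the ledger, and because payments-api calls fraud-scoring and web-frontend calls payments-api, the customer-facing frontend ends up in the at-risk set. The environment check separately surfaces the UAT service reaching the production database and the uninventoried host; both are findings to resolve before, not after, the rule goes in.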
To reach this level of visibility, application and regulatory officers need to work with their colleagues in infrastructure to understand exactly what is happening, what should happen, and what can happen. As the threats from cyber attackers become increasingly sophisticated, and regulations demand growing assurance against these dangers, financial services firms need to develop new ways to assure their critical applications.