Banks, cybersecurity and virology
How IT departments in financial institutions (FI) handle information security, both in prevention and incident management, could provide a blueprint for governments looking to overcome coronavirus (COVID-19) and get their economies back on track.
As someone who started my career as a healthcare worker (I was a registered nurse) before pivoting into the world of IT, I find myself thinking about my previous career a lot these days. If I hadn’t zigged instead of zagged 25 years ago, I could very well be on the front lines of treating coronavirus right now.
But I think the lessons I learned about safety and stemming the spread of disease are important in a lot of other walks of life, including cybersecurity in FIs. I would actually like to see governments take a more holistic look at how they’re fighting COVID-19 and see if there are principles and practices from the IT world that could help get the disease under control.
The first practice that is essential is understanding the threat. Financial institution IT departments are great at this, which is why there are few major data breaches that result from a lack of preparation. The proactive risk management approach in FIs includes extensive monitoring that red flag any anomalies, no matter how small. This doesn’t stop all problems, but it prevents small issues from becoming big ones. It’s pretty obvious that the early response to COVID-19 was nowhere near this organised and targeted.
Another critical practice is preventative isolation. Again, technology teams at FIs are the masters at this, because the access controls to the network or systems don’t allow issues to metastasize to other locations and systems.
Network access controls that are regularly implemented prevent unauthorised (or undesirable) connections, isolating those that are trusted versus those that are not. It also helps to prevent an issue jumping from system to system, creating a catastrophe. I like to think about it like a shot in an action movie where walls and gates come down inside a building to prevent the thief from escaping. Most governments in the world have restricted travel, which has significantly slowed the spread of coronavirus. But it wasn’t done soon enough, and it wasn’t uniform country-to-country, or even city-to-city.
On the other hand, social distancing is really helping to flatten the infection curve, and it’s something that IT departments in FIs have been doing for years (No, I’m not making a lame joke about introverted programmers). This is where incident isolation comes into play. When there is a problem with a system, that specific issue is very quickly identified and shut down so that it doesn’t affect other systems. That’s an almost perfect parallel between how IT teams fighting cybercrime and epidemiologists combatting COVID-19 think about things: stop the spread by pinpointing the issue and confining it.
Yet another area where governments could learn from FI security teams is having rigid processes and controls in place. Some businesses may have casual security policies with exceptions for everything or anything, but in the financial industry, shortcuts could earn you a job making license plates. Not only are new employees trained on security protocols, such as appropriate use of cloud-based document sharing tools, and multi-factor authentication, giving a true security culture, but there are constant security audits to ensure compliance.
From what I’ve seen, most jurisdictions have been casual and somewhat inconsistent in their anti-COVID-19 measures. What’s legal in one town might be banned in another. Just look at mask adoption in public places to see what I’m talking about.
I don’t want to stretch the analogy too far, but I actually don’t think it’s out of the realm of reality to compare how FIs manage cybersecurity with how governments and health officials should approach coronavirus.
We need more consistency, better preventative controls, faster responses, and more decisive actions. No one knows what the endgame of the coronavirus pandemic will be, but what we do know is that we’re not out of the woods yet. There may still be a more significant wave of the pandemic to come. When they formulate their prevention and response strategies, the people who are trying to keep us safe would do well to look at banks and adopt some of their best practices for keeping data safe and secure.