By Accenture
As senior executives weigh their next moves in cyber security, we advocate a proactive approach. Anticipate what new threats may challenge the enterprise and which security elements can help to improve performance; then weave the right security features into the enterprise’s infrastructure and digital assets.
Getting ahead of the threats is not easy, to be sure. The measures taken in most financial services enterprises have been largely reactive, designed to defend against a repeat of an attack that has already occurred. Reactive capabilities are still useful, because they shorten incident response and reporting times, but a reactive mode alone is not sufficient.
Effective cyber security should be incorporated into processes throughout an enterprise, not just on the perimeter. As financial services firms build, acquire, or source the right combination of capabilities, the experiences of leading cyber security professionals offer up a set of six principles that have proven quite effective in guiding the development of a comprehensive cyber security strategy. The following are six key principles of cyber security.
Identify and secure the IT assets themselves, not just the perimeter.
Because of the complexity of their business model, many financial services firms don’t know the channels through which all of their information assets are accessed or where they’re specifically located. There should be a detailed plan to protect these assets and capabilities from being compromised, including a robust test of the plan to make sure that it’s viable.
Financial services firms should embed cyber resilience and defensive capabilities throughout the organization, not just in individual components. An organization must be agile enough to keep pace with changes in demand and in the nature of cyber threats.
Financial services firms do not always clearly define cyber security governance structures, including specific oversight responsibilities. They may also find that the management responsibility and accountability can be dispersed and fragmented. As a result, it’s not clear where the buck stops on information security. That’s one reason for the big gaps in IT security policies among financial services institutions.
By contrast, organizations that exhibit a culture of security do make responsibilities and accountabilities explicit. They go beyond the leadership levels and focus on employee awareness and accountability. Looking at examples from other industries, Sun Microsystems, General Electric, and Intel all have formally extended the remit of their privacy officer’s role to information governance and/or data security to ensure a holistic approach to information management and protection.
Some financial services organizations, such as Bank of America, have hired cyber security “czars” who have specific responsibility for cyber security strategy. These executives lead such activities as the coordination of industry-wide exercises like the Cyber Attack against Payment Processes Exercise conducted recently by the Financial Services Information Sharing and Analysis Center.
Such organizations tend to view themselves as stewards, not owners, of personal data and take actions to protect data entrusted to them.
Organizations should create a common set of data privacy and protection standards that can be applied consistently from country to country to minimize complexity, cost of compliance, and chances for breaches while at the same time enabling responsible data sharing and global data flows.
Many serious breaches result from application-level weaknesses. Legacy applications now have to be reengineered and new applications need to be developed under a new security paradigm. Most financial institutions should extend security to the device level as well as to the application layer.
Trusted application development and delivery is thus a critical component of a cyber security initiative. Financial services firms need to be able to measure an application’s resistance to attack and its ability to process and handle sensitive information regardless of who builds or maintains it. The system should undergo stringent testing to help confirm that mission-critical applications can be run with reduced risk.
Identity management has become a top security priority. For many digital systems, the traditional paradigm of identity authentication is based on knowing phrases or numbers that once were considered secret or at least protected. Now much of that information may be commonly available or at least discoverable.
Mastering the ability to determine whether customers, suppliers or employees are who they claim to be when they access enterprise systems and facilities is crucial to enterprise performance. Yet with IT budgets under increased scrutiny, many CIOs are charged with reducing risks and threats while also improving the administrative and cost efficiency of managing user identities and access to information.
Effective identity and access management programs should create value by embedding pervasive security without sacrificing functionality and ease of use.
Financial services firms can take advantage of improving price performance characteristics of other authentication technologies, such as biometrics (fingerprint or retinal scans) and smart cards, to speed the time to value and increase the return on investment of identity management initiatives.
Overall, mobile banking is expected to reach 400 million people in the next three years. Financial institutions are looking to mobile devices and are proliferating applications to take advantage of this channel.
For example, JPMorgan Chase & Co. is offering a mobile remote capture application that customers can use to electronically deposit checks with their phones. USAA Federal Savings Bank, which serves members of the military and their families, introduced a similar service last year.
But for U.S. financial services institutions, several considerations come into play. First, there are new devices and new operating systems to consider – iPhone, Android, Windows Mobile, BlackBerry, and others. Each of them has its own way of addressing security, which has implications for the development teams that need to compensate for security flaws across multiple services.
A related consideration is that mobile devices are easily lost or stolen. Most come with removable media such as a SIM card that may store a huge amount of personal data including account numbers and passwords, and can be breached relatively easily by a talented hacker.
A third issue is that many U.S. consumers have not yet grown accustomed to mobile financial services.
Financial institutions should be preparing now for a sustained effort in consumer education and communications about mobile device security ― good password protocol, how to erase data remotely if a device is stolen, and so on.
Keeping ahead of risks means, first of all, understanding exactly which key risks the organization is facing. Organizations should collaborate with business partners that take equal or greater care with data, and rigorously assess partners’ knowledge, practices, and experience in managing sensitive data across organizational and national boundaries in accordance with local privacy laws and industry regulations.
Banks and other financial services institutions therefore need to get more serious about monitoring suspect activity. They must actively gather cyber intelligence and watch downstream activities in order to:
● Recognize back doors and vulnerabilities unseen by point compliance and checklist efforts
● Recognize complex and chained patterns that indicate the initiation of an attack
● Expand the scope of vulnerability assessment or penetration tests
● Harness external sources of threat intelligence to understand and train for zero-day exploits
● Detect reconnaissance activity by a terminated employee or a hacker forum
Software vulnerabilities are readily available sources of threat intelligence. Staying current with evolving threats will entail keeping staff educated and trained in cyber security. In a recent Accenture survey of business leaders and individuals, internal issues ― employees (48 percent) and business or system failure (57 percent) ― were cited most often as the source of the breaches.
Pattern analysis tools, similar to customer relationship management tools, can help to flag anomalies in employee behavior as they occur. Some financial institutions are also trying to be more predictive about insider fraud. They might require periodic urine testing, pull employee credit ratings frequently, or use similar techniques to anticipate which employees might turn rogue. Such activities may be opposed by some executives on the grounds that they demonstrate a lack of trust, but most employees will accept these measures if the “trust, but verify” approach is communicated effectively.
This column was contributed by Accenture Korea.