In these dark days of professional, organised cyber crime and state-sponsored cyber espionage, the world of business is looking for a cyber superhero to save the day. But in the quest for a cyber superhero, business is failing Lois Lane-like to recognise the Clark Kent in their midst.
Cyber security is suddenly topping the agenda of regional councils, national governments, local authorities and business boards as they begin to realise the value of the data they hold and the dire consequences of it falling into the wrong hands.
In the rush to get it right, however, they are overlooking the principles of best practice that served them so well in the past.
IT dictionary WhatIs.com defines a best practice as a technique or methodology that, through experience and research, has proven to reliably lead to a desired result. It is through this lens that it becomes clear that the Clark Kent of cyber security could possibly be the financial sector. IT security researchers routinely point to the financial sector as being streets ahead in deploying techniques and methodologies to counter a rapidly-evolving range of cyber threats.
The nature of the business is largely responsible for this success. First, to keep up with customer demands and remain competitive, the business side of banks and financial institutions is typically highly demanding on the IT functions to keep up with the fast pace of technological innovation, such as mobile payments.
Second, business managers recognise that information security is critical to what they do. Consequently the approach and thinking around the topic is more advanced and tends to be more risk-based than other sectors, as risk management is key to the core business.
Information security has been more discussed at senior management levels and business risk committees in the finance business than in any other private sector in the past five years. More recently, boards have begun asking questions about cyber threats, says Nick Seaver, partner, Security & Resilience, Deloitte UK.
While IP theft is a huge problem in other sectors, it is less visible than a data breach in the financial sector would be, so managers tend to place greater emphasis on information security than their peers in other industries, says Seaver.
John Colley, managing director of information security professionals' organisation (ISC)², has worked in two major UK banks. He says he was surprised at first to find that protecting customer data is a top priority. This is because it is linked to protecting the bank’s reputation.
“We tend to be pushing on an open door in discussions around information security in the financial sector. In other sectors, it is often a question of having to kick the door in,” says William Beer, director OneSecurity at PricewaterhouseCoopers.
The third main reason financial sector organisations tend to be ahead of the pack on information security is that it is a highly regulated industry, and regulation has long been a strong driver of the recognition of the importance of information security and of spending on projects to deliver it.
The Financial Services Authority, which was solely responsible for the regulation of the financial services industry in the UK until 2010, has been proactive in raising awareness around cyber threats and the importance of information security, particularly as the financial services sector forms part of the UK’s national critical infrastructure.
In recent times, says Beer, the imperative of regulatory compliance has been supplemented by customer demand and expectation. This trend has been spurred by consumer organisations, such as Which?, taking the initiative to publish lists of the safest banks for online transactions.
“This sends a strong message to every marketing head in the industry, taking IT security beyond the IT department, making it a much broader conversation,” says Beer.
Given these three powerful drivers, competition, risk management and regulation, software and systems developers in the financial services sector tend to be better at incorporating security by design with multiple checks and balances, building on years of best practice to secure customer-facing and internal IT systems.
A key competency is the development and deployment of sophisticated context-aware monitoring systems. For example, these use factors such as geographical location to identify anomalous behaviour that triggers intrusion alerts or additional authentication procedures to counter fraud.
The financial sector uses the same approach to correlating, slicing and dicing information for making security decisions as they do for making credit and lending decisions, which is something UK business would do well to emulate, says Seaver.
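The context-aware monitoring described above can be illustrated with a small risk-scoring routine. The following Python is an added example written for this article, not code from any of the banks, consultancies or researchers quoted: it scores each login attempt against the user's recent history using geolocation (new country, implausible travel speed between consecutive logins) and device factors, then maps the score to allow, step-up authentication or block-and-alert, in the same way a credit decision combines several correlated signals into one threshold-based outcome. All thresholds, weights, field names and sample events are assumptions constructed for the example.

```python
"""Context-aware login risk scoring (added illustration, assumptions throughout)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
GEO_TOLERANCE_KM = 50.0           # assumption: ignore small geo-IP jitter


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    country: str
    device_id: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_login(event: LoginEvent, history: list[LoginEvent]) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one attempt against the user's earlier logins."""
    if not history:
        # Defensive default: a user with no baseline gets a second factor, not a block.
        return 30, ["no login history for user"]
    score, reasons = 0, []
    if event.country not in {h.country for h in history}:
        score += 40
        reasons.append("new country")
    if event.device_id not in {h.device_id for h in history}:
        score += 30
        reasons.append("unknown device")
    prev = max(history, key=lambda h: h.ts)          # most recent earlier login
    hours = (event.ts - prev.ts).total_seconds() / 3600
    dist = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
    # Impossible travel: too far to have moved in the elapsed time (or no time at all).
    if dist > GEO_TOLERANCE_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
        score += 60
        reasons.append(f"impossible travel: {dist:.0f} km in {max(hours, 0):.1f} h")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an action; thresholds are assumptions."""
    if score >= 60:
        return "block_and_alert"
    if score >= 30:
        return "step_up_auth"
    return "allow"


def evaluate(event: LoginEvent, history: list[LoginEvent]) -> tuple[str, int, list[str]]:
    score, reasons = score_login(event, history)
    return decide(score), score, reasons


# Constructed sample events (not real users, devices or incidents).
LONDON_LOGINS = [
    LoginEvent("alice", datetime(2011, 11, 1, 9, 0), 51.5074, -0.1278, "GB", "laptop-1"),
    LoginEvent("alice", datetime(2011, 11, 2, 9, 0), 51.5074, -0.1278, "GB", "laptop-1"),
]
# Known device, but New York 90 minutes after a London login, from a new country.
NEW_YORK_ATTEMPT = LoginEvent("alice", datetime(2011, 11, 2, 10, 30), 40.7128, -74.0060, "US", "laptop-1")
# Plausible travel within the UK a day later, but on a device never seen before.
MANCHESTER_ATTEMPT = LoginEvent("alice", datetime(2011, 11, 3, 9, 0), 53.4808, -2.2426, "GB", "phone-2")

if __name__ == "__main__":
    for attempt in (NEW_YORK_ATTEMPT, MANCHESTER_ATTEMPT):
        action, score, why = evaluate(attempt, LONDON_LOGINS)
        print(f"{attempt.user} from {attempt.country}: {action} (score {score}) {why}")
```

The New York attempt scores 100 (new country plus impossible travel) and is blocked with an alert; the Manchester attempt scores 30 on the unknown device alone and is sent for step-up authentication. In production the history would come from an authentication log store and the weights would be tuned against observed fraud, but the structure, independent signals combined into one score with tiered responses, is the point.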
The sector is also leading in data classification and segmentation, data-centric defences and the embryonic trend towards intelligence-led security that ensures the right analytical questions are asked in the light of real-world attack methods and other developments in the threat landscape. “We are seeing significant investment in preparing threat intelligence capabilities,” says Seaver.
Jelle Niemantsverdriet, principal consultant at Verizon’s Forensics and Investigative Response team, says the sector is particularly good at detecting data breaches and fraud. Most other companies are unaware of data breaches until they are notified by third parties, he says.
Cyber attack simulations are another area financial institutions are investing in to test how they would respond, says Niemantsverdriet.
Financial sector organisations have long recognised the importance of protecting the application layer, says Colley. Consequently penetration testing of all business applications and code inspections are well established practices.
Banking and financial sector organisations are also acutely aware of the importance of people to information security. They do not rely on technology alone, conducting comprehensive employee screening to reduce the risk of insider threats. Financial services companies deploy some of the best security awareness and education programmes for staff and customers. This includes a high level of investment in security certification for IT staff, says Colley.
For all these reasons, the banking and financial sector could and should be the superhero of information security – but beneath the generalisations lurks another reality.
In truth, it is mainly the retail and investment banks who are the best at information security. The same good practices are not necessarily found in asset management and insurance firms or small and private banks, Beer cautions. The level of information sharing also differs from sub-sector to sub-sector.
In addition to a few high-profile cases where substantial fines have been imposed, the Financial Services Authority (FSA) sees hundreds of other data breach cases that never hit the headlines, says Richard Maddison, deputy head of resilience at the FSA.
According to a 2008 study, organisations' resources are often poorly co-ordinated, commercial off-the-shelf applications are often not tailored properly and around half do not have formal security training and awareness programmes, Maddison told the Govnet Cyber Security 2011 conference in London.
Some organisations in the sector were also found to be overlooking the fact that junior staff are often in high-risk positions with access to sensitive information. Some organisations fail to encrypt all USB devices and many lack good disposal processes for computers containing personal and valuable data.
A recent simulation exercise by the FSA revealed that none of the participants was clear about communications, and there was a lack of clear leadership, according to Maddison. In these things, the financial sector looks to government for leadership, he said.
While the financial sector is pointing the way and taking the lead in some respects, other industries would do well to learn from the best while avoiding the weaknesses highlighted by the FSA and look to government for best practices, particularly in handling large-scale cyber attacks.
Businesses seeking to emulate the success of the financial sector have several options open to them. These include hiring people with IT security experience in the financial sector and government, and joining security and risk-related forums to tap into community-based knowledge resources.
But in doing so, it is important they avoid the kryptonite-like capacity for disaster that comes from failing to develop common standards of information exchange across sub-sectors. It is imperative they develop clear lines of communication and leadership in a cyber attack situation.
While there may not be any ready-made Clark Kents, Bruce Waynes or Peter Parkers about to step out and solve the information security conundrum, the UK’s newly-announced Cyber Security Strategy – with its emphasis on public/private partnerships and information exchange – is an opportunity UK business should not miss to help make real information security a reality.
This was first published in November 2011