Technology infrastructure (TI) at banks involves a dizzying array of things – from employee laptops and desktops, software applications, and hosting networks to networking and cabling linking offices around the world, Internet of Things (IoT) devices, sophisticated enterprise tools, data centers... and so on. Just as a country needs its critical infrastructure for economic growth, TI forms the backbone for the financial industry. TI used to be behind the scene for many decades and catered to important tasks, such as storing financial data in mainframes. However, it then became an enabler of business with rapid growth in communication bandwidth, networking and software products. With the advent of internet followed by the mobile revolution, infrastructure became even more prominent as it became part of consumers’ daily life. Like a double-edged sword, the things that were designed for the advancement of human lives have also been used for wrongful purposes. With the increasing cyber attacks on leading institutions, the need for an agile infrastructure has now become more prominent than ever before. Here are the five main areas where banks need to address their infrastructure deficiencies to take on the cyber onslaught and to prepare for future needs.
Layered Infrastructure
Over the years, technology systems have been added on top of an existing stack to quickly implement an urgent need driven by regulatory or market demands. All the enhancements through software, internet and mobile innovations have been implemented on legacy platforms that supported processing of punch cards. It has grown to a level where technology infrastructure no longer helps the banks – instead, it became an obstacle. From an information security standpoint, banks resort to implementing controls at higher levels, such as network perimeters and user endpoints. This does not provide a foolproof system, as security features have to be built at data level and individual system components. They should also be integrated with network and high-level controls. For instance, the rising cyber threat today is with ransomware incidents, which look for a small weakness in the integrated infrastructure. A successful exploit leads an attacker to access critical customer data, locks the data and then demands a hefty payment in exchange for the sensitive information. The challenge lies with how banks are going to implement the modern technology platform. They cannot afford to stop working, discard all the systems and build from scratch. If you look at the IT budgets of big banks today, they employ thousands of resources and vendors to manage the legacy systems and upgrade them for on-going needs. Investments in modern technology take place in bits and pieces and only in visible areas, such as e-commerce. Banks have to start somewhere and balance the need to keep the lights on, while creating an integrated infrastructure.
Digital Disruption
Digital disruption is shaking up the world, cutting across geographic and industry boundaries at a pace we have never seen before. Countless articles have been written about the ongoing FinTech revolution. What was once considered as an enabler of the banking industry, these startups are now directly competing and eating away the core competencies of banks. The world has moved on from the brick and mortar concept. More and more, people find it a waste of time to make a visit to a bank when they can meet many of their everyday needs digitally. Banks, which are unable to rapidly innovate and switch their customer engagement channels fast enough, will either become obsolete or give way to a massive cyber overhaul. While the FinTechs are not completely immune from cyber threats, there is no infrastructure legacy or baggage that pulls them down. Banks need to think and act like a Silicon Valley organization, so they can address the challenges of cyber crimes, which leverages state-of-the-art technologies.
Global Platform Integration
One of the initial findings of the Paris and Brussels attacks reveal that information sharing was an issue. This is not only true for government agencies but also for banks, which can provide an early warning if the systems can integrate data from multiple systems and provide actionable alerts. Today’s cyber crimes are global in nature with nation-states supporting them from remote areas of the globe. For instance, they leverage the traditional and modern forms of payment from “hawala” to bitcoin that will go under the radar of existing banking controls. Big global banks still struggle to integrate the systems that support trading, payments and other global markets processing. Systems are still different in multiple business units, regions and countries. Banks can hardly provide integrated information in real-time for their own banking needs, let alone getting alerts on potential cyber crimes.
Infrastructure as a Service (Iaas):
Vendors are able to provide IaaS, as they specialize in one or two critical functions and can easily sell their products to others. Technology infrastructure groups need to inculcate an IaaS mindset while servicing their internal lines of business and their technology partners (CIOs). This will enable them to split the cost of their base infrastructure, software products that run on top of it and information security-related controls. Segregating the technology products and cyber security service will enable the business and technology partners to value the importance of having security from design to implementation. Infrastructure and information security groups should have the final approval for any technology platform rollout from design to implementation, as businesses tend to overlook security aspects in the design phase. Technology infrastructure should also consider showing unit cost per transaction to their business and technology partners. This should be risk weighted and potential loss of revenue from cyber attacks should be considered in their return of investment (ROI) approach. The threat analysis should consider the value of data based on its criticality, potential rate of occurrence and its impact on the business.
Behavioral Analytics
Currently, there is a lot of research going on to reverse engineer the cyber attacks and learn the motives behind an attack. This can only be accomplished if the Infrastructure offers predictive and prescriptive solutions. In other words, the platform should be strategic and tactical, global and local, robust and nimble at the same time. For example, many banks' technology infrastructure today offers reactive reports and not a predictive solution. Banks are not in a position to predict their operational losses from people, process, systems and external events in a sophisticated model as data points from multiple systems do not exist in a timely and standardized format. Many cyber attacks are systems-related and all of them result in operational loss for banks.
Conclusion
A new Visa survey shows that millennials will become the customer segment with the greatest personal income, growing to an aggregate $8.3 USD trillion by 2025. At that time, millennials will represent 75 percent of the workforce and 46 percent of total US income. The US Defense Secretary warned that the country was facing the possibility of a “cyber Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s critical infrastructure. One is an opportunity and the other is a threat. What’s strikingly common between them is that banks' technology infrastructure holds the key to address both of them.
About the Author: Senthil K. Selvaraj is a Risk and Compliance executive who managed businesses in US and international regions across Technology & Operations, Consumer, Mortgage and Supply Chain. He is a CISSP, CRCM and CAMS. He can be reached at [email protected] or @sen07_s. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
Financial Services Cybersecurity Regulations
Learn how Tripwire's strategies bolster cybersecurity in the financial sector. Facing heightened risks, financial organizations can benefit from Tripwire's expertise in security configuration management and file integrity monitoring, ensuring compliance with critical regulations and safeguarding sensitive data.