Finance Monthly – Personal Finance. Money. Investing.

Tenable's Adam Palmer, Chief Cybersecurity Strategist, and John Salomon, FS-ISAC Director, Continental EU, Middle East, & Africa, explain the benefits of CFOs and other executives involving cybersecurity in their roles.

A commissioned study conducted by Forrester Consulting, on behalf of Tenable, found that currently only four in ten UK business leaders can confidently answer the question, “How secure are we?” There is a disconnect between business leaders, financial teams and security leaders in how they manage and communicate cyber risk. As such, cybersecurity needs to evolve as a part of the business strategy.

The Cybersecurity “Communication Gap”

Most mature businesses understand how to perform a basic assessment of the wide range of risks that impact their organisation. Cyber risk is often the exception. Cyber risk management as a discipline is well established; however, business leaders such as CFOs don’t usually “speak” security, and technical staff don’t often know how to quantitatively measure, or explain, the degree of exposure to cybersecurity threats in a business context. As a result, the link between cybersecurity and the business can be lost in translation. Security is often seen solely as a cost to the business, rather than a means of preventing losses, or even a driver for increased revenue and overall success. Aligning the security programme to financial objectives improves understanding of its value and drives support for corporate policies that enable effective cyber risk management.

Cybersecurity Awareness – a Two-Way Street

Responsibility for ensuring effective cybersecurity risk management does not belong entirely to the CISO. Success depends on the rest of the organisation making an effort to also understand cybersecurity risk. This is not to say that a CFO must be a cybersecurity expert, as the onus is on the CISO to “speak the language of business.” Rather that financial leaders should at least have a fundamental grasp of cybersecurity. Using car ownership as an analogy, a driver does not have to know how to assemble an internal combustion engine. It is reasonable, though, to expect a competent driver to understand how to change a flat tire, check the oil level, and most crucially, when to listen to a professional mechanic.


Most importantly, the infosec organisation must not be seen as a necessary evil. Rather than treating the CISO and their team as expensive alarmists, a CFO must make an effort to comprehend some of the basic concepts of cybersecurity, and the ramifications to the organisation’s finances of not having a capable, empowered security organisation. Furthermore, the cybersecurity organisation can only do its job effectively if their security risk assessment activities are backed by unambiguous, strong policies.

Seeking Clear Answers from the Security Team

The CISO must distil the highly complex topic of cybersecurity into concise, relevant messages without “dumbing it down” for business and finance leaders. While the CISO should present a measurable view of the organisation’s cyber risk exposure using internal and external comparative benchmarks, the CFO should ensure they understand the basics around:

  1. Where are we exposed?
  2. Where should we prioritise based on risk?
  3. How are we reducing our exposure over time?

Describing the target state of the security programme should be based on an understanding of risk, not blindly applying capability maturity levels. Organisations need the ability to identify and quantify their level of risk and exposure. This should be done in collaboration with the C-Suite. Cross-functional collaboration will turn the organisation’s security strategy into a “living” strategy, and ensures business alignment on priorities, costs, and needs.

Is compliance the end goal?

Many organisations will look to regulatory standards to determine their cybersecurity goals or “target state.” While there is value in meeting these baseline requirements, checking a box doesn’t necessarily equate to appropriate secure practices or addressing financial risk. Minimum, compliance-based security is not adequate security. Instead, organisations should work to really understand their critical assets, identify the vulnerabilities that affect them and create a security programme that addresses this.

By adopting a quantifiable approach to security that benchmarks internally and externally, and is aligned to business and finance objectives, it becomes much easier to define a target risk state and measure overall effectiveness. This also allows a firm to get a head start on meeting their regulatory requirements and improving communication with regulators.

CFOs need to work with CISOs in order to gain an understanding of their company’s security risk, including the financial costs associated with it, both from a risk perspective and in terms of where technology investment might be needed. While finance can’t be expected to understand the technology or how it works, it is important to understand why it matters, including the role each new investment plays in closing the cyber exposure gap. To provide the level of detail needed to determine and reduce risks, the CISO needs to be able to determine, understand and report the following information to senior management:


Stronger together

Historically, cybersecurity initiatives are seldom aligned with business and finance objectives, but that must change.

Security leaders are challenged to prioritise where they focus effort — not just when it comes to vulnerabilities, but their entire cybersecurity strategy in general. By placing cyber risk management as part of an overall risk framework, business and financial executives can more easily assess whether best practices are being implemented effectively.

To do this, the CFO must work with the CISO to align cost, performance, and risk reduction objectives with business needs. This means providing a holistic understanding and assessment of the entire attack surface, with good visibility into the security of the most business-critical assets. The CFO should seek defined metrics and benchmarking processes, tied to business performance and process improvement from the CISO. Adopting this transparent, quantifiable approach will help the business understand cyber risk clearly, predict new threats, and act effectively.

The result is business-aligned security leaders that ensure their strategies are in lockstep with financial priorities. This collaboration with the CFO not only develops effective strategies and communicable metrics, but actually works to support organisational goals.

Karoline Gore explores some of the latest developments in fintech and what they mean for the security of online payments.

The current health crisis has ushered in a new era of digitalisation, with a recent McKinsey report showing that COVID-19 has sped up the adoption of digital technologies by several years. The share of digital or digitally enabled products, the report found, has been accelerated by an impressive seven years in a matter of months. This means that, for most companies, online security has become of the essence so as to avoid losses and maintain a sound reputation in their respective industries. These are just a few technologies that are enabling companies to breathe easier in the knowledge that neither their nor their customers’ sensitive data will be exposed.

Real Time Payments

Deloitte identifies ‘real-time payment’ as a key technology enabling consumers to enjoy faster settlement periods, notifications, and consolidated reporting. This technology is key in an era in which ubiquitous connectivity and the boom in the use of smart devices mean that many consumers are using their phones to pay merchants and friends. There are many ‘faster payment’ programs, reports Deloitte, including the Interbanking Electronic Payment System (SPEI), which clears low-value transactions every 20 seconds throughout the working day, and ‘multiple batch’ clearing, which operates similarly to traditional systems but takes place several times a day. Because payers receive notifications quickly, they are able to identify any fraudulent payments promptly.

Dynamic Security Codes for Credit Cards

Identity theft is something both sellers and buyers can experience during online transactions. However, there are key differences between payment gateways and merchant accounts, along with the type of fraud experienced by each party in a sales transaction. Merchants can suffer cybersecurity issues when unwittingly contracting the services of fraudulent providers, while customers can experience identity theft if the payment gateway (the link between their bank and the merchant account) is weak. Dynamic security codes significantly boost the safety of payment gateways. They replace the static CVV2 printed on the back of a card with a tiny LCD that displays a dCVV which changes periodically. App-based dCVV2s, meanwhile, remove the need for cards with batteries and an LCD, which are more costly for consumers.


Cloud-Based Payment Systems

Research firm Technavio predicts that the global payment gateway market will grow by $23.45 billion between 2020 and 2024. This can be attributed to cloud computing technologies being adopted in SMEs and the growing demand for cloud-based solutions to collect online payments. The cloud enables merchant services providers to rely on platform-as-a-service models.

The latter enable them to design, host, and release applications speedily, without having to run their own server. As such, buyers can make payments through convenient mobile banking apps or by scanning QR codes. Cloud services allow for seamless integration between services like Apple Pay and electronic funds transfer at point of sale.

The boom in digitalisation and online sales models means that greater security is key. The latter is being delivered by fintech innovations such as real-time payments, dynamic security codes, and cloud-based payment systems. These technologies are working together to ensure security is quick, efficient, and informative in terms of real-time movements.

In a statement on Thursday, trading app Robinhood confirmed that a “limited number” of customer accounts had been targeted by cybercriminals, though the Robinhood service itself had not been compromised.

Though Robinhood did not specify exactly how many accounts had been affected, it had been previously reported by Bloomberg that almost 2,000 customer accounts had been infiltrated, citing a person with knowledge of Robinhood’s internal probe.

The attacks prompted a backlash on social media, with several users failing to contact the company, which does not list a customer service phone number. Bloomberg’s report noted that Robinhood was considering adding a phone number in addition to other tools.

Robinhood said that the accounts may have been compromised after cybercriminals breached personal email accounts outside of their service.

“The security of Robinhood customer accounts is a top priority and something we take very seriously,” the company said in a statement. “We always respond to customers reporting fraudulent or suspicious activity and work as quickly as possible to complete investigations.”

Robinhood is now working with affected customers to secure their accounts, advising that users enable two-factor authentication to better protect their data. “2FA adds a strong layer of protection for your account, even if your password is weak, reused, or becomes compromised,” the company said in a push notification sent to customers last week to mark National Cybersecurity Awareness Month.


Robinhood is a California-based company that offers financial services to 13 million customers through its mobile app and website, enabling them to invest in stocks, ETFs and cryptocurrencies.

Many start-up businesses are short on cash, and there is a temptation to try to save money by cutting costs which are deemed non-essential to the day-to-day operation of the business. In reality, legal protection and a sound financial strategy could be the difference between a short-lived project and a long-term success.

Here are 7 ways to ensure your start-up business is legally protected.

1. Structure your business

When you go to register your business with the state, you will need to choose a business structure and the choice you make will decide how much you pay in taxes as well as your personal liability. Your options are: Sole Proprietorship, Partnership, Limited Liability Company (LLC), Corporation, or S Corporation. While your choice will be dependent on many factors, many businesses become an LLC as this separates your personal assets (home, vehicle, savings) from your business assets. You will also need to apply for a tax ID number and ensure you have the appropriate permits and licenses.

2. Get insurance

Although you might think or hope that you will never need it, every business should take out commercial liability insurance. This protects your business financially if your company is sued by a third party such as a customer or vendor. General liability insurance does not cover things that happen to you, your employees, or commercial premises. Additional insurance policies you may want to consider include professional liability insurance (which covers costs incurred because of errors in your work), commercial auto insurance which covers damage to commercial vehicles and property, and workers’ compensation insurance.


3. Contracts for employees

Whether you will be taking on employees soon, or in the future, you need to ensure that you are compliant with the law, your responsibilities as an employer, and employee rights. This is a complex topic, so be sure to consult with a legal professional to ensure you have covered all areas including health and safety, code of conduct, discrimination, working hours, etc. If your employees will be working on premises, you also need to ensure that you are providing a safe work environment with all the necessary risk assessments, equipment, and precautions.

4. Working with outside suppliers

If you will be outsourcing aspects of your business to another company, you need to ensure that you cannot be held liable for their actions. For example, if they are not fair to their employees in terms of health and safety, pay, or ethical working practices, you may become tarnished by association.

It is also essential that you read the fine print of any contracts you sign with suppliers, question any points which you are not comfortable with, and do not be afraid to negotiate.

5. Protect your intellectual property

An original business idea may need to be protected by trademark or copyright to prevent another company from taking advantage of your creativity, but this can be complex, so it is best to get advice from an intellectual property lawyer.


6. Pay your taxes

While keeping track of income and expenditure might be simple in the beginning, as your business grows it will be easy to lose track and make mistakes. A professional bookkeeper will be able to advise you not only on what receipts you need to keep and what taxes you need to pay, but they can also complete your tax returns and ensure you take advantage of any tax benefits you can claim.

7. Cybersecurity

Whether you are running your business from one computer, several computers, or a combination of devices, all your technology needs to be protected against cyberattacks. You not only need to secure your sensitive data and financial information, but the law is increasingly strict regarding businesses which are not protecting customer and employee data adequately.

The COVID-19 pandemic has forced a major shift in working practices across the globe, putting the impetus on companies to rapidly relocate staff to home offices and switch to remote working solutions. Nathan Howe, Director of Transformation Strategy at Zscaler, examines the unusual consequences that this has had for financial services.

The movement of all employees to home offices may be the most visible impact of the virus on organisations, but behind the scenes, and at the highest levels of organisations, there’s been a distinct reallocation of responsibility. Although an overused phrase at this point, these are unprecedented times, and have called for unprecedented actions from businesses to ensure business continuity.

Although these changes have spanned the breadth of managerial and executive levels, there’s one aspect I’d like to focus on: the increased role of the finance function in cybersecurity.

Unprepared for remote working

Many businesses, when the pandemic hit, were unprepared for this scale of remote working. Companies that had already opted not only to host data and applications in multicloud environments, but also to adapt their security and remote access infrastructure to meet the needs of a modern mobile workforce, had the least difficulty coming to grips with the new situation. These were in the minority, however, and many sectors, including financial services, felt the pinch of their historic resistance to cloud adoption.

Companies operating in this more conventional way would, at best, probably have planned for no more than one-third of their staff to work from home on a temporary basis at any one time. In this unforeseen situation however, bottlenecks quickly developed as a result of a massive increase in data traffic. This flood of data pushed the traditional hardware or licence-based infrastructure for remote access to data and applications to its limits.


As these companies placed their security technology at the perimeter of their system, all of the data traffic from the remote workers’ home offices had to be diverted through the data centre before they could access applications, which created a less-than-ideal foundation for a positive home-working experience.

Although one would imagine that all these issues would land on the desk of the IT team or the CTO, the reality of the situation was that, as the scale of the issues affected business productivity and continuity across entire organisations, they became a blockade to essential cash flow for businesses, quickly becoming a matter for finance.

Functionality vs. security

What we saw across the earliest period of lockdown was a cost-effective approach to cybersecurity that was driven by the finance function. During the search to identify the factor holding companies back from high-performance remote working, blame fell on the firewalls or remote access VPNs used as perimeter-based security infrastructures, or on the devices used by employees. Sacrificing these solutions would increase productivity and shore up the bottom line but penalise the organisation’s security posture.

Essentially companies were faced with a difficult choice between ensuring normal levels of productivity or providing secure remote access—albeit with frequent drops in the connection and with hardware being switched off at the bottleneck. Due to the sheer number of different devices used in the workplace, it was not always possible for companies to insist on compliance with standardised security policies across all devices.


I’ve seen for myself businesses making those security sacrifices. Essential security processes, such as SSL decryption, have been bypassed entirely to make remote working easier. These are quick and dirty fixes to increase connectivity and productivity, without addressing the broader issues around improving network architecture to facilitate better remote working standards. They may work in the short term, particularly given the speed with which connectivity had to be ensured at the beginning of lockdown. But in the long term, these “fixes” increase the risk not only to an individual business, but to all businesses. Cybersecurity vendors use the threat data collected from customers to improve their own solutions over time, so this function-over-security dynamic has a far broader risk element.

Switching the narrative

As many of us begin to return gradually to the office, the security posture for organisations needs to be restored. The bypassing of security in favour of business continuity was, for many organisations, a difficult but essential decision during the most tumultuous periods of lockdown. What I’d hope the finance function has learned from its time with its hands on the security wheel is that they need to invest in converting their emergency workarounds into practical approaches for the future. Employees have come to value the greater flexibility of being able to choose where they work and as yet may be unwilling to bid farewell to the option of remote working.

Emulating those businesses that, at the outset of the pandemic, had the multicloud security and remote access infrastructure already in place would be a good place to start. The new world of work requires an approach that combines connectivity, security, and performance without making dangerous sacrifices.

Martin Landless, Vice President for Europe at LogRhythm, explains how financial services can keep pace with outside threats.

It is more than possible to remain at the forefront of the digitalisation of the industry and to keep secure, but to do so relies upon focusing on a confluence of people, process and technology. Through this holistic focus, a culture of cybersecurity can be created that protects the important institutions through which it is fostered.

Simply put, cybersecurity is now an integral element of financial services. After all, assets and interactions have moved online. However, in the face of a cyberattack, a company can be subject to a costly halting of operations, a colossal hit to consumer confidence and a General Data Protection Regulation (GDPR) fine from which it might never recover. This is especially true throughout the COVID-19 pandemic, where, according to the National Cyber Security Centre (NCSC), cyberattacks are reaching fever pitch.

A mature security organisation

By their very nature, given the sensitivity of the data they manage, financial services organisations must have a mature security operation in place to deal with the threat actors they attract. The maturity of a security operation can be measured by two important variables: mean time to detect (MTTD) threats and mean time to respond (MTTR) to them.

Reducing MTTD and MTTR is crucial and can be achieved through technological solutions which allow for the automation of workflows; this frees up the vital time of security teams to focus their attention where it is most needed. This is especially important in an industry facing a stark skills shortage, with the UK Government finding that 48% of businesses have a cybersecurity skills gap in 2020. Visibility is another salient variable, as cybersecurity teams must be able to immediately see shifts in behaviour in the network to recognise imminent threats as they arise.


However, although technological innovation in the security response is a foundation of an effective culture of cybersecurity, this alone will not guarantee safety from attack.

Communication with the board

It falls to the CISO and their security teams to make sure cybersecurity takes precedence in the minds of all who work at an organisation – after all, it takes only one employee falling victim to a phishing email to compromise a business. At the board level, CISOs must ensure that executives understand the challenges security teams encounter as an organisation navigates business dynamics.

As with all things, communication is vital in this pursuit. An aspect of this is in quantifying to the board the benefits and return on investment an effective security posture can entail. One method that a CISO can use to create a high trust environment is through partnering a member of the board with the security team.

This partner can articulate perspective to the team from a purely business standpoint, allowing the team to present intelligence to the full board that exhibits the business value of the security operations centre’s (SOC’s) methods and goals. This collaborative approach will strengthen both the security team’s understanding of business goals and the board’s understanding of security necessities.

Security through business growth

One common event that may be viewed in a different manner by the board and security teams is when an organisation encounters business growth. Although such growth may represent that a business is in robust health, it also facilitates multiple avenues through which a company can come under cyberattack.


For a start, cybercriminals keep a close watch on business news and will be aware of a company’s raised profile. When new staff arrive, through partnerships or increased employment, security teams must make sure each new employee is vetted and safely added to the system. In the case of acquisitions, security teams must also effectively monitor new structures that are added to the network, and third-party connections with which they are not yet familiar. Indeed, a Gartner study earlier this year identified third-party cybersecurity risk as a key concern for half of legal and compliance leaders.

Key to this issue is the question of security budgets, and it is here board-level support is important. Traditional security budgets are often determined in advance and follow two common pricing models used by security vendors. These are the user-based model and capacity-based model; in the face of growth, both are fixed, and may leave security teams making difficult decisions as to where they safeguard their organisations.

Executives should instead employ a subscription-based model that offers the guarantee of scalable security at a determined rate; this will greatly alleviate the stress felt by security teams in what often should be an exciting time for an entire organisation.

Changing security budgets to better facilitate the work of SOCs represents a culture of cybersecurity being put into practice. Technological solutions are provided based on an understanding between security teams and the board on what is needed, allowing for better performance in MTTR and MTTD.

The future lies in cybersecurity

As Covid-19 has forced unprecedented circumstances and a wave of cybercrime upon security teams, it is as incumbent as ever for a culture of cybersecurity to be fostered within financial services organisations. Simply refusing increased digitalisation as a means for security will see companies become obsolete in important areas such as customer experience, where their competitors will be innovating. Instead, a holistic approach encompassing people, process and technology will be vital to forging a secure path forward in the financial services industry.

Andrew Durant, the head of the Forensic & Litigation Consulting team at FTI Consulting, offers Finance Monthly an analysis of the impending challenge to finance teams and advice on how they can overcome it.

Fraud was already shaping up as a big issue for businesses in 2020 before the COVID crisis struck. For instance, the Resilience Barometer 2020 research from my company, FTI Consulting (involving 2,000 senior executives), found that fraud was perceived as the number one financial crime, with 24% reporting being exposed to it.

This would mean that an enormous £28 billion was lost to fraud in 2019 alone by FTSE 350 businesses (based on an average loss of 5% of annual turnover - see 2018 ACFE Global Fraud Survey, Report to the Nations). Even at 1% of turnover, this would still be sizeable for victim businesses.

On top of this ongoing problem from fraud, in times of most global crises a spike in fraud typically follows. Sadly 2020 is going to be the worst year many of us will experience!

Why do more fraud cases appear after crises? A variety of reasons, such as an increased opportunity available to fraudsters with senior management teams rightly focused on other things, such as trying to keep their businesses afloat and their staff in jobs for a start.


What they will not be thinking about is the enemy within. And, in my experience, that is where the greatest risk lies. It is human nature to believe that threats arise from unknown individuals outside an organisation. However, it is more likely to be a fellow employee who knows the financial controls (and the weaknesses in them) and that you trust implicitly.

Crafty fraudsters will see 2020 as a ripe opportunity to pounce. In the current “lockdown”, with increased home working and correspondingly fewer people at work overseeing finance, security and operations, fraudsters will have more opportunity, with less scrutiny, more freedom and fewer questions asked.

What can finance directors and their teams do to reduce the escalating risk of fraud? Here are three areas that seem simple but can actually make a huge difference to preventing and detecting frauds:

1. Encourage whistle-blowers to step forward

Most frauds are detected by tip-offs from employees, especially those who are involved in finance and procurement. Despite protections in place, whistle-blowers still fear that they will become the victim and either be exposed and/or lose their jobs. And, I don’t blame them. In many cases I have investigated, the immediate reaction of the company tended to be “who is the whistle-blower” or “they must have an axe to grind”, not “we need to investigate these allegations immediately and prevent further loss”.

2. Use of temps and contract staff should be monitored carefully

If a member of the finance department becomes unwell or needs to take time off to care for a relative, it may be tempting to backfill with temporary or contract staff. Companies should ensure that they do not drop their guard and carry out fewer checks than normal. Fraudsters have been known in the past to target finance teams that have a higher propensity to rely on contract or temp staff.


3. Be diligent in your transaction approval process

The lockdown now looks likely to continue in some form until at least September, so it is important that finance teams remain vigilant and check all transactions carefully, especially scrutinising carefully any:

Despite taking all the precautions listed above, organisations will still suffer fraud. Once discovered, taking the right steps quickly ensures a higher chance of recovering missing funds and a lower chance of losses continuing.

Do not make emotional or hasty decisions

Fraud involves a breach of trust and, therefore, as an employer you may feel betrayed by what has happened. As a result, you may be tempted to take immediate action which may ultimately compound the situation.

Therefore:

Keep an open mind

There may be a logical explanation for the discrepancy that may not be immediately obvious.

Discuss this with as few people as possible

You may be unwittingly tipping off someone involved in the fraud. If you do need to escalate or discuss your concerns, speak to the head of internal audit or legal department. Do not discuss it with a colleague, even if you trust them implicitly (see above regarding the enemy within).

Plan a course of action

The actions taken in the first hours and days after a suspicion comes to light can ultimately affect the successful outcome of any action. As the finance director, you will likely have a fraud response plan in place. However, I wonder how many of them are collecting dust, probably also years out of date? Also ensure that senior management in each team or location knows about the plan and has tested it (akin to a fire alarm, the plan needs to be tested to ensure everyone knows what to do and when).

Finally, I would advise finance directors and their teams not to ignore that “sixth sense”. If you start to feel uncomfortable about something, there is usually a reason.

The number of employees working from home has drastically increased over the past two months, and employers are starting to realise the benefits. In fact, 74% of CFOs intend to shift some employees to remote working permanently, according to Gartner. Allowing employees to work from home was previously used as a method to reduce overheads and as an employee incentive to reduce staff turnover.

Now, however, working from home has become the new normal, and as the workforce becomes increasingly geographically dispersed, cybersecurity needs to be higher up on the executive agenda. Organisations need to have the appropriate cybersecurity measures to empower employees to work remotely, whether it be from home, in an office, or on the move. CFOs have the ability to facilitate a conversation with CIOs and CSOs to avoid incurring any additional costs from unnecessary IT help desk load and data breach fines. Simon Biddiscombe, CEO of MobileIron, outlines the risks of remote working and potential safeguards.

Productivity

Not only does increased working from home present organisations with a significant cybersecurity risk, it also has the potential to limit productivity. The Office for Budget Responsibility has estimated that the financial services sector may see a 5% drop in productivity whilst enforced working-from-home policies are in place. CFOs need to carefully balance budgets to ensure productivity whilst maintaining the benefits of remote working.

Traditional cybersecurity principles are archaic and dangerous and threaten corporate resources. The on-premise perimeter has been decimated by a general shift to cloud applications and mobility, and the recent surge in remote working has only emphasised this shift. As more employees use personal devices and networks to access business applications, the line between business and personal data is becoming blurred.

Additionally, cybercriminals are already exploiting the relaxed security measures brought about by the sudden need for organisations to shift a large part of their workforce to teleworking, as shown by a Europol report. If a bad actor penetrates a device through a personal channel, what is to stop them from breaching a business application?

The Security Foundation

Organisations need to increase their governance over the devices being used to access corporate data. A unified endpoint management (UEM) platform allows IT teams to secure, manage and grant authorised users, devices and apps access to corporate resources and networks. UEM also provides visibility and insights into usage and patterns that IT can use to determine and enforce compliance. As financial services employees work from home, having this level of visibility over employees’ personal devices is just as important as having control over corporate devices if they are using business applications.

UEM separates the corporate digital workplace from personal activities on a device. This is done by containerising and protecting data and applications through application sandboxing. Device encryption can also be deployed so only authorised users can access crucial data. For instance, when banking staff return to work, a corporate scanning app can allow managers to scan a customer’s ID and passport with a smartphone camera.

Integrating threat detection management with a UEM platform allows for continuous enforcement and protection of data, both on the device and on the network. AI-based software constantly assesses the risk a device poses to a company’s ecosystem as a whole through its entire life cycle. Having this 24/7 capability allows IT teams to mitigate any threats should they arise, resulting in a more secure remote work experience and increased productivity.

Scalable Solutions

Security systems should be reviewed to ensure that all networks, devices, and applications are verified before access to crucial business data is granted. As we look for COVID-19 exit strategies, there is a clear need for any cybersecurity solutions to be scalable to accommodate the fluctuating numbers of remote workers in the future.

The accessibility of UEM means it is a highly scalable solution. The enrolment process is as simple as downloading an application and updating a device. Additionally, employees can use a self-service portal to track, add, or remove devices they have under management. If the user needs to retire a device, unenrolment can be initiated immediately. In the event that a device becomes compromised, IT teams can wipe business-related applications to remediate the threat. This ability to deprovision devices remotely and selectively delete data is critical for an end-to-end device life cycle management programme.

SaaS Flexibility

In order to be as agile as possible and still meet businesses' essential security requirements, UEM platforms are widely available on a software-as-a-service (SaaS) basis. A subscription-based SaaS model provides CFOs more flexibility in their payment structure, as they are only required to pay for what they use instead of paying a large upfront cost for a fixed number of software licences.

A subscription offering of UEM generally gives CFOs a better return on investment. Maintenance and support are usually included in the service provided, making the need to purchase a separate maintenance and support contract redundant. Software updates are included in a subscription, helping organisations stay current with the latest capabilities and ahead of potential threats.

As we look to the future, one thing is clear: business solutions need to remain agile. COVID-19 has shone a light on the need for agility when it comes to enterprise cybersecurity, and CFOs should embrace these solutions.

The COVID-19 pandemic has not just had a devastating impact on health and society, it has dominated economic and business matters unlike anything we’ve seen in peacetime history, and, across the globe, schools, companies, charities and self-employed professionals are still adjusting to a brand new remote working contingency plan.

Fortunately, as a society, we are extremely well-equipped to adapt to remote working with a turnaround time of just a few days. This was proven by the sheer quantity of businesses, many of whom care for thousands of employees, who just a few weeks ago managed to transform their entire internal structure to a digital environment. Not only is this an inspiring example of human collaboration at a time of crisis but also a true testament to the power of the technology at our disposal.

In fact, remote working has proven itself so effective for some organisations, that it has gone beyond a short term contingency plan; it’s starting to look like remote, or at least flexible working, will be incorporated in the long term for thousands of office-based workers. Clement Desportes De La Fosse, Co-founder and Chief Operating and Financial Officer at Spearvest, shares his thoughts on how the finance sector will be forever changed by the pandemic.

Although it may sound premature to think about a post-COVID-19 world, a majority of industry operations are sure to change forever, and none more so than the financial sector. For many years, traditional banks and financial institutions have been associated with outdated infrastructure and slow legacy IT systems, which are a burden for financial professionals and consumers alike. In fact, a recent study in 2019 revealed that UK banks were hit by ‘at least one’ online banking outage every day across a nine-month period.

Today, the demand for banking and financial services has never been higher: emergency loans, government payment schemes and personal finance management are required for people to survive. What’s more, visiting a branch in person is no longer an option, and therefore financial institutions are forced to invest in capable IT infrastructure and relevant automation, regulation, and finance technology to deal with the influx of demand.

Whilst it could be argued that this much-needed update was inevitable, the pandemic has certainly forced many banks’ hands in enforcing this change, and means our financial institutions will emerge from the crisis with a much more capable IT infrastructure. The following areas are where banks are, or should be, investing in the coming weeks, months and years, with insight into how exactly these cutting-edge technologies are impacting the financial services sector for the better.

Artificial Intelligence

Artificial Intelligence (AI) has been a growing trend in finance in the past decade, primarily being used to address key pressure points, reduce costs and mitigate risks. However, the demand for digital banking services as a result of COVID-19 will likely push the sector in the direction of developing and incorporating sophisticated automation and customer service AI.

We’re a few years off the mass adoption of robotics technology of this nature, but it’s safe to say the COVID-19 threat has highlighted the pressing need for more automation and better service technology.

Public Cloud

The shift toward cloud-based computing has already been significant, with most financial institutions operating cloud-based Software-as-a-Service (SaaS) applications for business processes, such as HR, accounting, admin solutions and even security analytics and know-your-customer verification.

However, advancements being made in cloud technologies and increasing demand for SaaS applications for remote workers mean that soon we could see core services in the financial sector, such as consumer payments, credit scoring and billing, become stored and managed in cloud-based SaaS solutions.

RegTech

Much like the increasing demand for AI and cloud-based SaaS applications, regulatory technology (RegTech) can do important work in ensuring financial work remains regulated and legal. The right RegTech, such as automated customer onboarding technology, can also save a firm a lot of time, freeing up much-needed time to focus on the work that cannot be completed by software or a robot.

Big Data

Customer intelligence facilitated by big data and consumer behaviour analysis is an incredibly important tool which can be used for extremely accurate decision making, risk assessments and revenue and profitability forecasts, to name just a few use-case examples.

Some modern financial institutions and start-ups have been using big data and analytics technology for a number of years, and those more ‘traditional’ institutions which may have neglected this cutting-edge technology are depriving their customers of top-tier financial advice and insight at a time when they need it most.

Security

Cyber attacks, money laundering and hackers have always threatened financial services to a large extent. However, with entire workforces online, operating in remote, sometimes insecure environments, the cyber threat facing consumers has never been larger.

Thus, cybersecurity has been, and should continue to be, invested in heavily by financial institutions looking to protect their own client, employee and company sensitive information. At the same time, safe internet and banking practice should be implemented and taught to all members of the general public to ensure they do not give away sensitive information such as payment details.

Fast forward five years from now, and we will look at the pandemic as a trigger that enabled us to spend our time more efficiently, with digital technology and the cloud being key in facilitating this positive change.

Security has long been the number one priority for organisations when building and maintaining an IT infrastructure, as they seek to ensure data privacy is protected in ever more challenging circumstances. In any given week or month, we now expect to see a headline reporting the latest cyber attack or data breach, and it’s evident that a number of companies are yet to find a way to responsibly manage the growing cyber threat landscape. The financial services sector is particularly prone to such attacks given the vast amounts of sensitive information it handles. A global report from Accenture and Ponemon revealed that the average annualised cost of cybercrime for finserv companies is, at $18.5 million, over 40 per cent higher than the average cost per firm across all industries. As such, it is imperative that firms within the industry are adopting the right technologies to protect themselves. Stephan Fabel, Director of Product at Canonical, explores the security benefits of financial services taking on new technology.

One of the most well-known security solutions used in banking and fintech today is encryption. The challenge, however, lies in bringing this level of security to the wider industry. Finserv customers expect robust security measures while still being able to benefit from ease of deployment, flexibility, and agility, a combination which can be a challenge for IT teams to achieve. Yet there are solutions to this issue. IBM has demonstrated one example, working alongside Canonical to provide fintech customers with the technology to optimise data protection and privacy across both containers and multi-cloud infrastructures.

The Arrival of Containerisation

The “secure service container”, developed specifically for container-based applications on IBM’s LinuxONE, offers developers a combination of hardware and software, thereby allowing them to derive the same quality of security that they would on Linux, and in any data centre - whether on-premise or in the cloud.

Finserv infrastructures of today and tomorrow are being built around Linux, precisely because it offers easy deployment alongside providing a highly functional and easily automated stack. Such capabilities have already drawn leading industry players such as Barclays to build whole data centre infrastructures around Linux. In addition to giving IT teams easy access to innovations and software frameworks, open source software also increases trust, which is essential for security compliance in the long term.

Equally, a further benefit of open source is the strength of its community of developers, which is very quick to identify and fix bugs or errors. This isn’t the case with closed-source software, where access to the back end is limited, making it difficult to assess the reasons behind any problems.

Above all else, containerisation enables finserv companies to unlock new levels of security, cost savings and developer efficiency. The majority of developers are not security experts, and are prioritising cost efficiencies when deploying new systems and applications. Containers allow them to move things to the cloud at the push of a button, and the workload will run as a virtual machine. Developers have not always had the opportunity to take advantage of the advanced hardware security offered by such technology, which restricts entry to cyber criminals, even if they have physical access to computers.

As a result, it’s not surprising that banks and fintechs are turning to this technology to provide more robust protection against increasingly common attack vectors, including malware, ransomware and memory scraping. A report last year from 451 Research highlighted this, with containers (29%) ranked alongside AI and machine learning (36%) as the financial industry’s top IT priorities.

Cryptography and Blockchain

We’ll also see additional threats come to fruition within the next decade or so, as quantum computers become sufficiently powerful to break all current cryptographic keys. It’s essential that the finance sector remains ahead of the game and is prepared for this development in advance. Certain technology vendors have already built algorithms designed to resist such attacks into their systems, moving from firmware into hardware. When quantum computers advance to the required level of power, businesses will need to decrypt all of their data and re-encrypt it using innovative and ultra-secure methods such as quantum cryptography.

Blockchain technology is also set to become one of the principal security algorithms within the banking and financial sectors. Ultimately, the goal is to enable organisations to operate, test and run analytics without data. The sector also benefits from the vast number of innovative new players coming to market and operating within the space - all of whom build their IT infrastructures on non-monolithic systems, thereby freeing themselves of the shackles of legacy systems.

Cloud computing is one of the most transformative digital technologies across all industries. Cloud services benefit businesses in so many ways, from the flexibility to scale server environments against demand in real-time, to disaster recovery, automatic updates, reduced cost, increased collaboration, global access, and even improved data security. Numerous financial institutions around the world are already reaping the benefits of cloud infrastructure to fit their technology needs today and help them scale up or down in the future as economies evolve. According to research by the Culture of Innovation Index, 92 per cent of corporate banks are already utilising cloud or planning to make further investments in the technology in the next year.

The Bank of England is the latest financial institution to announce it has opened bidding for a cloud partner to support its migration to the cloud. Craig Tavares, Head of Cloud at Aptum, explains the significance of the Bank's decision to Finance Monthly.

As the UK’s central bank seeks to move to a public cloud platform, IT decision makers are likely to encounter hurdles along the way. Figuring out the right partner will be half the battle for the Bank of England; it can be very difficult to identify and map out the broader migration and ongoing cloud infrastructure strategy.

The central bank’s cloud computing approach reflects an evolution in the way financial organisations are viewing data and the applications creating this data. The industry-wide shift to viewing data as an infrastructural asset could have precipitated the Bank of England’s own move to the cloud. As such, the organisation should consider these four areas to determine its cloud strategy and partner: performance, security, scalability and resiliency.

Performance

Traditionally, financial institutions are known for their risk aversion and have been hesitant to undertake digital transformation due to their reliance on legacy systems. Fraedom recently found that 46 per cent of bankers see this challenge as the biggest barrier to the growth of commercial banks. But due to issues surrounding compliance, moving completely away from legacy systems isn’t always an option. This is no different for the Bank of England which is looking to move to a public cloud platform in order to enhance the overall performance of customer payment systems in the new digital age.

Legacy IT systems can prove to be a challenge for financial organisations looking to move applications to the cloud. Outdated processes often lead to system failures, leaving customers unable to access services, resulting in increased customer loss. However, with public cloud it is crucial to find the right combination of cloud services by defining the proper metrics for application performance and storage of critical data.

Legacy IT systems will need to co-exist with new or refactored cloud-based applications. Because of this, the bank will need to consider different strategies using hybrid cloud and multi-cloud architectures to align performance and cost. And when it comes to time-to-revenue or time-to-value, the bank will be looking at traditional IT methodologies while leveraging cloud native approaches. The cloud native approach will lead to adopting DevOps as a new culture and Continuous Integration and Continuous Delivery or Deployment (CI/CD) as a process. These practices automate the processes between software development and operational teams, which will allow the bank to deliver new features to customers in a quicker, more efficient manner.

Depending on the hybrid IT architecture being used and whether the approach is traditional IT or cloud native, there will be different ways to ensure the best application and data lake or data warehouse performance. In order to do this, the bank will need to partner with a technology expert who will be able to offer guidance on the different levels of technology stacks required during the cloud migration.

Security

Central banks have traditionally kept close control of their IT systems and long expressed concern over the security of their customers’ information and financial transactions. As such, migrating to a public cloud platform and handing over to a cloud partner could heighten these worries. Global banks are expected to adhere to strict regulations to reduce the number of security issues within the financial sector and all new technology implementations must be compliant.

As complex regulatory requirements, such as the Markets in Financial Instruments Directive (MiFID) and Anti-Money Laundering rules (AML), continue to cause a barrier to cloud adoption in the financial sector, the Bank of England should consider a partner that is able to adapt to high regulatory demands. As such, a three-way partnership should form between the Bank of England, cloud consultants and cloud service providers. This particularly applies if the UK central bank were to take on a multi-cloud approach, leveraging Amazon, Azure or both. This way, the three can be aligned and acknowledge the journey the bank has taken so far as well as the future of the financial organisation from a regulatory standpoint.

Adopting a partnership approach decreases the risk of security breaches, which often cause client relationships to disintegrate. In the past, security was treated like a vendor-customer relationship rather than an important partnership from day one. Data is a major focal point in this discussion: how the bank is protecting customer data or how it is managing financial data. Cooperation between partners ensures the configuration of every cloud service being used has the right security measures integrated into it from the start, observing compliance requirements like GDPR, data sovereignty and data loss prevention.

Scalability and Resiliency

With a growing abundance of data, the Bank of England will need a cloud platform that will allow it to scale up or down accordingly. Fuelling the growth of the bank’s data are its applications, which also need special scaling and resiliency considerations, just like the data itself.

Keep in mind, cloud is not an all or nothing discussion. Not every application the Bank of England has needs to go to the hyperscale public cloud. For example, it may start with a progression to private cloud and then to a public cloud vendor agnostic framework based on the scaling and resiliency needs. The financial institution should understand which applications are best suited for the cloud at this time and which will be migrated at a future point. They should ensure that cloud is an enabler and not a detractor. It’s important to understand the cloud journey is an ever-changing process of evaluating business goals, operational efficiencies and adopting the right technologies to meet these outcomes at the right point in time based on ROI.

The UK central bank should consider moving to a container-based environment and cloud platform services (but as mentioned, in a hybrid cloud architecture), technologies that will enable an efficient process of building and releasing complex applications with the right scale in/out and uptime capabilities. The bank may incorporate Site Reliability Engineering (SRE). SRE is a discipline that leverages aspects of software engineering and applies them to infrastructure and operations challenges. The key goals of SRE are to create scalable and highly reliable software systems.

The Bank of England has come to recognise the significant impact cloud can have on the business and the benefits cloud technology will bring to its customers. Banks will become leaders in setting the bar for other organisations and industries when it comes to moving to the cloud. However, when it comes to choosing the right collaborator, the Bank of England should seek a cloud partner who is able to meet its business objectives and understands both traditional IT and cloud native approaches, along with hybrid multi-cloud and the data challenge, which includes performance, security, scalability and resiliency. Working with the right Managed Service Provider (MSP) partner can provide the necessary expertise and develop solutions that bridge the gap from where the bank is today to where it wants to go.

Grainne McKeever, Marketing and Communications Consultant at Imperva, shares an outline of the regulations with which financial services must comply in 2020.

The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting.

The financial crisis in 2008 meant even tighter rules for financial services with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulations for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.

The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialised, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.

Driven largely by digital transformation, the emergence of much more rigorous privacy and security regulations around the globe such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States, has created additional regulatory layers for organisations to comply with. While GDPR is not specific to financial services, it has had an enormous impact on this industry.

A common requirement of many regulations is to appoint a Chief Information Security Officer (CISO), Chief Technical Officer (CTO) or, in the case of GDPR, a Data Protection Officer (DPO). Each of these appointments comes with specific obligations these roles must manage to ensure their organisations stay compliant.

Data Protection

Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy by implementing a Data Protection by Design approach, implying organisations need to build privacy and protection into their products, services, and applications.

Data privacy is also one of the key requirements of the NYDFS regulation which mandates that firms should implement and maintain policies and procedures for the protection of their information systems and the non-public information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.

Data Discovery

To protect your assets, first you need to know where your databases are located and what information they contain. Only when you have full visibility of what regulatory content your databases hold can you conduct an assessment to prioritise and assign a risk profile to datasets.

Data Monitoring

A recurring requirement of data regulation is that organisations should have visibility of user access to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR which requires organisations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorised or malicious activities by internal and external parties.”

Incident Reporting

Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organisation, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts, risking a genuine threat slipping through the net.

Using advanced machine learning and peer group analysis to distil the number of alerts that bubble to the surface will make it easier to recognise a real breach in time to stop it from accessing internal networks.

With a plethora of privacy and security regulations grounding themselves in organisations across the world, there is no choice but to adhere to them to ensure the security of others, as well as making sure that accountability is at the forefront of all businesses in the financial sector. By financial services adhering to data protection, data discovery, data monitoring and incident reporting they will be able to continue to flourish whilst having security at heart.
