Attacks on IT systems can have devastating consequences across industries – among them, the banking and financial sector. In order to protect the best interests of their customers, and the vast tracts of personal data for which they are responsible, banks have already been paying attention to their data protection practices, writes Alan Calder of IT Governance

The heartbeat and Achilles’ heel of every organisation, information technology (IT) is crucial to the functioning of the business world. Given this situation, attacks on IT systems can have devastating consequences across industries – among them, the banking and financial sector. In order to protect the best interests of their customers, and the vast tracts of personal data for which they are responsible, banks have already been paying attention to their data protection practices.

The threat landscape is by its very nature ever-changing, however, and sees the continual emergence of new forms of highly sophisticated cyberattack. As a result, banks and financial institutions are wise to upgrade to a distinctly more comprehensive form of cyber security.

A continually evolving threat

Successful cyberattacks – attacks on a business’ IT infrastructure by a malicious third party – are known to have severe consequences, both operationally and on the business’ reputation. Indeed, the UK government classifies cyberattacks as a ‘Tier 1 threat’ in the National Security Strategy, alongside international terrorism, international military crises and major accidents or natural hazards. The distinction between well-funded, state-sponsored cyberattackers and their ‘private sector’ counterparts is becoming more blurred, meaning that commercial organisations and individuals can increasingly find themselves on the receiving end of extremely sophisticated attacks. Symptomatic of this trend is Google’s move in June 2012 to begin warning Google account holders if they are believed to have been targeted by a state-sponsored attack.

In the world of retail banking, where IT plays such a crucial role, a cyberattack can have serious consequences in terms of practical and reputational damage. The sheer volume of personal customer data held by banks intensifies the threat and consequences of a successful cyberattack. In terms of data compliance and IT security, staff are, and always will be, the weakest link, mainly through a lack of understanding of their responsibilities and a failure to grasp the severity of an IT security breach. These misunderstandings are far from trivial.

In addition, the threat landscape is constantly evolving. Today, for example, we are seeing the emergence of cyber fraud and cyber threat into the criminal mainstream. This fact, and the fact that modern attacks now combine technological and social elements, means traditional technology-only defences are now inadequate. Thus, forms of security that, two years ago, might have been capable of protecting retail banking institutions are now insufficient in the face of high-level cyberattacks.

A robust and comprehensive approach

In order to tackle specialised cyberattacks such as cyber fraud and cyber theft, banks and financial institutions would therefore do well to adopt a more robust approach to their cyber security. Ultimately, effective cyber security depends on establishing a defence strategy that is not only all-embracing but also interconnected.

One such strategy is that provided by the ISO27001 security management standard. The most significant international best practice standard currently available to any organisation seeking an intelligently organised and structured framework for tackling cyber risks, ISO27001 is, in essence, a management system. When effectively deployed, ISO27001 improves an organisation’s information security and resilience to ongoing and constantly evolving threats.

Above all, ISO27001 compliance supports organisations in building their defences against cyberattacks. Among other elements, this standard requires organisations to develop and test security incident response plans, or SIRPs; select and implement appropriate controls that reduce risk to an acceptable level, from securing cyber perimeters to training staff and securing inward- and outward-bound communication channels such as e-mails and instant messaging; and carry out risk assessments. Importantly, ISO27001 compliance also requires organisations to put in place a mechanism for auditing and management review of the effectiveness of selected controls – and of the management system that supports them.

Additional steps

In addition to establishing an organisation-wide security management standard, retail banks, as with other organisations, can go a long way towards significantly improving their data protection by introducing a number of basic measures. These measures include the implementation of regular staff awareness training about the threats and ramifications of a cyberattack, enterprise-wide policies on the use of encrypted USB sticks and laptops, and regular website and network penetration testing.

Regular website and network penetration testing, otherwise known as ‘pen testing’, for example, is vital to ensure hackers and cyber attackers are not given easy vulnerabilities to exploit. All internet-facing networks and resources are subject to automated, malicious probing.

When a vulnerability is detected, the exploitation of that vulnerability is also usually automatic. In a world where attacks on networks and applications are growing at an exponential rate, effective pen testing is the only way to establish true security. Quite rightly, the penalties incurred by organisations failing to defend themselves against such attacks are becoming ever steeper. Effective pen testing exposes and documents such weaknesses and recommends steps to reduce the risk.

Preparation is key

If knowledge is power, ignorance is danger – a danger that can impact banks on a number of fronts. If banks and financial institutions fail to refresh their data protection practices on a regular basis, educate their staff about the dangers of cyberattacks or enlighten their employees on the importance of data protection, they are at risk of being caught out by ever-more-sophisticated cyberattacks. Failure to prepare by adopting stringent security management standards is, ultimately, preparation to be vulnerable.