On average, banks spend three times as much on security as non-financial enterprises of similar size. Understandable, and what we’d hope for. But is banks’ security spend well spent? Are the protections, defenses and training they put into place sufficient, and do they target the correct and most critical systems?
For the past couple of years, security experts have been responding with a warning-bell “no” to these questions. The reason for the heightened concern is rising cybercrime and the sophistication of hackers on the one hand, and on the other, the insufficient preparedness of banks and other financial institutions to deal with the shift in reality: being hacked is just a matter of time.
Generally speaking, banks and other financial institutions have been doing a good job of securing the “outer circle” of internet- or customer-facing systems (web applications, desktops, email, etc.), but leaving the core data systems of the banking industry (on-premises storage arrays, cloud storage, file servers), where the critical data lives, more exposed. Experts point out that with optimal architecture supported by a proven resilience solution, banks can successfully recover from events such as natural disasters, blackouts and human error, but “have a long way to go in being able to survive and quickly recover from a cyberattack.” They fear that in the not too distant future, even ransomware may become passé and malicious actors may attempt, and succeed in, deleting an institution’s data and corrupting or erasing its copies, or even destroying the data itself. Without critical data it would be extremely difficult for a bank to restore, reconstruct and recover its business and transactions.
If breaches of such catastrophic severity are being discussed as realistic possibilities, we can only assume that a cybercriminal has already breached or will breach the outer circle, and may have access to the core data systems. An attack on core systems can lead to multi-system failure and ultimately, disastrous results.
An IT environment architected for resilience and recoverability from a cyber-attack is key to information security.
One immediate implication of this level of threat is that security must look beyond its own field of protection and defense, to cyber resilience. This means data security, data protection and data recoverability, starting with the core data systems where a breach would mean an existential risk.
Vital to the life of national economies, the core data systems of banks and other financial institutions are attractive targets to cybercriminals who engage in ongoing attempts to thwart cybersecurity safeguards. To prevail over the nefarious aims of malicious actors, a more holistic approach to protecting financial assets is what’s needed, one that addresses the worst-case “what-if” scenario of a breach.
This would have to be a comprehensive approach that combines standard business continuity practices with cyber-attack scenarios. For example, in addition to identifying critical data assets and meeting RTO/RPO goals, organizations must take additional measures to ensure that recovery data copies are isolated in such a way that attackers would not be able to destroy both the data and its backup. Moreover, retention policies and immutable snapshots must be in place to guarantee the ability to return to a safe past point in time in case data has been compromised. Lastly, a process for ongoing assessment and validation of cyber-recoverability after every single change throughout the IT infrastructure must be established.
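The three measures above can be expressed as checks that are rerun whenever the infrastructure changes. The sketch below is an added example, not part of the original article or of any product: the inventory, the field names and the `lookback_days` parameter (how far back a clean recovery point may have to lie) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Copy:
    name: str
    admin_domain: str        # credential domain able to delete this copy
    immutable: bool          # locked so that even its admins cannot delete early
    retention_days: int
    newest_age_hours: float  # age of the most recent recovery point

@dataclass
class Asset:
    name: str
    admin_domain: str        # credential domain of the production data
    rpo_hours: float
    lookback_days: int       # assumed: how far back a clean point may lie
    copies: list = field(default_factory=list)

def assess(asset):
    """Return recoverability findings for one asset; an empty list means pass."""
    findings = []
    # Isolation: a copy counts only if production credentials cannot destroy it.
    isolated = [c for c in asset.copies if c.admin_domain != asset.admin_domain]
    if not isolated:
        findings.append("no isolated copy")
    # Safe past point: an isolated, immutable copy retained for the full lookback.
    if not any(c.immutable and c.retention_days >= asset.lookback_days for c in isolated):
        findings.append("no immutable isolated copy covering lookback")
    # RPO: the freshest recovery point must be within the objective.
    newest = min((c.newest_age_hours for c in asset.copies), default=float("inf"))
    if newest > asset.rpo_hours:
        findings.append("RPO missed")
    return findings

# Constructed sample inventory (all names and values are illustrative).
INVENTORY = [
    Asset("core-ledger", "corp-ad", 4, 30, [
        Copy("array-snap", "corp-ad", False, 7, 1),
        Copy("vault", "vault-iam", True, 90, 4)]),
    Asset("file-servers", "corp-ad", 24, 30, [
        Copy("nas-replica", "corp-ad", False, 14, 0.5),
        Copy("backup-server", "corp-ad", True, 30, 30)]),
    Asset("cloud-bucket", "cloud-prod", 24, 30, [
        Copy("cross-account", "cloud-backup", True, 14, 30)]),
]

def assess_all(inventory=INVENTORY):
    return {a.name: assess(a) for a in inventory}

if __name__ == "__main__":
    for name, findings in assess_all().items():
        print(name, "OK" if not findings else findings)
```

In the sample, `file-servers` fails even though it has an immutable backup, because that backup is administered from the same credential domain as production.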