A fresh outlook on the state of cybersecurity, a reality check…
There is talk of the end of the information age, primarily in developed countries where virtual reality solutions are becoming commonplace. Closer to home, we are still grappling with the challenges of the information age, one of which is cybersecurity.
It is common knowledge that the state of information security within many companies is wanting, even as they face a widening technology gap. They tend to lack adequate security awareness, especially at board level, and to be constrained by budget and skills. Amongst the various industries, financial services and banking are the most affected, perhaps because of the risks they carry and the regulation that comes with them. The interest rate capping enforced by the Central Bank of Kenya, changing customer needs and the FinTech revolution have been major factors in disrupting business as usual and narrowing the earnings of companies that are slow to transform. The result is a trickle-down strain on operations and projects. On the operations front, there has been a need to maintain the status quo on compliance and risk management while delivering value-adding projects at a lower cost.
To improve operational agility, many financial services institutions are going through a phase of outsourcing some of their functions or creating subsidiaries or business units that can keep up with developments in technology, carving out a niche through FinTech and an expedited go-to-market strategy. Financial institutions face significant cyber risk, especially if security due diligence, a robust secure system development life cycle and the requisite quality assurance controls are not in place.
Examining the world of cybersecurity, a lot happens below the radar of the ordinary internet that most people know and use on a daily basis. The so-called dark web is thriving as much as the ordinary internet, or even more so, with regard to information sharing and commerce. What is being sold, you might ask? Well, the name of the era says what is at stake: information, disclosure upon disclosure, readily available to the highest bidder. This quickly works against companies that treat information security as an afterthought.
The growth of the dark web is associated with the uptake and growth of Bitcoin, with one bitcoin currently valued at almost US$ 1,000. According to the US Federal Bureau of Investigation, the Silk Road (an e-commerce site on the dark web) made a total of US$ 1.2 billion between 2011 and 2013. Other sources indicate that six dark markets reached a daily sales volume of US$ 650,000 in 2014.
These statistics are alarming, and there is a tendency to feel overwhelmed by the magnitude of risks within the existing IT ecosystem. What most companies have not yet fully embraced is the need to conduct enterprise security assessments. In my view, this is unfortunate, because an assessment conducted by competent consultants sets the stage for strategic thinking based on real threats to the organisation. I have seen organisations leapfrog from a state of ad hoc response to information security and minimal awareness to a focused view of cyber risks. That focused view puts them in a better position to address the realities of the dark web.
On the flip side, vendor risk in product roll-outs is increasingly apparent, and several companies have started incorporating independent security assessments before product go-live. This has not only reduced the turnaround time for resolving security issues in systems and applications but also provided a better return on investment. Fixing insecure-by-design issues comes at a premium price, a significant percentage of the amount already invested, and a cost that can be avoided through independent security assessments.
There are sceptics who argue that a determined hacker will always get through the strongest of defences and hence that investment in cybersecurity is an exercise in futility. From experience, I maintain that strategic investments have been proven to block known attacks and detect the ones that get through. These cyber defence efforts require a shift in focus from compliance to security: all stakeholders must make a conscious decision to embrace a culture and environment where people understand how to behave securely and do the right thing.
Security investments are expensive and require a sound understanding of the technologies involved and, often, specialised skill sets to tune the rule sets that prevent, detect and alert on breaches. Ethical hacking, that is, penetration testing an organisation from outside (from the internet) or from inside its perimeter network, can reveal weaknesses. More often than not, an organisation has no idea that unauthorised persons are using its systems or exfiltrating information, primarily through identity theft. From experience, the root causes of these security lapses have remediations, and the first step towards addressing them is knowing they exist.
Technology solutions for financial services institutions can provide benefits such as an improved customer experience, better data for decision-making, and security. Considering the many pressures on financial institutions' resources, it is important to make the most of the resources available now, for example by scaling them to match the organisation's growth trajectory and future security requirements. Most importantly, organisations can make use of skilled, ethical and passionate cybersecurity personnel to keep ahead of cybercriminals. That level of skill and experience will give financial institutions the upper hand in creating value both inside and outside the organisation.