High Level of Cyber Security and Cashless Go Hand in Hand
With the future looking more cashless by the day, the future of cybersecurity looks even more risk-heavy. Below, Nick Hammond, Lead Advisor for Financial Services at World Wide Technology, discusses with Finance Monthly how banks and financial services firms can ensure a high level of cyber security as we move towards a cashless society.
Debit card payments have overtaken cash use for the first time in the UK. A total of 13.2 billion debit card payments were made in the last year and an estimated 3.4 million people hardly use cash at all, according to banking trade body UK Finance.[1] But with more people in the UK shunning cash in favour of new payments technology, including wearable devices and payment apps as well as debit and credit cards, the effects of IT outages could be more crippling than ever.
Take Visa’s recent crash, for example, which left people unable to buy things or complete transactions. Ultimately, payment providers were unable to receive or send money, causing serious disruption for users. And all because of one hardware issue. Finding new ways to mitigate the risk of system outages is a growing area of focus for financial services firms.
Application Assurance
At a typical bank, there will be around 3,500 software applications which help the bank to deliver all of its services. Of these, about 50-60 are absolutely mission critical. If any of these critical applications goes down, it could result in serious financial, commercial and often regulatory impact.
If the payments processing system goes down, for instance, even for as little as two hours in a whole year, there will be serious impact on the organisation and its customers. The more payments systems change to adapt to new payments technology, the more firms focus their efforts on ensuring that their applications are healthy and functioning properly. As Visa’s recent hardware problems show, much of this work to assure critical applications must lead firms back to the infrastructure that their software runs on.
Having a high level of assurance requires financial services firms to ensure that applications, such as credit card payment systems, are in good health and platformed on modern, standardised infrastructure. Things become tricky when shiny new applications are still tied into creaking legacy systems. For example, if a firm has an application which is running on Windows 2000, or is taking data from an old database elsewhere within the system, it can be difficult for banks to map how they interweave. Consequently, it then becomes difficult to confidently and accurately map all of the system interdependencies which must be understood before attempting to move or upgrade applications.
Protecting the Crown Jewels
Changes to the way financial services firms use technology means that information cannot simply be kept on a closed system and protected from external threats by a firewall. Following the enforcement of Open Banking in January 2018, financial services firms are now required to facilitate third party access to their customers’ accounts via an open Application Programming Interface (API). The software intermediary provides a standardised platform and acts as a gateway to the data, making it essential that banks, financial institutions, and fintechs have the appropriate technology in place.
In addition, data gets stored on employee and customer devices due to the rise of online banking and bring-your-own-device schemes. The proliferation of online and mobile banking, cloud computing, third-party data storage and apps is a double-edged sword: while enabling innovative advances, they have also blurred the perimeter around which firms used to be able to build a firewall. It is no longer possible to draw a perimeter around the whole system, so firms are now taking the approach of protecting each application individually, ensuring that each is only allowed to share data with the other applications that need it.
Financial services firms are increasingly moving away from a product-centric approach to cyber-security. In order to protect their crown jewels, they are focusing on compartmentalising and individually securing their critical applications, such as credit card payment systems, in order to prevent a domino effect if one area comes under attack. But due to archaic legacy infrastructure, it can be difficult for financial institutions to gauge how applications are built into the network and communicating with each other in real-time.
To make matters more difficult, documentation about how pieces of the architecture have been built over the years often no longer exists within the organisation. What began as relatively simple structures twenty years ago has been patched and re-patched in various ways and stitched together. The teams who set up the original systems have often moved on from the firm, and their knowledge of the original architecture has gone with them.
The Next Steps
So how can this problem be overcome? Understanding how applications are built into the system and how they speak to one another is a crucial first step when it comes to writing security policies for individual applications. Companies are trying to gain a clear insight into infrastructure, and to create a real-time picture of the entire network.
As our society moves further away from cash payments and more towards payments technology, banks need the confidence to know that their payments systems are running, available and secure at all times. In order to ensure this, companies can install applications on a simulated production network before installing them on the live system. This involves creating a test environment that emulates the “real” network as closely as possible. Financial players can create a software testing environment that is cost-effective and scalable by using virtualisation software to install multiple instances of the same or different operating systems on the same physical machine.
As their network grows, additional physical machines can be added to grow the test environment. This will continue to simulate the production network and help avoid costly mistakes when deploying new operating systems and applications, or making big configuration changes to the software or network infrastructure.
Due to the growth in payments data, application owners and compliance officers need to be open to talking about infrastructure, and get a clear sense of whether their critical applications are healthy, so that they can assure them and wrap security policies around them. An in-depth understanding of the existing systems will enable financial services firms to then upgrade current processes, complete documentation and implement standards to mitigate risk.
[1] http://uk.businessinsider.com/card-payments-overtake-cash-in-uk-first-time-2018-6