The cyber incident of the Coop Bank heist of over Rs. 94 Cr compromised to cyber-criminals is a “wake-up” call not only for the entire Banking Sector but every technology services company and OEMs, resulting organizations are taking necessary action to protect their Information Technology Infrastructure, with an intention to reduce the Information Security risk and at the same time working on how to mitigate reputation risk at their respective organization.
Unfortunately, have Banks really improved after the recent cyber incident or they are still in the vicious cycle of reactive approach where they react initially in the first few days with some sudden measures in their own IT infrastructure while the cyber incident is active in the news and then a new notification would be issued by the regulator, that may just be treated as “yet another compliance requirement” and Bank will prefer to postpone their improvement action until the next cyber incident, hence entering the vicious reactive approach in dealing with cyber incidents.
Ignorance and/or lack of awareness of handling and learning from such incidents are the prudent reasons, one can conclude after the cyber incident irrespective of its nature, type and method of execution by the un-authorised individuals / entities. Bank may suddenly implement costly technical solutions without really understanding the root-cause of the cyber incident that took place in the impacted Bank.
Let’s think on the aspects below while studying / dealing with the cyber security incident recently occurred with a Coop Bank. Are we in a position to answer the following questions as a reality check
- How many of us are investing on on-boarding of the Information Security Experts / CISO’s / Opt their services for continual guidance and improvement in the Information Technology Infrastructure.
- Are we really treating annual information systems audit, as an opportunity to improve our internal systems.
- Do we have practice documented and approved to deal in case the incident happened with us?
- Are we only focussing on the investments behind introducing the products and services and not on protecting those products and services from attacks?
- Are our Core Applications / Service Applications, Infrastructure hosted / in-house complied with Information Security Standard Practices?
- How many Banks especially Coop Banks invest on Cyber Security Awareness among their own employees
- How many of us have appropriate contacts with cyber experts in law enforcement to seek their help?
- There are positive signs visible those are initiated by the regulators by implementing the Common Infrastructure for Sandboxing for UAT of the technology services, are we following the same / requesting to the entities for subscription of the same?
- Are you completely dependent on the systems audit done annually which is more from compliance perspective?
- How many organizations promote / encourage their employee working under information technology department to go and complete the information security certifications / attend various awareness events in practice across India. The answer is unfortunately negligible.
(Read More: Top security frameworks for Banks around the Globe )
Beyond the Litmus Test:
The organizations are still in the old thought process that nothing can happen to them and they are not visible to hackers. Intruders are always taking an advantage of this ignorance. Following are the important areas of improvement one can learn and improve from cyber-incidents of this nature as below:
- Fix your security basics – Regulators have already provided detailed guidelines on desired and expected security practices. It is important that they are understood and properly applied depending on the IT infrastructure and the Banking products and services. There are many other standards, guidelines and whitepapers one can refer to gather more insights.
- Gap Assessment to deal with cyber incident – It is a good question for Banks to ask themselves on - what is their current capability in terms of knowledge, resources and skills to handle such cyber incidents and whether they have the capability to handle such incidents, if and when they occur of any nature.
- Re-investigate the IT architecture – IT Infrastructure may have grown rapidly over the years due to increasing demand to roll-out the business services with tight deadlines and there was inadequate focus to this area regarding design for protection of various financial systems (CBS, Payment systems, Third party applications, in-house applications, networks, connectivity, Apps, cloud, process design, system design, fault tolerance, preventive, detective and corrective controls etc) in the Bank’s IT environment.
- Technical Review after any major IT infrastructure change – It is good to ask ourselves, if we conduct independent technical review after every major IT infrastructure change and not only those system audits that are annual mandates from regulators. Combing every activity into a single annual systems audit can be a risk as it can be too late to detect the issues pro-actively. Also systems audit brings the compliance flavour and sometimes the real issue may get over-shadowed due to fear of compliance. Conduct independent assessment of high risk areas irrespective of systems audit for timely identification of issues.
- Security audit during UAT of critical application: There are positive measures initiated by the regulators by implementing the Common Infrastructure for Sandboxing for UAT of the technology services. We need to take proper security measures when conducting UAT, as part of the network and systems are accessible by the concerned supplier, during this time period.
- Security of critical suppliers systems and processes: Banking product and services provided by the supplier should provide a level of confidence that it will not mis-behave in the Bank’s production environment. Unless suppliers themselves consider proper security measures like ISO27000 series, CMMI, OWASP etc, the end product can have potential security issues.
- Cyber Security awareness of IT and Management: Technological advancements are happening at a rapid pace and also hackers are fast to take advantage of security loopholes. It is important that decision makers in Bank spend time to understand the subject along with the IT Team and motivate the IT Team towards improved security.
- Empower IT Team to fearlessly discuss IT issues with Top Management: As IT has become an integral part of enabling the rapid deployment of products and services, Top Management need to understand that these advancements come with technical risks that happen at a fast pace. Top Management has to empower IT to fearlessly discuss IT issues otherwise there would not be timely remediation to the issues and can escalate into a disaster. Top Management should empower IT and Information Security to establish a process to report such incidents as soon as it is detected.
- Involvement/recruitment of CISO/Security experts during critical IT projects:
Security should not be treated as an after thought or only after the cyber incident. It is high time Banks should have CISO as part of their organization who provide security expertise during critical IT projects. For smaller organizations, recruitment of security consultants with good security and cyber implementation skills can be considered as an alternative option. Treat security as part of the business costs. There are experienced cyber security consultants and auditors available whom one can deliberate with and work out suitable solutions to the challenges.
- Take the audit observations as an improvement and not merely as compliance: Bank has to make a slight change in mind-set treating systems audit as only satisfying regulation compliance. Rather Bank should treat this as an opportunity to improve their systems and processes. Such systems audit should be conducted by experienced auditors with strong Technical skills and adequate knowledge of the Banking products and services.Cyber incidents are a wake-up call to all to take the subject of information security seriously if we are to conduct business in this digital world. Rather than just taking some stop-gap reactive measures, Bank and any organization, should envisage a systematic way of understanding this subject and take proper measures. Cyber incidents should be treated as an opportunity to learn and improve your internal systems and processes.
Cyber incidents are a wake-up call to all to take the subject of information security seriously if we are to conduct business in this digital world. Rather than just taking some stop-gap reactive measures, Bank and any organization, should envisage a systematic way of understanding this subject and take proper measures. Cyber incidents should be treated as an opportunity to learn and improve your internal systems and processes.
- Reserve Bank of India (RBI) - “Cyber Security Framework in Banks”
- Reserve Bank of India (RBI) Report of the Working Group on FinTech and Digital Banking
(Read More: Cyber Incident Response - The 5 Important Steps )
Sanjiv Agarwala “Quick Fixes for Improving Cyberdefenses” - here
The post is conceptualized by :
MILIND RAJHANS, M.SC.Computer Science, ITIL, Lean Six Sigma Green Belt, DBM-IT, CISO
A Banking-technocrat with 22+ years of experience in administering, defining, developing and execution of IT Road Map & Information Security for Banking Institutions and presently working with M/s Infrasoft Technologies Ltd. positioned at Pune.
SANJIV AGARWALA, CISA, CISM, CISSP, MBCI, ISO27001LA
A techno-business risk and resiliency professional, with 20+ years into Cyber security and other risk management related audit and advisory services, across many domains and presently working with M/s Oxygen Consulting Services Pvt Ltd.,Pune.
Want to share your learning with the community ? Click here to write a blog (Membership is free and mandatory for writing blogs)