Managing cyber threats in a connected world
Industry experts highlight education as the key to a successful defence
Today’s businesses are truly interconnected, with multiple systems communicating with each other. However, these critical connections give cyber criminals many potential points of access to networks.
Adopting isolation techniques and turning off outside connections may help protect against cyber attacks, but without these connections a business simply won’t survive.
All infrastructures face this challenge and are looking to reinforce cybersecurity. At a cyber session at the recent SWIFT Business Forum in London, 53% of the audience agreed there is a need to reassess internal controls, processes and current thinking on the subject.
Earlier in the day, the opening plenary panel had pointed to the importance of cyber controls and payment controls coming together.
Panellists discussed a ‘supply chain of criminality’, where some are creating increasingly sophisticated malware to sell to others. They saw the necessary response as a hybrid of controls that looks at the end-to-end picture and informs risk-based decisions.
An encouraging sign, they said, is that cyber teams now have an increased understanding of the payments space as a result of increased collaboration. But there is more to be done. Collaboration and information sharing are just the start of the journey, not the end.
The importance of security hygiene
Last year’s Sibos Big Issue Debate on cybersecurity highlighted that about 85% of cyber breaches can be prevented through basic hygiene practices such as data encryption, modern security software, staff training and multi-factor authentication for access to sensitive data and servers.
If an organisation is breached, having robust response and recovery plans that are in place and have been exercised can help minimise the impacts. Cybersecurity is a board-level and senior management issue, and organisations need to have a culture of best practices when it comes to addressing cyber issues.
Speakers at the Business Forum advocated three levels of intelligence – network defenders (who know what to watch out for), an operations level, and a strategic level. Boards need to ensure that cyber resilience plans are part of an organisation’s DNA.
Protection, but at what cost?
Implementing and maintaining a comprehensive cyber defence strategy goes far beyond purchasing a few firewalls. Businesses need to accept this, and there is a growing appetite to absorb these costs. Getting better at quantifying risks and introducing new business models can help to offset these outlays.
For smaller organisations, it may be unrealistic to adequately protect everything given cost constraints – so panellists advocated a strategy of identifying and defending core operation processes. Don’t become spread too thin. As Frederick the Great said, ‘he who defends everything defends nothing.’
Organisations should also collaborate with, and learn from, other stakeholders. There needs to be a strong alliance between banks, their technology partners and governments with an agreement on what information to exchange under what circumstances.
These issues will be further explored in the Technology stream at Sibos 2017.