Banks have the highest level of security among critical U.S. industries, yet by some estimates, financial services companies are hundreds of times more likely to be the target of cyber attacks, and the situation is getting worse. No financial services company wants to generate these kinds of headlines regarding its cybersecurity. In addition, a new U.S. rule orders banks to promptly flag cybersecurity incidents.
This omnipresent threat has many of the world’s largest banks allocating massive budgets to combat the risks, and government regulators are scrambling to establish criteria for both measuring the potential risks and closing the vulnerability gaps to ensure that the worst-case scenarios do not come to pass.
New recommendations keep coming down from the New York State Department of Financial Services on cybersecurity best practices. The banking industry said it had successfully completed a massive cross-industry cybersecurity drill that aims to ensure Wall Street knows how to respond in the event of a ransomware attack that threatens to disrupt a range of financial services.
A lot is at stake when security is breached, and even systems not directly connected to the corporate network are vulnerable. Personnel can be put at risk, operational disruptions can occur and may result in financial loss, business reputation can be damaged and, of course, data can be lost.
Evolving threats include physical infrastructure and control systems
The threat list is broad, both internal and external, and the focus of attacks has evolved to include physical infrastructure and control systems such as building management systems (BMS), enterprise performance management systems (EPMS) and others. The well-publicized Stuxnet attack against Iran’s nuclear program was one of the first to target embedded controllers and signaled the beginning of a rush for attackers to identify vulnerabilities in similar devices. This is a particularly problematic development, since most cybersecurity experts are versed in typical IT systems and protocols but only a specialized few are proficient with distributed control networks and industrial communication protocols.
Steps to manage customer and regulatory pressures for cybersecurity in finance
In an environment of less working capital and fewer resources, how can you deal with these customer and regulatory pressures?
- First, we recommend working with vendors who take cybersecurity seriously in the development of their own products, using cybersecure development processes and validation. At Schneider Electric, we follow cybersecurity best practices in our product development along the development lifecycle: from cybersecurity training for our engineers to meeting security regulatory requirements, from securing design reviews to using secure coding practices and implementing secure release management and deployment, and ultimately to incident response should a security breach occur. Schneider treats cybersecure development and validation seriously. It’s in our, and more importantly our customers’, best interest.
- Next, look for vendor partners who have technology partnerships with the best cybersecurity experts in the market for secure firewalls, servers, workstations and cloud services. Schneider has a wide array of technology partnerships with world-class experts in these areas such as Cisco, IBM, Microsoft, Dell, GFI LanGuard, McAfee and Symantec. We make it our business to be on top of technology trends and work with best-in-class partners.
- Lastly, it’s important to think about your legacy control systems. Here we recommend working with a vendor that can provide consulting services regardless of the age, type or manufacturer and that can effectively address the full range of cybersecurity assessments, workshops, remediation, and response to cybersecurity incidents. Schneider Electric can do all of the above to support a comprehensive cybersecure control system program.
Eliminating cybersecurity vulnerabilities
As a global supplier of digital and distributed control systems for both industrial and commercial applications, Schneider Electric works under the guiding principle that we stand by our safe, reliable and secure core control systems and intelligent devices. We build our products and systems with explicit attention to eliminating cybersecurity vulnerabilities in order to strengthen prevention and detection and improve response times. In addition, we have developed a specialized competency in the protection and defense of control systems of any vendor origin and across diverse industries, from Energy and Industrials to Banking and Retail.
Our vision is to “live in a world where all Schneider offerings are secure, customers are satisfied with our security and we can leverage our security as a competitive advantage…”
By following the steps above, you will be taking a comprehensive approach to cybersecurity for your physical infrastructure in your bank buildings and branches. And most importantly, you can reduce risk and improve the reliability of your physical systems. While no system is completely bulletproof, you might just get a restful night’s sleep for once!
For more information on Schneider Electric’s approach to cybersecurity for data centers, visit our data center cybersecurity solutions page.