Breaking News: “Bank accounts hacked! Identities stolen. Critical assets damaged.”
3 Cyber security tips for staying out of the headlines
By some estimates, banks and other financial services companies are 300 times more likely to be the target of cyber attacks, and the situation is getting worse. No financial services company wants to generate these kinds of headlines about its cyber security, as evidenced by a recent survey of Chief Risk Officers in the financial services sector, who ranked “Cyber Risk” as the top operational risk faced by the industry in 2016. This omnipresent threat has many of the world’s largest banks allocating massive budgets to combat the risks, and government regulators are scrambling to establish criteria for both measuring the potential risks and closing the vulnerability gaps to ensure that the worst-case scenarios do not come to pass.
Recently, new recommendations have come down from the New York State Department of Financial Services on cyber security best practices, and the Bank of England is conducting its own security tests in operation “Resilient Shield”. Even the S&P has gotten in on the debate with hints about downgrading banks with weak cyber security practices.
A lot is at stake when security is breached and even systems not directly connected to the corporate network are vulnerable. Personnel can be put at risk, operational disruptions can occur and may result in financial loss, business reputation can be damaged and, of course, data can be lost.
Threats have evolved to include physical infrastructure and control systems
The threat list is broad, both internal and external, and the focus of attacks has evolved to include physical infrastructure and control systems such as building management or BMS, enterprise performance management systems or EPMS and others. The well-publicized Stuxnet attack against Iran’s nuclear program was one of the first to target embedded controllers and signaled the beginning of a rush for attackers to identify vulnerabilities in similar devices. This is a particularly problematic development since most cyber security experts are versed in typical IT systems and protocols; only a specialized few are proficient with distributed control networks and industrial communication protocols.
Steps to manage customer and regulatory pressures for cyber security in finance
In an environment of less working capital and fewer resources, how can you deal with these customer and regulatory pressures?
- First, we recommend working with vendors who take cyber security seriously in the development of their own products, using cyber secure development processes and validation. At Schneider Electric, we follow cyber security best practices throughout the product development lifecycle: from cyber security training for our engineers to meeting security regulatory requirements, from securing design reviews to using secure coding practices and implementing secure release management and deployment, and ultimately to incident response should a security breach occur. Schneider treats cyber secure development and validation seriously. It’s in our, and more importantly our customers’, best interest.
- Next, look for vendor partners who have technology partnerships with the best cyber security experts in the market for secure firewalls, servers, workstations and cloud services. Schneider has a wide array of technology partnerships with world-class experts in these areas, such as Cisco, IBM, Microsoft, Dell, GFI LanGuard, McAfee and Symantec. We make it our business to be on top of technology trends and work with best-in-class partners.
- Lastly, it’s important to think about your legacy control systems. Here we recommend working with a vendor that can provide consulting services regardless of the age, type or manufacturer and that can effectively address the full range of cyber security assessments, workshops, remediation, and response to cyber security incidents. Schneider can do all of the above to support a comprehensive cyber secure control system program.
As a global supplier of digital and distributed control systems for both industrial and commercial applications, Schneider Electric works under the guiding principle that we stand by our safe, reliable and secure core control systems and intelligent devices. We build our products and systems with explicit attention to eliminating cyber security vulnerabilities, in order to increase prevention and detection and improve response times. In addition, we have developed a specialized competency in the protection and defense of control systems of any vendor origin and across diverse industries, from Energy and Industrials to Banking and Retail.
It’s our vision to “live in a world where all Schneider offerings are secure, customers are satisfied with our security and we can leverage our security as a competitive advantage…”
By following the steps above, you will be taking a comprehensive approach to cyber security for your physical infrastructure in your bank buildings and branches, and most importantly, you can reduce risk and improve the reliability of your physical systems. While no system is completely bulletproof, you might just get a restful night’s sleep for once!
For more information on Schneider Electric’s approach to Cyber Security, find our presentation in our download center, read about operational risk management, or visit our finance industry challenges page.