As you read this article, most likely on a mobile device, you could unwittingly be opening the way for cyber invaders. Maybe it was an email sitting in your inbox that you clicked on, maybe a link to a new business article or journal. And suddenly the walls of your enterprise—the walls that you have spent billions of dollars to secure with software and services—have been breached in the blink of an eye.
It is unusual these days for a week or even a day to go by without publicity of a security breach at a large bank or retailer, and it feels like this game has changed both in terms of the significance and the nature of that risk. The greater significance attached to data security can be seen in two ways. First of all, the publicity surrounding recent data breaches at large banks, retailers and credit companies has been richly deserved. There have been massive breaches, and they have upended the assumptions made by customers when they transact in the most basic, everyday ways.
Second, in yesterday's world the security of a bank's IT network was generally the domain of IT security chiefs; today, however, it is the CEO who owns it and is publicly responding to it. The issue of today is not just compliance with the regulatory control framework but the loss of real assets, customers, data and revenue.
The elevation of data security’s importance has been brought about by the revolution in the ways we transact, conduct and manage business. Customers access their accounts online as a matter of course, often on-the-go via a bewildering array of devices. The same is true of employees. We already take this for granted but it is a massive change and it has taken place in the blink of an eye.
Large US enterprises, on the other hand, have typically designed their IT security strategies around the paradigm of employees accessing a single IT network from enterprise-compliant computer devices. While the network was frequently breached by viruses, worms and the like, such breaches incurred limited damage and created minimal reputational damage. This was because online customer transactions and account data were far less ubiquitous and so harder for an intruder to locate and steal from. Companies nevertheless started to make bigger investments to shore up their networks. Robust firewalls were put up to stop intruders from entering the network, and antivirus software was installed. These investments focused on a view of the enterprise as a single network with a centralized command and control center.
Today those seeking to infiltrate a company's information assets, customer accounts, sales information and so on have many potential points of entry via unsuspecting customers and employees, and these entry points can easily bypass a central firewall. Focusing on the firewall is rather like focusing on a missile defensive shield when terrorists are leveraging civil airliners. The Goliaths of today need to get a slingshot.
The key to turning the tables in this battle revolves around two key components: data and education. First, companies need to go through a process of identifying which of their own data and their customers' data is critical to protect. Once that critical data is identified, analytics should be built around how, when and by whom the data is accessed. For instance, when does a customer typically access his or her account, from what device, what type of transactions are executed, for how much, and so on.
For an employee, the analysis is similar: which employees touch this customer's account information, and to perform which function? Understanding these normative patterns helps identify unusual activity that could indicate a breach has occurred. Investment in tools, people and processes that can detect deviations from such patterns of behavior is critical if companies are to move from defense to offense on this issue. Second, education of clients and employees continues to be of major importance and is still far from effective. Companies need to invest much more heavily in both data analytics and education on this issue if they are going to stop playing Goliath to the hackers' Davids.
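As an added illustration of the baseline-and-deviation approach described above (example code, not from the article or from IBM), the script below builds a per-account profile of devices, hours and transaction amounts from a small set of constructed historical access events and then flags new events that fall outside that profile; the event fields, thresholds and account identifiers are assumptions, and the same logic applies to employee access by treating the first field as an employee identifier.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of historical access events: (account, hour_of_day, device, amount).
HISTORY = [
    ("acct-1001", 8, "iphone-A1", 40.0), ("acct-1001", 9, "iphone-A1", 55.0),
    ("acct-1001", 19, "laptop-B7", 120.0), ("acct-1001", 20, "iphone-A1", 30.0),
    ("acct-1001", 18, "laptop-B7", 75.0), ("acct-1001", 12, "iphone-A1", 60.0),
    ("acct-2002", 13, "android-C3", 500.0), ("acct-2002", 14, "android-C3", 450.0),
    ("acct-2002", 12, "android-C3", 700.0), ("acct-2002", 15, "android-C3", 520.0),
]


def build_baselines(history):
    """Summarise each account's normal pattern: devices seen, hours seen, amount statistics."""
    per_acct = defaultdict(lambda: {"devices": set(), "hours": set(), "amounts": []})
    for acct, hour, device, amount in history:
        per_acct[acct]["devices"].add(device)
        per_acct[acct]["hours"].add(hour)
        per_acct[acct]["amounts"].append(amount)
    return {
        acct: {"devices": b["devices"], "hours": b["hours"],
               "mean": mean(b["amounts"]), "stdev": pstdev(b["amounts"]), "max": max(b["amounts"])}
        for acct, b in per_acct.items()
    }


def score_event(baselines, event, hour_slack=2, amount_factor=3.0):
    """Return the reasons an event deviates from its account's baseline; [] means it looks normal."""
    acct, hour, device, amount = event
    base = baselines.get(acct)
    if base is None:
        return ["no baseline for account"]  # never seen before: cannot judge, so surface it
    reasons = []
    if device not in base["devices"]:
        reasons.append("unseen device")
    # Hour check wraps around midnight, so 23:00 counts as close to 01:00.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in base["hours"]):
        reasons.append("unusual hour")
    # Amount is flagged only if it is both a statistical outlier and above anything seen before.
    if amount > base["mean"] + amount_factor * base["stdev"] and amount > base["max"]:
        reasons.append("unusual amount")
    return reasons


def flag_events(baselines, events):
    """Score a batch of new events and return only those with at least one deviation."""
    flagged = []
    for event in events:
        reasons = score_event(baselines, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged
```

In practice the baseline would be rebuilt on a rolling window and the flagged events routed to an analyst queue rather than blocked outright, since a new device or a late-night login is suspicious but not proof of compromise.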
—Andrew Waxman is a consultant in IBM’s US financial risk services and compliance group. The views expressed here are his own. Andrew Waxman writes on operational risk in capital markets and financial services. As an operational risk manager, Andrew has worked at some of the ...