Due to the far reaching effects of this year’s global cyberattacks, the average cost of cybercrime for companies is now $11.7million a year. And, according to the Ponemon Institute, the cost per capita of a data breach hits the financial industry the second hardest after healthcare.
Financial companies are a special target of cybercriminals and customers are also heavily affected by attacks – there were 2,356,000 cases of bank account fraud reported last year. As most of us utilise online financial services, the opportunity for cybercriminals to act is vast. Financial organisations need to do everything they can to fortify their internal and external systems.
Financial advisors Duff and Phelps reported that the vast majority of financial companies do plan to focus more resources and time on cybersecurity in the next few years, but what measures can organisations actually take to protect their organisations and their customers?
Layered approach to security
There is no one silver bullet which can protect organisations against cybercrime because cybercriminals are constantly evolving their weapons to exploit systems in new and innovative ways. Organisations need to deploy layered cyber security defences in order to have the best chance of preventing cyber attacks from infiltrating their organisations – this includes having the right defensive and preventative technology in place, as well as educating employees so as to reduce the impact of attacks which target users. Getting ‘the basics’ right first is also key – having state-of-the-art tech in place is fine, but if your fundamentals aren’t there, then it will falter when attacked.
One of the most important cyber security fundamentals is patching. Just like fixing a piece of clothing, a patch is a kind of software which fixes or improves computer programs by updating them and their supporting data. If programs are unpatched, then the holes can act as vulnerabilities that cybercriminals can exploit to get into an organisation’s network and infrastructure and wreak chaos from within.
The problem with patching is that it takes a very long time to do manually, and vulnerabilities are often missed due to human error, leaving the organisation open to risk. As well as this, some organisations may do a great job patching physical devices and servers but forget all about programs and data hosted on virtual servers and the cloud.
This is why automated patching, which spans the physical and virtual, can do wonders for the security of an organisation. Automated patching solutions scan systems for missing patches, deploy patches without the need for human interference, and then provide cybersecurity teams with real-time reporting. This final feature is invaluable for organisations that need to adhere to regulations that require them to provide full visibility of their systems, such as the upcoming EU GDPR (General Data Protection Regulation) and NIS Directive.
Patching needs to be a fundamental part of any cyber security strategy, but this doesn’t mean cyber security staff should spend all their time trawling through these updates. If the mundane task of patching is automated, the organisation can keep itself protected against the exploitation of vulnerabilities whilst allowing staff to utilise their time better working on more strategic business issues.
Case for Automated Patching
The International Currency Exchange (ICE) is a leader in foreign exchange and transactions, and is one of the largest retail currency exchange operators in the world. It is based in London, but has 400 offices worldwide.
Regulatory compliance and security are absolutely critical for ICE. In the past, it relied on Microsoft Windows Server Update Services (WSUS) for automatic patching of updates, hotfixes (a quick-fix engineering update that addresses a problem in a software product, typically addressing a specific customer situation), and service packs (a collection of software updates, fixes or enhancements).
But, five years ago, like many other leading financial exchange providers, ICE began working towards the Payment Card Industry Data Security Standard (PCI-DSS) accreditation. Adherence would help it secure the processing of card payments and reduce instances of card fraud in currency transactions, while still protecting cardholder data. This was especially relevant for ICE, who were the first foreign exchange operator to offer a pre-paid currency card.
To achieve accreditation, however, it needed to prove adherence to secure systems through vulnerability management processes. And that meant it needed a more granular and automated method for updating operating system software and third-party applications, together with higher-grade reporting on patch deployment. As well as this, as the IT team were small in comparison to the size of their responsibilities, they needed to save as much time as possible on patch management in order to focus on improving other IT and security areas of the business.
ICE required a solution that provided them with an easy deployment, detailed reporting and, of course, automation. Phased rollout began in the UK, with full global rollout across all systems scheduled further down the line. The solution is scheduled to run each weekend to streamline and automate the patching process. Policies are set to discover and identify that week’s missing patches and deploy them automatically across servers and workstations, quickly and seamlessly. On Monday morning, IT checks the weekend reports, cross-checks some of the servers within the policy, and logs accordingly.
ICE have reduced the time taken to fully patch systems by around 90%. They’ve created baselines bespoke to their needs which run in the background — these tested baselines provide reassurance that a rogue patch can’t inadvertently break the system, and they retain the power to detect and plug vulnerabilities.
To help ensure safe financial transactions, ICE need to be running the latest updates, and automated patch management is the ultimate insurance, and a crucial part of a layered defence against security.
Simon Townsend is CTO – EMEA at Ivanti