It took the theft of US$81 million earlier this year from Bangladesh’s central bank before others across the world felt compelled to take action to tighten security.
Months of investigation have revealed weaknesses right across the banking industry, and revelations that insiders were directly involved in the heist have now led the banks to set up a taskforce that will create a set of standards to harden the banking network against cyberattack.
While this sounds at face value like a good outcome, the question is whether standards are enough when other standards and legislation don't seem to be preventing successful attacks in other industries.
Over the past few decades we’ve seen a variety of standards emerge to bolster cybersecurity defences and improve the governance of information security. Publications from international standards bodies, such as the ISO 27000 family of standards, NIST’s Cybersecurity Framework, and COBIT, have all been written to promote good practice in the implementation of security technology and services as well as in security governance.
If followed, each of these standards promises to help an organisation lay down good practice across the whole gamut of information security control categories, which should lead to a more secure enterprise.
Industry-specific standards and legislation have also crept out of the US, such as HIPAA (the Health Insurance Portability and Accountability Act) and PCI-DSS (the Payment Card Industry Data Security Standard).
PCI-DSS applies to any company that stores, processes or transmits cardholder data, so you’d think that this one would be a good place to start – you might ask why it would not be extended to cover international banking.
If you look back over the past few years at some of the most successful cyberattacks, you’ll see that standards and legislation don’t actually keep out the bad guys. US legislation, through HIPAA, places health insurers under tough rules on the handling of their members’ private data, yet Anthem still got hacked and lost a massive amount of sensitive customer data.
Anthem is the second largest health insurer in the US, and the theft of its entire customer database saw 78 million American citizens’ personal information fall into what is believed to be a foreign government’s hands.
This attack demonstrates that standards and legislation certainly help to focus a business on which controls are needed to protect its information. But unless the business genuinely follows those standards at every layer of its operations, not just in a few high-profile areas of focus, the extreme complexity of a modern organisation will almost certainly ensure that the security it feels is nothing more than a platonic relationship with the standard.
I’m all in favour of standards when there is a way to implement them that puts the onus on the business to really, properly focus on keeping itself secure.
As the committee of central banks begins to gather requirements from its members on how they expect to protect their systems against fraud, it needs to consider how it will make sure that participating banks actually put enough effort into their cybersecurity to make the investment worthwhile.
PCI-DSS is arguably the most comprehensive set of security requirements published by a non-government organisation, which is no surprise given that cardholder data has been the primary target of cybercriminals for a very long time.
But even those companies who are bound by the requirements of PCI-DSS are urged by the PCI Security Standards Council to consider how they continually assure their information security.
The PCI Security Standards Council clearly states that "forensic investigators have discovered that security controls deployed by organisations that had passed an assessment were often out of compliance when breaches occurred at a later date. It’s only by achieving and maintaining compliance that your cyber defenses will be adequately primed against attacks aimed at stealing cardholder data".
Businesses need to stop kidding themselves that compliance and standards are the answer to the cybersecurity problem. Start by focusing on what’s important: looking into the depths of your technical systems for the vulnerabilities that, if discovered by an attacker first, will be the chink in your armour.
No standard will tell the banks how to attain that level of visibility into their own security. Don’t hide behind the façade of standards and legislation; tackle the problem head on.