The process of safety and risk management in the banking sector
Knowledge 3 February 2017 Krzysztof Sadecki
INTRODUCTION
In accordance with Recommendation D, banks should manage risks efficiently and reduce them. In practice, however, the most common form of risk reduction in banks is so-called firefighting: dealing with incidents only once they have broken out. A successful defense also requires detection and response. These three elements, prevention, detection and response, define the approach to IT security and allow the operational risk associated with security to be reduced effectively. Reducing that risk in organizations is the subject of this article.
Most of us are inclined to think that locks are sufficient protection, that prevention alone is enough, and that there is no need to spend money on anything else. Reality looks quite different: most companies, and most of us at home, have alarms installed as well.
Risks and Remedies
Once the risks have been identified and assessed, the organization must decide what to do about each of them. Essentially, there are four options for every risk:
a) reduce – implement a countermeasure
b) accept – take no countermeasure and accept the potential loss
c) transfer – e.g. pass the risk on to an insurance company
d) avoid – stop the activity that gives rise to the risk
This article concerns risk reduction, and it assumes that countermeasures will be implemented. As mentioned at the beginning, risk reduction is very often equated with preventive measures alone. Prevention would be enough if every countermeasure were perfect, but the reality is quite different. We usually have to assume the worst case, and banks tend to approach this naively: once someone gets into the internal network, they can usually do a great deal. We must assume that an attacker will be able to bypass our preventive measures, and we must have a way of detecting the attacker when that happens. This calls for a complete rethink of the defense strategy.
Protection is really a way of thinking
To prevent intrusions effectively and minimize risk, we must fundamentally change our way of thinking. One thing must be kept in mind: complexity is the greatest enemy of security. Today's security systems are very complex, and it is therefore reasonable to assume that someone will manage to get around them. Security professionals must therefore have countermeasures in place for the case where an attacker evades the preventive measures. Only then does protection really work.
Consider how it looks from the attacker's side. When only prevention is in place, the attacker has a single obstacle to overcome. When both prevention and detection are in place, the attacker must get past two obstacles, which is considerably harder. From the defender's point of view, the probability of catching the attacker rises dramatically. This is one of the ways in which operational risk can be reduced.
Do not forget about detection
It is fair to say that detection is usually neglected by banks. Only now are most banks implementing intrusion detection systems and learning to use them. That does not make detection useless. Intrusion detection is useful at all times and should be used to determine whether something is actually wrong. Consider installing a good IDS/IPS. A signature-based system detects most known attacks, but it has no signature for an attack it has never seen, and even heuristic (anomaly-based) detection cannot cover every case. There is therefore no guarantee that every attack will be detected. Even so, imperfect intrusion detection is far better than none, because it dramatically reduces the risk. Implementing intrusion detection is therefore of great importance.
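The following is an added example, not part of the original article and not the code of any real IDS/IPS product. It runs a signature rule and a simple rate heuristic over a handful of constructed log lines (invented for this example, in an assumed simplified "client-ip method path" format) to show the point made above: the signature catches the plain, known attack, the heuristic catches a noisy attacker whose encoded payload slips past the signature, and a careful single request evades both.

```python
import re
from collections import Counter

# Constructed sample log lines (made up for this example; assumed format
# is "client-ip method path", much simpler than a real web-server log).
SAMPLE_LOG = [
    "10.0.0.5 GET /accounts?id=1",
    "10.0.0.5 GET /accounts?id=1 UNION SELECT user,pass FROM users",  # known attack, plain text
    "10.0.0.7 GET /accounts?id=2",
    "10.0.0.7 GET /statements?month=2017-01",
    "10.0.0.9 GET /accounts?id=1",
    "10.0.0.9 GET /accounts?id=2",
    "10.0.0.9 GET /accounts?id=3",
    "10.0.0.9 GET /accounts?id=4",
    "10.0.0.9 GET /accounts?id=5",
    "10.0.0.9 GET /accounts?id=1%20UNION%20SELECT%20user,pass%20FROM%20users",   # URL-encoded: evades the signature
    "10.0.0.11 GET /accounts?id=1%20UNION%20SELECT%20user,pass%20FROM%20users",  # encoded AND quiet: evades both
    "10.0.0.12 GET /download?file=../../etc/passwd",                             # known traversal pattern
]

# Signature rules, written against the raw line (hypothetical rule names).
# Note that "union\s+select" does not match "%20UNION%20SELECT" because the
# encoded space is not whitespace; a real IDS would normalise first, and an
# attacker would then look for the next encoding the normaliser misses.
SIGNATURES = {
    "sqli_union": re.compile(r"union\s+select", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_alerts(lines):
    """Return (line_number, rule_name) for every line matching a signature."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((number, name))
    return alerts


def rate_alerts(lines, threshold=5):
    """Heuristic: flag any client that sent at least `threshold` requests.

    This has no idea what an attack looks like; it only notices that one
    client is far busier than the rest, which is how enumeration, brute
    force and scanning usually look in a log.
    """
    counts = Counter(line.split()[0] for line in lines)
    return sorted(ip for ip, count in counts.items() if count >= threshold)


def suspicious_clients(lines, threshold=5):
    """Union of clients flagged by either mechanism, sorted for stable output."""
    flagged = {lines[number - 1].split()[0] for number, _ in signature_alerts(lines)}
    flagged |= set(rate_alerts(lines, threshold))
    return sorted(flagged)


if __name__ == "__main__":
    for number, rule in signature_alerts(SAMPLE_LOG):
        print(f"signature {rule} matched line {number}")
    for ip in rate_alerts(SAMPLE_LOG):
        print(f"rate heuristic flagged {ip}")
    print("suspicious clients:", suspicious_clients(SAMPLE_LOG))
```

On the sample above, the signature layer flags lines 2 and 12, the rate heuristic flags 10.0.0.9, and 10.0.0.11 is flagged by neither: the encoded payload defeats the signature and a single request does not trip the rate rule. That last client is the attacker the article is talking about, and the reason detection must be treated as a layer that reduces risk rather than a guarantee.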
Analogies to computer security that can be found in the real world
Let us look at some everyday examples to understand why prevention combined with detection is a better approach than prevention alone. Think about how an alarm works in your home or company. As noted in the introduction, most of us would accept that locks are sufficient protection, yet most companies and most homes have alarms installed anyway. Why do we spend money on alarms? Because each of us knows that an intruder can still break into a building, so we install alarms designed to detect the intruder's presence. In other words, we assume that the preventive measures can be bypassed. Both prevention and detection are therefore used in the real world too. An even simpler example: why do we fit alarms to cars? Because we want to know when someone breaks into our car.
Do not forget to react
The most important thing to realize is that even the best detection system is useless if nobody responds to the incident. Think about the house alarm mentioned in the previous section. The mere fact that an alarm is installed does not help if we do not react to its sound. If we do react, we can stop the thief, but a thief works quickly, so our response must be rapid as well.
All of this is a process
This article has outlined the whole process, and the key point is that prevention must be complemented by detection and response. Prevention, detection and response must be used together and applied consistently. The process cannot be switched off when the employees go home. Security is a process that must be maintained continuously; there is no alternative if we want effective protection. We must always be able to respond to a security incident, even if the phone wakes us in the middle of the night. In banks, as in any other high-risk environment, incidents do not wait until eight or nine in the morning when we arrive at work. If we do not react immediately, the attacker may have enough time to steal information that should never see the light of day. Prevention, detection and response together form a complete process that allows effective protection to be implemented in any company.
Article Summary
This article has described risk and argued that reducing security risk should not be equated with prevention alone. Modern prevention systems are extremely complex, and complexity is the greatest enemy of security, so it is safe to assume that prevention systems can be bypassed. Detection must therefore also be implemented to catch attackers who get past prevention. Neither prevention nor detection will ever be perfect, but using both at the same time reduces the risk effectively, because the attacker then faces two obstacles rather than one. Finally, all the prevention and detection in the world is useless if we are unable to respond adequately to a security incident. Only when all three elements, prevention, detection and response, are in place does the organization have an effective security process.
Read this article in Polish: http://www.businessmantoday.org/proces-bezpieczenstwa/