Whether your source of news is the FT, the BBC or the Daily Mail, headlines about data-related business outages and the associated credibility damage are on the rise. From data outages to increasingly audacious ransomware attacks on public and private organisations at every level, data management has become a mainstream and highly visible topic.
Today, data security, accessibility and management are the most significant aspects of reputational risk to any financial institution. For commercial and private banks, pension funds, insurance companies or any business with responsibility for secure stewardship of personal, identifiable data, and people’s savings and pensions, it is even more critical.
Consideration of reputational risk is, however, only one factor in the wider business imperative to ensure ‘operational resilience’.
Operational resilience refers to the ability of businesses to prevent and recover from disruptions to their critical business operations. Strong operational and cyber resilience is essential for the stability and reliability of any business, as it ensures that organisations can continue providing essential services to their clients, even in the face of major disruptions.
With increasingly prevalent hybrid combinations of on-premises and multi-cloud environments for business-critical operational data comes an increased risk of disruption. Only a relatively small proportion of the critical workloads running in public cloud today were designed for the cloud from the outset. Many are simply legacy applications that have been “lifted and shifted” to the cloud, meaning very few applications have built-in tolerance for a major outage, such as the loss of a complete availability zone.
In my conversations with our customers, this topic is now their top priority. To achieve operational resiliency, IT teams at financial institutions must ask themselves two questions: First, how do we protect our data? And second, how do we detect preventable elements, like ransomware attacks, more effectively?
While human error will always be a risk factor, all financial institutions must also face the simple truth: a ransomware attack will happen. As cloud adoption continues to accelerate, this risk increases, and the modern IT organisation needs an elastic, scalable, multi-cloud-optimised platform to manage and protect its data automatically, efficiently and transparently.
Early detection of ransomware will further secure an organisation, but only when combined with a comprehensive response plan that is regularly tested, rehearsed, and continually communicated to all stakeholders to ensure successful business resiliency.
When it comes to stress testing, far too many financial institutions have a combination of tools, solutions and plans in place that never get tested. These then fail at the point of a breach. The key strategy is to invest in being able to test the plan on an ongoing basis. This isn’t a ‘one-off’ exercise: it should be a living process, capable of adapting to the rapidly shifting shape of new cyber threats.
To ensure successful operational resilience in the face of ransomware attacks, IT teams at financial institutions should:
1. Implement robust risk-management processes to identify and assess potential ransomware attacks and develop strategies to prevent or mitigate them.
2. Develop and regularly test contingency plans to ensure their business can continue providing essential services should an attack take place.
3. Invest in redundant and resilient IT systems to reduce the likelihood of disruptions following an attack and improve the business’s ability to recover from it.
4. Regularly train and re-train staff and all service-providing third parties on operational-resilience procedures in the face of an attack. Too often, key outsourcing partners do not receive updates to critical communication procedures.
5. Regularly rehearse the plan with drills and exercises to test IT cyber-resilience processes and identify areas for improvement. These must be done with employees and service providers. Ensuring everyone knows the plan and their roles and responsibilities during an attack is the most regularly overlooked factor in building operational resiliency.
6. Work closely with regulators and industry organisations to stay up to date on best practices and emerging threats.
Within organisations impacted by a ransomware attack, there is often a rush to attribute blame. Who’s responsible for this breach? Often blame is apportioned to the CIO or the CTO, and even CEOs are potentially accountable. Too often, the root cause of an operational resiliency breakdown is actually a failure of communication: either internally, between business units or functional groups, or, more often, where planned processes have not been sufficiently tested or updated with key IT outsourcers or service providers.
With increasing reliance on public cloud services for business-critical operations, executives also need to be clear on which security capabilities are provided as part of their Cloud Service Agreements and which remain their own responsibility.
In reality, all parties are somewhat to blame. So, in the face of a cyber breach, whether malicious or accidental, organisations need to act together as a team. Only by coming together, with everyone implementing a well-rehearsed recovery plan, can operational resiliency truly be maintained, business risk minimised, and customer data and their precious savings or pensions protected.
As we look towards 2024, the financial landscape will be transformed as new technologies come more into play. Artificial Intelligence is a game changer, as it can already help the process via anomaly detection and malware screening. AI can also take on some financial operations and make them autonomous, in some cases relieving skills gaps within overstretched IT departments. But AI isn’t a silver bullet: as financial institutions use it more, so do the criminals. This creates a never-ending battle and will be an ongoing challenge for finance professionals and IT teams in the coming years.