Information security is incredibly important today, and it is vital that sensitive information be protected from both internal and external threats. Threats grow daily, and more and more industries are now subject to security awareness and compliance obligations. But is it possible to secure 100% of your data 100% of the time?
We spoke to Stephen Frede, Head of Information Security, Technical & Operations at TAS to get his take on information security and what organisations in the financial services sector are doing to mitigate risk and safeguard sensitive customer data.
Could you begin by telling us what information security is?
Information security (InfoSec) is a very broad topic – people also refer to it as cyber security. Simply, InfoSec is the protection of information – especially digital information, generally as stored in computer systems or on computer networks – and it primarily addresses intentional malicious attacks.
These attacks may be external – think stereotypical Russian hacker – through to internal insider threats: someone not deliberately setting out to commit fraud in advance, but seeing an opportunity and thinking ‘oh, I could actually take advantage of this’ (opportunistic attacks). More and more attacks are happening every day, such as the Westpac story where almost 100,000 Australians’ private details were exposed in an attack on Westpac’s PayID.
Of course InfoSec also deals with the more deliberate attacks where we use the term ‘advanced persistent threat’, where an attacker may spend a lot of time surveilling an organisation, finding out a lot of information about them, who all the key people are and then they may conduct a number of phishing attacks to further find out information or probe for weaknesses until they gain a small foothold somewhere where they can launch a larger more damaging attack.
Has InfoSec changed over the years?
It is certainly getting harder and harder these days to protect people’s data, which is why organisations and consumers look to password management systems to help create more secure access to information. In all honesty though, these sites get attacked all the time. It’s getting so frequent that they barely make the news now when, say, a million accounts are stolen off some site. Then you have to ask yourself, is there any point reporting that, because last week 10 million accounts were stolen, as an example.
How is TAS addressing this threat for the organisations you serve?
Essentially, we ensure that the services we manage for customers have a large range of controls in place, and that they meet, or exceed, the standards and practices in place for information security in their sector. For TAS this is the Banking, Finance, Insurance and Securities (BFIS) sector, which is also heavily regulated.
One of the standards that has had a lot of focus recently is the VISA Payment Card Industry Data Security Standard (PCI DSS) which provides a very detailed set of controls (240 individual controls) that organisations must comply with. An external, independent Qualified Security Auditor (QSA) performs an audit of each of the controls against the requirements in the standard to assess our compliance against each. Once the QSA is satisfied that each one has been met, a report is produced to confirm TAS’ PCI DSS compliance posture. We achieved compliance last year, which means our clients know the services we perform for them are also compliant with PCI DSS. Achieving compliance is obviously just the first step – we now conduct a range of regular activities to maintain that compliance. Of course, that is only one set of standards, there are many many more!
More recently APRA, which governs financial institutions, has released their InfoSec standard, CPS 234, which financial institutions need to comply with. It is not as detailed as the PCI standard – it is broader and operates at a much higher level. APRA has also released a guide that accompanies CPS 234 that outlines ways financial institutions could achieve the various requirements.
Organisations can either do this compliance work themselves, or partner with a company like TAS in order to receive a level of assurance in some areas. What should companies be aware of when they are working with partners like TAS?
There are two key things to note:
- Firstly, financial institutions need to comply with the APRA CPS 234 standard by 1 July 2019. As you can imagine, organisations are madly scrambling to reach compliance because it is going to be hard. If you’re a large enterprise, the scope of work is significant, so it’s challenging, and if you’re a small organisation you’re under-resourced, so it’s really difficult. But those organisations that partner with a managed service provider for those services will have an extension up to the contract renewal date or to the 1st of July 2020, whichever is earlier, which is a good thing to be aware of.
- Secondly, in the case of TAS, we’re owned by the financial services industry, and we are taking a very proactive approach to ensuring information security. It’s part of our mandate to help the financial services industry and provide effective and efficient services. Our primary consideration is how we look out for our clients and the industry overall, and we’re making sure that information security is a very core part of everything that we do. For every service that we provide, information security forms a significant part. Furthermore, we have a continuous improvement program in place so that we’re always refining and enhancing our security capabilities and controls.
Why the increased focus on InfoSec? Is it because of the world we live in, or is there something else driving it?
There are a few things. One is that you do see InfoSec breaches regularly in the media, but I would say one of the key things driving change in Australia is the findings of the Banking Royal Commission. APRA is coming out pretty hard and is keen to see organisations have more accountability and responsibility for information security and a whole range of other issues.
One of the drivers, and a deficiency in many organisations, is that they don’t have the governance framework in place to provide the right level of assurance that they’re doing things the right way. For example, they don’t have the right checks in place to reassure themselves, and they don’t have the right reporting through to the Board, so the Board is “blindly trusting” management. This was a key finding from the Royal Commission – don’t blindly trust anything – you need proper reporting and governance frameworks with some independent checks and balances in place to gain assurance that the right things are happening at the right time.
So, can you secure 100% of your data, 100% of the time?
I would love to say that yes, you can, especially as we are getting on top of things: software vendors are improving the level of controls, with fewer bugs and vulnerabilities, and people are becoming smarter and less likely to click on phishing email links or open unknown attachments, etc. Unfortunately, while some of that is true, the frequency and sophistication of attacks are also increasing. It’s an arms race in cyber space, but it’s one that’s hard to win.
So while it may not be possible to secure 100% of data 100% of the time (considering the increasing sophistication and capabilities of attackers), we are certainly making improvements, and as more organisations are held to account they will look to providers like TAS to help them comply with the set standards to secure their data.