Saturday 7 December 2013

Royal Bank of Scotland - When Modern Hackers meet Outdated Bankers

"As he apologised, RBS boss Ross McEwan admitted the bank had failed to invest in IT systems for decades."



This is one of the reasons why systems in organizations easily failed and get compromised. The failure to invest in IT systems is not just a problem for Ross McEwan but also with other CEOs or bosses. Many simply sees it as something troublesome and still adopting the idea that 'If nothing is wrong with it, why change?'. While it may be true depending on how one applies that theory, in this new generation of increasing threats and cyber criminals, that idea must no longer be practiced. 

Cyber threats are always increasing no matter how secure we think we are. One of the ways to counter these threats is to periodically upgrade and update the systems and servers in the organizations. Bankers should not just focus on the physical aspects of security such as advance money safes, patrolling guards be it human or electronic, security cameras and etc but also the IT aspects of it. This may be in the forms of management of patches, upgrading of OS to the latest available, performing periodic system security assessments and audits and complying to security standards. 

I have seen big companies still using unsupported versions of operating systems such as Windows XP. I have seen how critical services using Windows platform to serve as its host. I have seen how huge organizations still using the likes of Windows 2000 despite its now the year 2013. Of course one of the reasons why bosses do not want to change it is because of the amount of work and money to be invested in. Questions like will it support their current software, will there be an issue upgrading from this to that, will the migration be a painful process and some raise concerns such as whether hiring vendors to support in the migration, can they be trusted, how can they guarantee whether or not their data will not be leaked by these external parties.

The answer is not as easy as one might think but this is where trust comes into play. Agreement documents such as the NDA (Non Disclosure Agreement) and many legal aspects of it will play a part in the human-relationship aspects of it. Bosses should not take advantage of their current security posture into thinking "Why should i change when we have not been compromised before?"... that thinking will definitely be the beginning of the downfall and potential cyber criminals may eventually take advantage of that. Bosses should now think that they would rather 'waste' their money securing and upgrading their systems rather than millions of money being stolen and worse, customers impacted by it will switch banks because of such incidents leaving the affected bank/s into a dilemma situation and meltdown.

Money is no longer just a physical thing. Transactions are frequently made in Ones and Zeros in the digital world and financial organizations responsible in guarding these money should not just ensure that their physical safe is secured but also ensure that the electronic aspects of it are digitally secured as well. 

To quote Richard A. Clarke, the author of Cyber War - “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked."

No comments:

Post a Comment