There is no question that the banking sector needs a comprehensive security framework that integrates cyber and physical systems. Unfortunately, to implement such a framework effectively, banks must overcome certain challenges.
For instance, legacy operating systems can be difficult for financial clients to justify replacing. If an access control platform, for example, isn’t investing in the cybersecurity feature set of its system, it can put clients in a tough position. A well-connected integrator with scale can help a client make sense of both the capabilities of their existing systems and alternative platforms.
“In addition, there are many operating silos within financial institutions, with their own operating mandates and business objectives,” said Kevin Sheridan, Director of Financial Institution Services for Convergint. “Coordinating the cyber posture of those operating entities is absolutely essential. ATM/ITM groups, facilities, physical security departments, and IT might have different priorities, but they all utilize physical security systems to deliver services to their internal and external stakeholders.”
In the past, many of these operating silos used a variety of integrators, both regionally and within lines of business, but in today’s environment, the most risk-aware clients are single-sourcing integration services so that security protocols are uniform across the entire enterprise.
The human factor
Other challenges include a lack of high-level understanding of the risks posed by insecure IoT devices, including IP cameras. Confusion is fueled by mixed messages from vendors about “strong cybersecurity credentials” when in truth some have cameras that are far from secure, with some devices even listed on websites that reveal vulnerabilities or backdoors that can be exploited.
“Security is still too often seen as a cost, and therein lies the danger – it is a mistake to just provide a budget for a surveillance upgrade without fully considering cybersecurity threats,” said Joon Jun, President of the Global Business Division at IDIS. “Equally dangerous may be avoiding decisions about upgrades or even maintenance, because strong security is not seen as a business asset. After disaster strikes, it’s too late for boards to discover that a successful cyber-attack via an IoT device, just like a physical attack, can be both disastrous and costly.”
What the systems integrator can do
Having seen the challenges, it is obvious that constant education, training, and skilling are essential. Every individual can essentially create a potential vulnerability, and a chain is only as strong as its weakest link.
According to Martin Koffijberg, Director, Business Development, Banking and Finance at Axis Communications, this means that systems integrators (SIs) need to work closely with the manufacturers of physical security equipment to stay abreast of both cybersecurity enhancements and potential vulnerabilities (and, critically, the action required to mitigate these).
“The way that security systems have been designed and manufactured has fundamentally changed over recent years,” Koffijberg said. “The importance of installation and commissioning security systems, combined with an understanding of how corporate networks need to be configured to protect the integrity of the device and network has changed, and human error poses the biggest risk.”
In other words, SIs should prepare themselves by investing in technologies and top cyber talent on both the offensive and defensive sides, to better understand the risks that physical security devices can introduce into an organization’s network.
Kevin Sheridan, Director of Financial Institution Services for Convergint, explained that technology investments in credential management, scalable enterprise patch management, and firmware deployment platforms, as well as detection and response capabilities, are some of the tools needed to help reduce the risks often associated with physical security devices.
“Follow a tried and true published standard, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework,” Sheridan added. “It provides a common language that allows staff at all levels within an organization - and at all points in a supply chain - to develop a shared understanding of their cybersecurity risks. The Framework not only helps financial organizations understand their cybersecurity risks (threats, vulnerabilities, and impacts) but how to reduce these risks with customized measures.”