The latest hack to create a storm with the media and analysts alike is that of a large bank in the United Arab Emirates, reported to be Invest Bank. With large amounts of data, including tens of thousands of customer files, now in the public domain, it’s easy to see how the hack of this bank is a wake up call for all organisations, including financial institutions, to put serious security measures in place to contain breaches once they occur.
With data including full names, credit card numbers and birthdays involved in the breach, it’s clearly a sensitive issue; if anything has been learnt from the recent TalkTalk breach, it’s that it’s no easy task to tell customers that their private information, which they thought could be trusted, is now not so secret anymore.
So, what can banks and financial institutions across the globe learn from this? Something that isn’t easy to come to terms with, but that is an unfortunate fact, is that it’s inevitable that breaches are going to happen. So, the issue is not one of breach prevention or detection, but one of breach containment: how can organisations limit the scope of a breach and keep it to a manageable segment, instead of a system-wide disaster?
A change in mind-set is needed here. In order to achieve a breach containment model, organisations need to think differently about the security architecture design. With a focus on users and applications, rather than the network itself, organisations can use cryptographic segmentation to ensure only privileged users have access to privileged applications or information. With this strategy, the organisation knows immediately the extent of the breach and the data/users/applications affected.
Could a different approach to security have limited the scope of this hack? Who knows. However, one thing is for certain: organisations must adopt a software-defined security strategy in order to stay ahead of the game. If they don’t, they face the probability of becoming another organisation to hit the hacking headlines, and for organisations holding vast amounts of sensitive customer data, this is no longer an option.
Paul German, VP EMEA, Certes Networks