Front Lines of Cybersecurity
Author(s): Stephen Migliore, Posted on March 15th, 2017
Last week, more than 500 executives from various banks, securities firms, and asset management companies gathered to hear Tom Patterson, Chief Trust Officer at Unisys, speak at the Securities Industry Institute® (SII) executive development program hosted by SIFMA and the Wharton School of Business. The cybersecurity topics: predictive analytics, segmenting the enterprise, and advanced identity systems.
Tom, a well-known cyber futurist, made some interesting comments on how the banking industry is in an “analytics space race” and how AI and advanced analytics are reshaping the industry. Some interesting discussion regarding privacy and “who owns the data” ensued, and Tom pointed out that all too often we unwittingly give permission for others to use and profit from our data, without fully realizing it. He noted that many smartphone apps ask for far too many device and data permissions, and that the practice is now spreading into the rest of our devices. He told a story of how his new big-screen TV asked him to press enter to grant permission to collect data about his TV viewing habits. The option to “Not accept” was anything but obvious: it sat four levels deep in the configuration menu.
Gain Trust through Micro-segmentation
Tom discussed how banks and insurance companies around the world are starting to reduce their risk of catastrophe by separating their enterprise networks into many secured “segments,” demonstrating the ease and importance of using encryption at rest and in motion to create “trusted security zones.” Many of the biggest security breaches in recent years would not have had such negative outcomes had micro-segmentation been in place. He referenced new software-based micro-segmentation technologies that can improve security, simplify management, provide agility, and lower the cost of operations.
The importance of proper segmentation and fine-grained security policies is increasing, and getting harder to achieve, in the Internet of Things (IoT) world of innumerable connected devices. These devices often have very weak security and default passwords, such as “none” or the much-favored “1234.” Micro-segmentation is a requirement for easily separating these IoT devices on enterprise networks, securing sensitive systems while still letting the devices operate with agility and efficiency.
Passwords are easily lost, stolen, or forgotten
The topic that stimulated the most discussion among the executives who were present was “the dreaded password.” The simple fact is, “We just can’t trust our brains to remember all of our passwords.” In fact, Tom noted that over the past 20 years, corporate password policies intended to protect data have had the opposite effect: minimum length, frequency of change, and complexity have all resulted in passwords that are harder to remember yet easier for bad guys to steal.
Why are they easier to steal? Because, as Tom stated, “Once we find our favorite password, we use it over and over again.” With a smile, he pleaded with the audience, “If there is one key lesson you learn from this talk, it is to never, never use the same password for multiple accounts.”
He shared an easy way to remember passwords: use a pass-phrase combining the name of someone you know, where you met them, and when you met them. Then, periodically rotate these components.
Security and Convenience need not be mutually exclusive – Biometrics is the way forward
Because financial institutions recognize the problem with passwords, “biometric identification processes have become a top priority.” According to Tom, “Last year, leading the way was fingerprint, largely because of smart-phones and touch-ID. This year it looks to be voice, because voice is widely accepted by customers and available across multiple channels.”
Biometric technology is evolving rapidly, and the future will see adoption of new and better biometric modes, including behavioral-based mechanisms such as how you type, walk, or sign your name. More advanced biometric mechanisms that may not be technically feasible or cost-effective today include verifications involving heart rate, hand geometry, or matching the veins visible from the surface of your skin.
Tom made the point that “enterprise biometric identity systems need to be designed and implemented so they are future-proof. They need to be component-based, support multiple channels, have an open interface, and support the easy integration of different biometric modes and the combination of multiple modes, based on transaction risk.”
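The design principles Tom lists (component-based modes behind one interface, multiple modes combined according to transaction risk) are easier to see in code. The following is an added illustration, not code from the talk or from Unisys: the mode names, the enrolment templates, the risk tiers and every threshold are constructed for the example, and the positional string matcher stands in for a real biometric engine. It shows the policy-side logic a practitioner would want: a per-tier requirement on how many modes must be presented, which modes are acceptable at each tier, a floor each mode must clear so that one strong mode cannot mask a failed one during fusion, and a fused-score threshold.

```python
# Added example (not from the talk or Unisys): a risk-tiered, component-based
# biometric verification policy. Mode names, templates and thresholds are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet

# A verifier takes a captured sample and returns a match score in [0, 1].
Verifier = Callable[[str], float]


@dataclass(frozen=True)
class Policy:
    required_modes: int          # how many distinct modes must be presented
    min_fused_score: float       # threshold on the fused score
    min_mode_score: float        # floor each individual mode must clear
    allowed_modes: FrozenSet[str]


# Hypothetical risk tiers: higher transaction risk demands more modes and stricter
# thresholds, and excludes the purely behavioural keystroke mode from the top tier.
RISK_POLICIES: Dict[str, Policy] = {
    "low":    Policy(1, 0.80, 0.60, frozenset({"fingerprint", "voice", "keystroke"})),
    "medium": Policy(2, 0.85, 0.60, frozenset({"fingerprint", "voice", "keystroke"})),
    "high":   Policy(2, 0.95, 0.60, frozenset({"fingerprint", "voice"})),
}


@dataclass
class Decision:
    ok: bool
    reason: str
    fused: float = 0.0
    scores: Dict[str, float] = field(default_factory=dict)


def positional_similarity(sample: str, template: str) -> float:
    """Toy matcher standing in for a real biometric engine: fraction of equal
    positions between two equal-length strings; 0.0 if the lengths differ."""
    if not template or len(sample) != len(template):
        return 0.0
    return sum(a == b for a, b in zip(sample, template)) / len(template)


def template_verifier(template: str) -> Verifier:
    """Wrap an enrolled template as a plug-in verifier for one mode."""
    return lambda sample: positional_similarity(sample, template)


class BiometricAuthenticator:
    """Component-based: modes are registered as plug-ins behind one interface,
    so a new modality (vein pattern, gait) is added without touching the policy."""

    def __init__(self) -> None:
        self._verifiers: Dict[str, Verifier] = {}

    def register(self, mode: str, verifier: Verifier) -> None:
        self._verifiers[mode] = verifier

    def verify(self, risk_tier: str, samples: Dict[str, str]) -> Decision:
        policy = RISK_POLICIES[risk_tier]
        # Score only the modes this tier accepts and that have a registered verifier.
        scores = {
            mode: self._verifiers[mode](sample)
            for mode, sample in samples.items()
            if mode in policy.allowed_modes and mode in self._verifiers
        }
        if len(scores) < policy.required_modes:
            return Decision(False, "insufficient_modes", scores=scores)
        # A per-mode floor stops one strong mode from masking a failed one in fusion.
        if any(s < policy.min_mode_score for s in scores.values()):
            return Decision(False, "mode_below_floor", scores=scores)
        fused = sum(scores.values()) / len(scores)  # simple score-level fusion
        if fused < policy.min_fused_score:
            return Decision(False, "below_threshold", fused, scores)
        return Decision(True, "accepted", fused, scores)


def build_demo_authenticator() -> BiometricAuthenticator:
    """Constructed enrolment templates (placeholders for real feature vectors)."""
    auth = BiometricAuthenticator()
    auth.register("fingerprint", template_verifier("F7A2C9"))
    auth.register("voice", template_verifier("V0ICE1"))
    auth.register("keystroke", template_verifier("KS-78"))
    return auth


if __name__ == "__main__":
    auth = build_demo_authenticator()
    print(auth.verify("low", {"fingerprint": "F7A2C9"}))
    print(auth.verify("high", {"fingerprint": "F7A2C9", "keystroke": "KS-78"}))
    print(auth.verify("high", {"fingerprint": "F7A2C0", "voice": "V0ICE2"}))
```

The second call in the usage section fails with `insufficient_modes` even though both samples match perfectly, because the high-risk tier does not accept the behavioural keystroke mode; the third fails with `below_threshold` because two near-matches fuse to about 0.83, short of the 0.95 the tier demands. Adding a modality is one `register` call, which is the "open interface, component-based" property the talk called for.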
Bringing Cybersecurity from the Classroom to the Boardroom
The interest and engagement of the executives in the room was almost tangible. Tom concluded by affirming that, when done correctly, security is an enabler of business. It delivers a better user experience, business agility, operational efficiency, and lower cost, all while reducing IT risk and complexity.