The COVID-19 pandemic has hit the banking sector hard. Demand has been affected, but as an essential services provider the sector must also continue with business as usual while moving most of its employees to work from home (WFH), which poses a massive security and risk management challenge for CIOs and CISOs. Express Computer speaks with Bharat Panchal, Chief Risk Officer – India, ME & Africa, FIS on how CIOs, CROs and CISOs can tread the path in these difficult times.
He was SVP and Head – Risk and Compliance with NPCI and has also served on the board of advisors of the PCI Security Standards Council. He has over two decades of experience in the area of information security, risk and compliance.
FIS works with some of the top financial institutions in India. When asked about his immediate conversations with senior bankers after the lockdown, Panchal said every bank had its own issues; there was no single underlying theme. The priority was to run operations in a business as usual (BAU) mode. ‘Availability’ was top of mind and a key requirement for banks, be it in operations, technology, security, etc.
So what are the concerns on the availability side? Panchal says the DR sites can operate for a few hours, but they aren’t designed to run as a primary site for an extended period of time. The same is the case with a WFH scenario, especially when most of the workforce is working from home. For MNCs there is the possibility of running from sites overseas, but even that is a remote possibility because this is a global issue. This is the first time in history that countries across continents are under a lockdown. “Everything can’t be run remotely, using virtual tools. Human intervention is also needed to make it work given the circumstances and the scale of the problem,” says Panchal. Human intervention is required to adjust and operate power and utilities, and there are certain checks and balances to be carried out at the physical site. The data centre has to be run under specific parameters.
Running operations remotely is not that easy: “There are issues of infrastructure availability, readiness and sizing to meet the requirements,” says Panchal.
Security professionals don’t usually openly advocate WFH because of the security implications it may have. The WFH facility should only be extended to a select few employees. “Now when thousands of employees are working from home, banks are having concerns about availability of the systems and thus availability of staff at the primary site is required,” says Panchal.
Zero trust: The way to go
So, from now on, what should the approach of CISOs and CIOs be? Panchal suggests it is important to separate the essential from the non-essential: “CIOs and CISOs should take a call and zero in on systems that are critical. Everything is not critical. The critical systems should be allowed to be accessed with reasonable and adequate controls to be run from the remote or alternate sites,” he says.
Secondly, a continuous vigil should be maintained on employee activities. Companies may have made trade-offs in allowing employees to use personal devices, so it becomes critical to have visibility into what is happening on the network.
While business continuity has to be maintained, it has to be done while remaining cognizant of the security ramifications.
The zero trust security framework has to be applied more rigorously in the pandemic environment. “When there are chances of adoption of devices which are not properly assessed and devoid of security compliance, a zero trust mentality is even more important,” feels Panchal. The authentication mechanism has to be strengthened further, because the location of the employee is not known. Apart from the physical presence, the logical presence of the employees also has to be registered and access has to be given accordingly. For example, the CEO, when working remotely, should not be given access to the core banking system (CBS) or the database. The CEO’s role doesn’t require that access. This is zero trust in its truest sense.
Secondly, devices running an old version of Windows for which support is no longer available should not be allowed on the network.
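The two zero trust points above (access granted by role rather than seniority, and out-of-support devices kept off the network) can be expressed as a single policy decision that every access request must pass. The following Python evaluator is an added illustration written for this article; it is not code from FIS, NPCI or any bank. The role-to-system matrix, the list of unsupported OS versions and the sample requests are all constructed for the example, and the requirement that MFA be satisfied for every request regardless of location is an assumption drawn from the point that the employee's location can no longer be trusted.

```python
"""Minimal zero-trust access policy evaluator (added example, not the article's code).

Assumptions (constructed for this illustration):
- Roles map to the systems they are entitled to; the CEO role does not include CBS or DB.
- Every request carries device posture; an out-of-support OS is denied regardless of role.
- MFA must be satisfied on every request, because location is not a trusted signal.
"""
from dataclasses import dataclass

# Hypothetical role-to-system entitlements; a real bank takes these from its access governance.
ROLE_PERMISSIONS = {
    "ceo": {"email", "dashboard"},
    "cbs_ops": {"email", "cbs"},
    "dba": {"email", "database"},
}

# Constructed list of Windows versions treated as out of support for this example.
UNSUPPORTED_OS = {"windows xp", "windows 7", "windows 8"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    system: str       # target system, e.g. "cbs"
    os_name: str      # device OS as reported by endpoint management, e.g. "Windows 10"
    mfa_passed: bool  # result of the strengthened authentication step
    location: str     # "office" or "remote"; recorded for audit, never used to grant access


def evaluate(req: AccessRequest):
    """Return (allowed, reason). All checks must pass; the first failing check is reported."""
    # 1. Device posture: unsupported OS is refused before anything else is considered.
    if req.os_name.strip().lower() in UNSUPPORTED_OS:
        return False, "device posture: unsupported OS"
    # 2. Authentication: MFA is required on every request, office or remote alike.
    if not req.mfa_passed:
        return False, "authentication: MFA not satisfied"
    # 3. Authorization: entitlement follows the role, not the person's seniority.
    allowed_systems = ROLE_PERMISSIONS.get(req.role, set())
    if req.system not in allowed_systems:
        return False, f"authorization: role '{req.role}' has no entitlement to '{req.system}'"
    return True, "allowed"


def audit_line(req: AccessRequest, decision) -> str:
    """Format one decision as a log line so the 'continuous vigil' has something to watch."""
    allowed, reason = decision
    verdict = "ALLOW" if allowed else "DENY"
    return (f"user={req.user} role={req.role} system={req.system} "
            f"os={req.os_name!r} location={req.location} decision={verdict} reason={reason!r}")


# Constructed sample requests covering the cases discussed above.
SAMPLE_REQUESTS = [
    AccessRequest("ceo01", "ceo", "dashboard", "Windows 10", True, "remote"),   # allowed
    AccessRequest("ceo01", "ceo", "cbs", "Windows 10", True, "remote"),         # role lacks CBS
    AccessRequest("ops07", "cbs_ops", "cbs", "Windows 7", True, "remote"),      # unsupported OS
    AccessRequest("ops07", "cbs_ops", "cbs", "Windows 10", False, "office"),    # MFA missing
    AccessRequest("ops07", "cbs_ops", "cbs", "Windows 10", True, "office"),     # allowed
]


def run_samples():
    """Evaluate every sample request and return the list of (allowed, reason) decisions."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(audit_line(req, decision))
```

The ordering matters: posture is checked before authentication so that an unsupported device is refused even when the user holds valid credentials, and the CEO's request for CBS is denied on entitlement alone, with no special case for seniority. The audit line is deliberately emitted for allowed and denied requests alike, since visibility into normal activity is what makes the abnormal stand out.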
In this time of crisis, a zero trust environment should be pursued with much more vigour. In the hurry to maintain business continuity, a small mistake can open up a sliver of opportunity for hackers, and it can have a disastrous impact on companies.