- Email: [email protected]
Bank mainframes under threat
NEWS ...Continued from front page People with security qualifications and experience can command high salaries: in Europe, a third of information security specialists receive salaries of over E95,000 a year. This is driven by demand that is also leading to qualified people moving between jobs frequently, with 21% of the global workforce saying they had changed jobs in the past year. Experience is crucial, as 92% of the managers doing the hiring admit that they put a premium on experience over qualifications, making it difficult for newcomers to break into the field. Around half of hiring managers also said they rely heavily on social and professional networks in finding suitable people. The report also says there is a mismatch between the skills that organisations are seeking and those that are the main priorities for workers themselves. Security practitioners currently see cloud computing security (60%) and risk assessment and management (41%) as the major concerns, while for organisations the focus is on communication (66%) and analytical skills (59%). “News of a huge gap in cyber-security experts in Europe by 2022 is at best concerning and at worst societally destructive,” said Claire Stead, online safety expert at Smoothwall. “Hospitals, schools, businesses and governments will all feel the effect of a depleted cybersecurity force if this hole isn’t filled properly. Without the adequate number of cyber experts, security breaches may well become the norm for our National Health Service, businesses and elections.” She added: “The everyday consumer will feel the effect of a depleted cybersecurity system too; their savings in a bank could be compromised, their personal data stolen from hospital records for ‘social engineering’ or addresses and payment details stolen from a business’ database. Data exposure was one of the chief security concerns within the report, which is why companies must build a layered defence spanning encryption, firewalls, web filtering and ongoing threat monitoring to protect their most valuable asset: data. People need to be incentivised to train in cyber-security.” The GISWS project has also issued a report on women in cyber-security.
June 2017
Among its findings are that women are generally more highly qualified than their male counterparts, but 51% of them have experienced some form of discrimination. Women comprise only 11% of the information security workforce and earn less than men at every level. There is more information here: https://iamcybersafe.org/GISWS/.
UK data breach fines double
A
s we approach the full implementation of the EU’s General Data Protection Regulation (GDPR) in spring of next year, analysis by PwC has shown that the UK was (with Italy) the most active region in Europe for regulatory enforcement of data breach rules.
The Information Commissioner’s Office (ICO) imposed 35 fines totalling £3.25m in 2016 – double the value of fines, of which there were 23, in the previous year. There were nine fines in 2015. “The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” said Stewart Room, PwC’s global cyber-security and data protection legal services leader. “It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?” These figures still pale into insignificance when compared to the US where organisations received fines of around $250m in 2016, although the regulatory environment there is more complex, with many of the laws being state-based. However, in 2018 all European firms will become liable to penalties under the GDPR which can reach 4% of global turnover or €20m, whichever is the greater. Even after the UK has left the EU, the country is likely to implement a similar law and the GDPR will remain
applicable to any firm that does business or stores data on people in the EU.
Bank mainframes under threat
M
ost financial services CIOs believe that their mainframe systems are more secure than other platforms, but more than threequarters of them say they are still exposed to a significant risk of insider threats due to blind-spots in internal data access and controls.
Research by Vanson Bourne on behalf of Compuware found that 59% of organisations in financial services use the mainframe as a core repository of their most sensitive data, storing either more or equal amounts of customers’ personally identifiable information (PII) there as they do on other systems. Some 86% of the organisations said their mainframe is more secure than other systems, with a further 14% saying it was equally secure – which is why they put their most sensitive data there. However, 78% of firms said they have a ‘blind spot’ concerning what mainframe data is being accessed and how it’s being used. In addition, 84% also find it difficult to track who has accessed data stored on the mainframe, exposing them to an increased risk of insider threats. “The mainframe has always been the most securable platform in the enterprise, which is why organisations continue to entrust their most sensitive data to it,” said John Crossno, product manager, Compuware. “However, businesses still face the risk that privileged employees, or those who have acquired access illegally, will misuse mainframe data.” The research also revealed that the most common measures being used to overcome insider security risks include: saving security log files for future reference (79%); regularly scanning security logs for inconsistencies (68%); using a SIEM system to perform security analytics using mainframe data (80%); and using a SIEM system to combine mainframe data with security data from other systems (45%). However, just 2% of financial services organisations monitor user and database activity to tackle insider threats on the mainframe.
Computer Fraud & Security
3
June 2017
Among its findings are that women are generally more highly qualified than their male counterparts, but 51% of them have experienced some form of discrimination. Women comprise only 11% of the information security workforce and earn less than men at every level. There is more information here: https://iamcybersafe.org/GISWS/.
UK data breach fines double
A
s we approach the full implementation of the EU’s General Data Protection Regulation (GDPR) in spring of next year, analysis by PwC has shown that the UK was (with Italy) the most active region in Europe for regulatory enforcement of data breach rules.
The Information Commissioner’s Office (ICO) imposed 35 fines totalling £3.25m in 2016 – double the value of fines, of which there were 23, in the previous year. There were nine fines in 2015. “The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” said Stewart Room, PwC’s global cyber-security and data protection legal services leader. “It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?” These figures still pale into insignificance when compared to the US where organisations received fines of around $250m in 2016, although the regulatory environment there is more complex, with many of the laws being state-based. However, in 2018 all European firms will become liable to penalties under the GDPR which can reach 4% of global turnover or €20m, whichever is the greater. Even after the UK has left the EU, the country is likely to implement a similar law and the GDPR will remain
applicable to any firm that does business or stores data on people in the EU.
Bank mainframes under threat
M
ost financial services CIOs believe that their mainframe systems are more secure than other platforms, but more than threequarters of them say they are still exposed to a significant risk of insider threats due to blind-spots in internal data access and controls.
Research by Vanson Bourne on behalf of Compuware found that 59% of organisations in financial services use the mainframe as a core repository of their most sensitive data, storing either more or equal amounts of customers’ personally identifiable information (PII) there as they do on other systems. Some 86% of the organisations said their mainframe is more secure than other systems, with a further 14% saying it was equally secure – which is why they put their most sensitive data there. However, 78% of firms said they have a ‘blind spot’ concerning what mainframe data is being accessed and how it’s being used. In addition, 84% also find it difficult to track who has accessed data stored on the mainframe, exposing them to an increased risk of insider threats. “The mainframe has always been the most securable platform in the enterprise, which is why organisations continue to entrust their most sensitive data to it,” said John Crossno, product manager, Compuware. “However, businesses still face the risk that privileged employees, or those who have acquired access illegally, will misuse mainframe data.” The research also revealed that the most common measures being used to overcome insider security risks include: saving security log files for future reference (79%); regularly scanning security logs for inconsistencies (68%); using a SIEM system to perform security analytics using mainframe data (80%); and using a SIEM system to combine mainframe data with security data from other systems (45%). However, just 2% of financial services organisations monitor user and database activity to tackle insider threats on the mainframe.
Computer Fraud & Security
3