Security Experts:

When it Comes to Business Defense, Simplicity is the Watchword

Enterprises Must go Beyond the Perimeter and Worry About the Surface Area that is Open for Attack and the Challenge of Detecting Attacks Quickly

Cyber security, fraud prevention, compliance with regulations, and anti-money laundering measures are all facets of business defense. Failures in any one of these and a company could be facing significant fines, reputational damage and extensive forensic and remediation costs. For financial services firms, this could mean a ten-year hangover in terms of Operational Risk Capital. The challenges are many and the solutions are not simple.

Yet, simplicity is key to business defense. Complexity, in terms of the number of distinct systems, processes, data repositories, vendor relationships and other variables are opportunities for exploitation. Simplicity is also key in the new layered defense mode – where the outer layers reduce the likelihood of a successful exploit, and the inner layers find the exploits that evade your other controls.

We’ve heard many times about defense of the perimeter--the idea that we need to keep bad people out of systems. But the perimeter is not the only consideration. You must also consider surface area and topology.

Data Center SecurityYour company’s surface area increases with every device and application that you support – especially if they are all connected. Cyber attacks on corporate systems have come from systems as varied as third party suppliers and Point-of-Sale systems, although they are more likely to come from an infected email or a corrupted website.

Your security processes become strained by the number of devices and systems. Make sure one thousand PCs are patched; how about ten thousand? Deal with dozens of BYOD device types; how about hundreds? Add a new development environment or language to the existing one when each one has different vulnerabilities and requires different processes to secure them?

Complexity also makes it harder to spot anomalies in the system. It’s one of the reasons why break-out fraud and money laundering use hundreds of accounts and transactions. Criminals do their best to hide their activities by hiding in plain sight; mimicking the normal behaviors at the micro level. It’s only at the macro level that the fraudulent patterns emerge. The more systems and processes you have the harder it is to get that macro view; not to mention more costly and time consuming.

Complexity hampers your controls in another way as well. If your control specialists (AML investigators, fraud investigators, and cyber security experts) spend their time acquiring data from different systems or switching between systems to do their jobs they are less effective. A standard response is to dedicate resources to a specific business line or even to specific systems. Unfortunately, this creates silos of information that hamper detection at the macro level. The push for convergence cites the elimination of information silos and an increase in investigator productivity as one of the driving forces.

So are you damned if you do and damned if you don’t? Not really – just follow Albert Einstein’s guidance, “Everything should be as simple as it can be, but not simpler.”  Constantly look for ways to simplify your environment including infrastructure, applications and business processes--then work to keep those systems secure. When constructing business cases, include the benefits of reduced risk and lower potential capital costs as part of your business rationale. From a personnel perspective, reward the people that simplify on par with those delivering the latest functionality.

In today’s hyper-connected world it’s not sufficient to worry only about the perimeter. We have to assume that fraudsters and criminals will evade some of our defenses. Therefore, we have to worry about the surface area that is open for attack and the challenge of detecting attacks quickly when they are occurring. In every instance simplification will help.

Related: Complexity is the Enemy of Security

view counter
Bill Sweeney is the US financial services evangelist of BAE Systems Applied Intelligence and is entrusted with cultivating innovative technology solutions in cyber security, fraud prevention and regulatory compliance for buy- and sell-side professionals worldwide. For more than 20 years, Bill has leveraged emerging and state-of-the-art software and services to empower and transform investment operations as well as control risks. He has served as CIO and CTO for a number of marquee-name banks, hedge funds and Wall Street firms. Prior to joining BAE Systems Applied Intelligence, Bill served as chief information officer of compliance and legal technology for Citi. From 2008 to 2012, he was director of research technology for hedge fund Bridgewater Associates. In addition to serving in senior roles for several technology boutiques, Bill also was CTO of HSBC. He is a graduate of Manhattan College and earned his master’s degree in computer science from the University of Southern California.