With the global threat to online security seemingly at an all-time high, Quintis Venter, a senior software engineer at ThoughtWorks, argues that the threat to the financial services industry stems from technological deficiencies that are a natural consequence of internal resistance to change.
So how secure are online banking apps? They’re not. Many applications are technically secure, but it is important to understand that security is not just a technology problem.
The reality is that there are two kinds of organisations today: those that have been hacked and those that will be. Financial services providers, armed with the knowledge gained from the daily experience of repelling a multitude of attempts to breach their security systems, know they are undoubtedly at risk.
This is largely due to the dramatic rise in breaches of security that have become commonplace over the last few years. Security of connected applications and websites cannot be assumed, especially not when considering recent revelations of security holes in standards such as SSL.
But despite this barrage of determined attempts to undermine their systems, financial institutions are well placed technologically. The big question is whether they are as well integrated organisationally.
The industry is well regulated in terms of compliance and risk management practices. Unfortunately this has had the effect of throwing up barriers between key departments in these organisations. It is standard practice for IT operations to work in isolation. Ditto for Information Security operations, software development teams, etc.
In my opinion, the lack of integration between these departments inside organisations is the single biggest challenge to both efficiency and security.
Unfortunately, traditional banking organisations still tend to see security as a checklist of things to do, which does not translate into a fundamental understanding of security.
The departure point tends to be: are we compliant from a regulatory point of view? And the answer is invariably in the affirmative. The problem is that while this approach enables executives to tick the right boxes, it draws attention away from the bigger opportunity to present an integrated technological response.
Given the increasing pressure on organisations to meet customer demands for a seamless experience – irrespective of the chosen access channel, whether a desktop or laptop computer, tablet or mobile phone – these silos prevent the organisation from seeing the effect one action has on other departments until it is too late.
This interoperability between access channels is an ideal that financial institutions need to mirror by ridding themselves of the barriers between the IT department and their counterparts in development operations and security operations.
Achieving this ideal is by no means easy, which is one of the reasons that financial institutions are struggling to make the transition.
Apart from the mind-set change required, it is also highly dependent on having poly-skilled technologists employed in these roles. This means having people who are not only technically excellent, but are also able to grasp the impact across the entire transaction chain.
All of these factors combine to create a situation in which mobile and web apps are secure in at least one respect, but there is certainly room for improvement.
Organisations typically separate security elements – code review, penetration testing, etc. – from day to day development practices. This will not do.
Security is never “done”; it is not a task you complete, like implementing a new feature. Embedding security practices in the day-to-day tasks of software delivery requires a drastic change in mind-set and an even more drastic change in transparency across technology and business silos.
The good news is that organisations are becoming more aware of these requirements and are, more importantly, acknowledging them as such. The difficulty lies in successfully making the transition.
Connected applications and the transactions they facilitate are as secure as the visibility level from silo to silo.
Until organisations undertake a radical reorganisation of their internal practices, the risk of failing to head off and respond to threats will likely remain higher than they can afford, and higher than their customers will accept.