Symantec's report on the state of information security for financial institutions in India highlights compliance and governance, the changing threat landscape and the endpoint explosion of new online and mobile channels as the top threats.
In order to mitigate those risks, institutions must have a robust governance and risk management framework in place, Naik says. Another area is around identity and information. "What's happening really is the focus is moving from protecting the infrastructure to protecting the information and the identity of people accessing that information," Naik says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
The regulatory bodies in India, such as the Reserve Bank of India, are also working to improve the security posture of financial institutions. RBI's guidance, which financial institutions must adhere to by Oct. 31, is urging banks to have defined IT governance frameworks and checks and measures in place to tackle various types of fraud.
"Our advice, our guidance to ... institutions, is around creating a policy-based framework which is identity and information-centric and well managed across the physical, virtual or cloud infrastructure," he says.
In an exclusive interview, Naik discusses:
- Highlights of Symantec's new report on information security in financial services;
- Today's biggest threats to Indian institutions;
- Key emerging technologies that can assist institutions in tackling these threats.
Naik spearheads Symantec's sales for West of India and Technology Sales for India & SAARC. He is responsible for planning and execution of pre-sales, technical consulting and architecture support for enterprises and consumers in the SAARC Region. He is also responsible for building technical capacity and enablement for Symantec partner community.
Having spent over 17 years in the IT industry, Anand has been with Symantec for over five years now. He has been associated with sales, consulting and pre-sales roles, with an in depth understanding and active participation in strategic planning and execution with customers. Anand brings experience and expertise in transforming customer's business challenges into IT solutions that can help achieve immediate and long term success for IT deployments. He is also responsible for providing technical thought leadership for strategic sales opportunities.
TOM FIELD: To begin with, would you tell us a little about yourself and your own experience in information security please?
ANAND NAIK: I'm with Symantec as director of technology sales for India. For the last six years I have been with Symantec and I deal with customers across the country in different verticals on consulting about their security posture, about the architectures of their environment and everything related to breaches and technology consulting solutions that Symantec offers to our customers here. I have total industry experience of close to 18 years in the field of data centers, IT management and security.
India's Information Security PostureFIELD: Symantec has just released a new report on information security in financial services. What can you tell us about the highlights of this report?
NAIK: If you look at the financial services sector in India, on one side we have a very tight regulatory environment. If you look at banking industry within the financial services sector, we have our federal bank, the Reserve Bank of India, which has come out with its mandate around information security, IT governance, audit and compliance needs that the banks need to adhere to. On the insurance side of the financial services, we have the Indian IRDA [Insurance Regulatory and Development Authority] which is the regulatory authority for insurance in the country. On the financial services security market, we have SEBI [Securities and Exchange Board of India] which is the regulatory authority. These three regulatory authorities have come up with guidelines that corporations and the financial services sector need to adhere to in terms of their IT governance posture.
The second big challenge that financial services in India, as well as around the world, are facing is the changing threat landscape.
Biggest ThreatsFIELD: You mentioned the changing threat landscape. What do you see as the biggest threats to Indian institutions today?
NAIK: One is the regulatory environment that I was talking about. The second area is the changing threat landscape. In 2010 we saw close to 287 new unique malware around the world and a lot of that is targeted specifically to the financial services sector for obvious reasons of financial gains. The threat landscape is evolving and because of the Internet banking channels, you see the emergence of the threat landscape in the financial services sector as more targeted. The third big area that the financial services sector in India is addressing or is challenged with today is the new channels around Internet and mobile transactions that are growing in the country. India has close to 715 million mobile subscribers and as per the RBI guidelines, a lot of the banks are offering Internet banking and net banking services to some of these subscribers, and that rate of growth is very high. The explosion of endpoints, if you may, is another area that the financial services sector is challenged with.
The purpose of our report that we're discussing today was to go and identify these challenges around regulation, threat landscape and endpoint explosion. What are the banks doing? What are the financial services institutions doing to address that? Some of the findings that we have focused on are three key areas that have emerged as the key findings.
The first area is compliance and governance is clearly driving IT security adoption. Mandates are in place today by the regulatory bodies and they're expecting the institutions to abide by these mandates. The second area is malware threats are on the rise and these are the types that are proving costly and the various institutions are addressing this aspect proactively, to take advantage of the new channels of delivery in the system, but at the same time protecting their infrastructure. The third area is mobility which increases security risk and therefore, financial institutions need to be ready to address this. So the three key findings were compliance and governance driving IT security adoption, attacks are proving costly and mobility is posing a security risk.
FIELD: That's a great overview and I want to ask you about some particular areas. To start with, let's talk about the threats. You talked about the threat landscape in malware. What do you see as today's biggest threats to Indian financial institutions?
NAIK: In the cyber world, the specific threats that we have seen continue to be spear phishing, and phishing continues to be one of the largest and the biggest threats that we have seen. The second is areas around Trojans and specific executable files. These are some very specific things. The third are botnets. Of the three key threats that we're seeing, phishing remains the biggest and spear phishing is added to that list of phishing attacks. Specific Trojans like the ones that I mentioned, and botnets, these are the three main threats of malware propagation that the institutions are facing.
FIELD: How do you see the institutions responding to these threats?
NAIK: The positive side of this is a lot of institutions today have awareness about the challenges that these threats bring in, and therefore they're trying to put in place robust information security measures. One of the first steps, which again the regulators have aided the banks in terms of defining the step, is the banks are really finding the IT architecture to ensure that when new delivery channels are added, which is Internet banking or mobile banking, when these new channels are added the IT architecture and the security architecture that banks have or financial institutions have address some of the vulnerabilities that these new delivery channels bring in. Clearly, the regulator is helping by putting in place some guidance. And the institutions by themselves are aware. They're now putting in place robust information security measures by identifying their architecture and then identifying the gaps and addressing those gaps effectively.
Biggest ChallengesFIELD: Where do you see the institutions having their biggest challenges in overcoming these threats?
NAIK: Most of the financial institutions by nature of their business have a lot of legacy to manage, managing this legacy in terms of the applications that they use, in terms of the processes that they follow and also some of the existing procedures that bank follows in a physical world. When you translate that into an Internet world and mobile world, dealing with those changes, the procedures and the technical aspects of it, is an area that today we're trying to address. Then there's more awareness that they are trying to build in, and again, I would like to stress that the regulators are helping them by defining some of these frameworks which can be uniform across the industry.
FIELD: What do you see as some of the key emerging technologies or solutions that can help the financial institutions in their efforts?
NAIK: The first area that I think people are made aware of and they're also waking up to in this reality is to have a robust governance and risk management framework in place, technology that can help automate their policies, their technical and procedural aspects of latest controls that they have and with the regulations that they need to meet. That's one big technology focus that they're trying to address.
The second big area is around identity and information. They're looking at technologies like multifactor authentication. When different customers come through different channels within their infrastructure or within their environment, technology like encryption or data loss prevention, or some of the data technologies around archival and data lifecycle management, were the focus issue. What's happening really is the focus is moving from protecting the infrastructure to protecting the information and the identity of people accessing that information through a robust policy and governance framework. Those are the technology changes that today the institutions are probably ruling out or re-defining within their architecture.
RBI GuidelinesFIELD: Earlier in our conversation you talked about the new guidelines from RBI. What impact do you expect these guidelines to have on institutions? I know that they're demanding guidelines and the deadlines are aggressive.
NAIK: Yes. The RBI guidelines have six areas. The first is around defining an IT governance framework which is based on certain industry standards like Cobit and ISO. More importantly, taking this entire IT governance stream work and making it a part of the overall risk assessment framework that the bank may have is one important aspect. For the first time, this guideline defines the ownership of the IT governance framework as a part of the holistic posture of the bank and the ownership therefore reaches right up to the board level, or to the CEO's level.
The second area of the guideline covers information security, audit and cyber fraud. There are specific pointers that are highlighted on information security, audit and cyber fraud in terms of how to deal with it, what are the checks and measures that need to be in place, and what are the technologies that one needs to look at.
The third big area addresses IT operations through robust IT service management, IT service outsourcing guidelines. For the first time we have a clear IT service outsourcing guideline in place and business continuity planning. If you look at the RBI guidelines, it's quite holistic as you said rightly. It's time-bound and therefore a little demanding. The first milestone that all the banks are expected to reach is by the 31st of October. They're expected to come out with a gap analysis and put in place a structure around IT governance, information security and audit framework for the bank, and then subsequently, depending on the various readiness of where they are, go and implement some of these technologies and processes that are required to make those guidelines and to bridge those gaps that the banks and various institutions identified. That's what the guideline is. It's a mandate and therefore a lot of the technologies, a lot of the processes, need to be adhered to by going in and building an information guidance and security framework.
Advice For InstitutionsFIELD: If you could boil it down, what advice would you offer to institutions that are looking now to improve their information security posture?
NAIK: As can be clearly seen if you look at revisiting the challenges, regulation is an area that we spoke of quite a lot. The changing threat landscape is constantly evolving and it's something that the banks have to keep in mind. The threat landscape is now targeting the information which is being sold on different types of endpoints by or for the bank's customers. Clearly with these challenges in mind, the advice that we would like to give is for the banks and for the institutions to have a policy-based governance framework, which is focused on identity and information. There needs to be a clear shift from infrastructure security to identity and information security. And it still needs to be well-managed across our physical infrastructure or virtual or cloud infrastructure. Our advice, our guidance to the people of the banks and institutions, is around creating a policy-based framework which is identity and information-centric and well managed across the physical, virtual or cloud infrastructure.