Managed IT Security in Focus08.05.2013
Cyber threats are filtering down to smaller capital markets participants – and everyone they are connected to – and increasingly, trading and investing firms are turning to third-party providers to manage the security of their information technology.
The economic recovery remains tenuous and market conditions less than robust, but IT security is seen as mission-critical, especially as the external threat is more complex and sophisticated than ever.
“For every event that makes the front page, there are 100 that don’t,” said Roji Oommen, senior director of financial services solutions at Savvis, a provider of IT infrastructure. “Big changes are needed to protect business — the conversation has changed from ‘have you applied the patch?’ to the mitigation of risk overall.”
Financial regulators are mandating that firms must declare any material risk to their networks and clients. And there is heightened vigilance on the part of the industry itself – for instance, a pension fund will apply rigorous due diligence when selecting a hedge fund, including whether mechanisms are in place to assure data, systems and connections are protected.
Cyber attacks directed at the financial sector may attempt to infiltrate and contaminate databases, disseminate false information, or disrupt trading. Organized crime rings and nation-states wanting to damage the economic infrastructure of the U.S. can be well-funded and patient, Oommen told Markets Media.
Five individuals from an Eastern European hacking ring recently were charged by U.S. authorities with breaking into the servers of more than a dozen companies and stealing credit-card numbers; one of the suspects had also infiltrated Nasdaq OMX servers. According to a recent survey conducted by an exchange industry group, 53% of bourses reported they had experienced a cyber attack in the past year.
Crashing websites and fraudulently moving money between accounts, the historical raison d’etre for computer hackers historically, is kid stuff to today’s perpetrators. “The threat profile has completely changed,” Oommen said.
Owned by CenturyLink, the third-largest U.S. telecommunications company, Savvis has media, government, software and retail business segments in addition to financial. Based in a suburb of St. Louis, Savvis is plugged in to IT-security reviews from the U.S. Department of Defense, the FBI, Department of Homeland Security, the Commerce Department, and the White House. “We are one of three organizations able to share threats via a national threat hotline,” Oommen said.
Savvis’ IT-security consulting entails framing what an attack might look like and understanding the tools used by the other side as well as the broader threat, Oommen indicated. For a customer, it’s important to balance cost and vulnerabilities to gain the appropriate level of protection without allocating an inordinately large budget item.
While banks, exchanges and institutions are comparatively well-connected and often share best IT security practices, “in the trading world, it has not been a primary area of focus, outside of securing customer data,” Oommen said. “You’ll see much more activity from us in helping clients assess their appetite for risk,” and in applying appropriate protections, he said.
To add agility to the constantly changing cyber security component, Savvis is helping define best practices for IT security managed services, and notes that there is cooperation across industries and between competitors on this front. “Chief security officers all know each other. It’s an informed network,” Oommen said.
Savvis’ managed-services plans include stepping up educational efforts and adding complementary IT security services to its other core enterprise cloud computing, managed hosting, co-location and network services, said Tony Kroell, senior director of industry marketing at the firm.