As businesses move more of their operations online, the importance of a strong and reliable security system has become an essential part of a company’s strategy. With highly valuable information being exchanged, businesses are investing more and more into ensuring that such data is properly secured. Nowhere is this more apparent than in the financial services industry, where vast quantities of money and classified information are exchanged constantly throughout the day.
World Finance spoke to Mark Graff, Chief Information Security Officer (CISO) at NASDAQ OMX, which is one of the world’s leading providers of trading and exchange technology, about the challenges facing businesses in the online world.
What is NASDAQ OMX’s approach to information security?
There are a couple of principles that we follow. The goal is to develop and execute a comprehensive, multi-layered plan. One of the things that we pride ourselves on is doing that based on an analysis of threats and we also work very hard to design and position security counter measures with a clear eye towards risks. Our goal is always to deploy multiple sets of counter measures, and to invest our security resources proportionately to the risks associated with the specific assets. There’s a certain baseline of best practice and of due diligence. Then the art comes in anticipating where an attack or compromise might be attempted and tuning that baseline to protect against them.
There are criminal organisations that would love to be able to influence what we do
What are the biggest cyber-threats facing your industry?
We break threats down in terms of confidentiality, integrity and availability. Those are the three things that we’re trying to preserve. The confidentiality of client data, the integrity of information – such as orders and trades – and then there is the availability of the system. We are very focused on protecting the confidentiality of the information that’s been entrusted to us. Therefore, what we look for is who might try to disrupt those things, such as the markets.
There are criminal organisations that would love to be able to influence what we do, there are nation states that might want to be able to influence markets. Those are the sorts of factors that get our attention when we plan our counter measures. When you talk about specific threats, there have been many attacks against the US financial industry. I’m also in contact with the security experts at stock exchanges around the world. We’re all seeing the so-called Distributed Denial of Service (DDoS) attacks, where somebody throws a vast amount of data at outward-facing websites, in an attempt to disrupt those services.
The first thing I would say is that those outward facing websites are not connected to the market or trading systems. We do however, supply real time services to our customers for these outward facing websites. All around the world, the financial industry has been subjected to these floods of data, and so we’ve had a good record of withstanding them compared to our peers. We’re always working to understand the threats better, and to hone our defences.
What steps can companies take to protect themselves against such threats?
There are proven concrete measures, and some of them aren’t too complicated or expensive. I think good threat intelligence will really help you plan. The fundamentals today, with regards to anyone that has a website that provides real-time services, are that they want to work with internet service providers or other specialist firms to provide extra buffers that make it difficult for someone to successfully attack the availability of those servers.
If you’re talking about somebody trying to break into your network, which is different to a DDoS attack, then today the most popular element is for people to send ‘phishing’ emails. These try and convince somebody to click on a link that will take them to a website that will compromise their system. We have lots of layers of technical protection that make it extremely difficult to succeed in breaking into the network, but I really put a lot of faith in good training. This involves making people aware of particular threats.
We also rather enjoy sending fake phishing emails from inside our company to our own employees, trying to lure them into clicking on a link. If they do click on it, they’ll get a nice cheery message saying they really shouldn’t have done that, here’s how you can tell how that message was fake. Everyone slips up every now and then.
There’s a layer of technical protection that’s enterprise wide. There’s a baseline of practice of technical detection that can be done at very high speed, but there’s no substitute for an alert user population that are aware of some of the tricks people might try. All these years I’ve been doing this – going back decades – there’s nothing more useful than a person noticing that something looks suspicious. That’s still the pivot of a good security program.
What are the benefits of board portals and how are they typically used?
The crux of so much of what board members do is information sharing. They need to have a safe way to store and share with the right people any sensitive and private data. In the old days, it was very difficult as people would go back and forth through emails, which weren’t encrypted very well. I’ve lost count of the number of times I’ve been called on to cleanse a system that’s been contaminated with highly sensitive information that somebody emailed and didn’t encrypt properly first.
What risks do online solutions present?
Really everything is online today. We’ve done a lot of work in NASDAQ OMX with the cloud and we think we’re leading the way. People ask if their stuff is safe online, and I want to show them that the distinction between inside and outside the network has really dissolved in the last 10 or 15 years.
So the paradigm for so many years of there being an inside and outside of the network has gone. With the business-to-business connections and the very active customer portals in websites, it’s really more a matter of mediating that access and the ability of manipulating that information.
How can companies ensure that board portals, such as NASDAQ OMX Directors Desk, offer optimal security?
The only way to produce a secure portal is to start with security as the motivator. Once you begin the design with security in mind, you can then identify the features that need to be there. The most important is a holistic, integrated approach to security throughout the product. In terms of the way that the information is managed and stored [we ask], have you got real time backups, if there is careful segregation of customer data, is there good testing of the security periodically. We test Directors Desk in multiple ways. Our staff to analyses the security as well as third parties, to try to break through it.
How has the threat landscape evolved over the years?
I’ve been defending enterprises for over 30 years, and when it started you would think about somebody stealing passwords. Then I saw the emergence of automated tools, the rise of computer viruses and worms. For many years the focus was a particular PC virus or worm that would be transmitted through email or floppy disk. For a long time it was a case of whether they could get their software into your enterprise and through the firewall.
Now, with data flowing so easily across these semi-permeable boundaries, I think we’re moving more and more towards automated threats. We get thousands and thousands of probes and attacks every day. The important thing is to build things that can respond, in the way the human immune system responds. The enterprise will always, in some way, be under attack. The question is how do you respond to those attacks.
