Ravi Dhungle
Two recent data security incidents in Nepal - the breach of Nepal Electronic Payment Systems (NEPS) and the furor of the public against the teleconferencing of Prime Minister Oli from a hospital in Singapore has reinvigorated the debate on cyber security and national security. While these two incidents are completely different in nature, they share commonalities in current state and challenges ahead in cyber security vis-a-vis national security.
Securing data should be a topmost priority of any enterprise. Cyber security is a threat not only to the Banking and Financial Institutions (BFIs) in Nepal but also of grave concern to national security. Irrespective of the industry verticals and geography, securing the data in the Internet is a Herculean task. Internet is a collection of public networks of computers and anyone can knock on any part of the network. According to Ponemon Institute’s recently published annual survey the global average cost of a data breach is USD 3.92 millions. American Banker citing the Deloitte report estimates that banks and other financial firms spend as much as USD 3,000 per employee to defend computer networks from cybercriminals in the western world. Cyber security makes headlines all over the world.
Cyber security is a perennial process. Most of the organizations are reactive in nature in terms of cyber security and the lapse in NEPS is no different. BFIs in Nepal need to build strategies that are actionable and far reaching.
Short term strategy and actionable items
Cyber risk assessment of governance, systems, and processes are very important to identify the gaps in cyber security. Engaging security professionals, who have in-depth knowledge on global regulatory compliance, governance, cyber security frameworks, and security architecture is the first step. All security artifacts, findings, reports, and processes should be secured and encrypted. An assessment like this is a starting point to develop multiyear cyber security programs.
2. Long term strategy and plans
Strategy, governance, and policies - Cyber security should be aligned with organizational strategy and business processes. Executive level committees should be formed to drive and support multiyear cyber security programs. Policies, such as acceptable use policies, employee privacy statements, incident response, and communication, plans should be developed. Governance teams should sign off on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
Regulatory compliance - Regulations, like the European Union Global Data Protection Regulations (GDPR), expect privacy by design. Industry regulations, like the Payment Card Industry Data Security Standard (PCIDSS), ensures that cardholder data is protected and secured. Banks should identify the jurisdiction of data and classify data as well as assets to comply with local and global regulations.
Frameworks - Frameworks map administrative and technical controls of cybersecurity. Frameworks, like the ISO 27001/27002, are proprietary and quite costly to implement, whereas National Institute of Science and Technology (NIST) and Center for Internet Security (CIS) Top 20 are freely available frameworks. BFI should adopt one of the frameworks as a part of cyber security programs.
People, process, and technologies - BFIs should prioritize investments on acquiring, training, and retaining cyber security talents. Banks should leverage national and international consultants to build and empower their cyber security teams. Training and access should be provided on the basis of job descriptions and principle of least privilege. Policies and processes should be reviewed periodically. Security solutions such as threat intel, identity and access management, host-based security, perimeter security, security testing, certificate management, multi factor authentication, security event and information management, intrusion detection system, email security, etc. should be implemented as a layered security and a zero trust model.
Dry security drill - Organization should periodically do dry-drill to check the cyber security preparedness. This will ensure that the incidence response plans, communication plans, and cyber security processes are working as expected.
Financial Services - Information Sharing and Analysis Center (FS-ISAC) - BFIs should work with the government, Nepal Rastra Bank, law enforcement agencies, and Nepal Bankers Association to develop FS-ISAC - like the one in the United States. The industry specific threat sharing platform helps to mitigate cyber security threats together by sharing Indicators of Compromise (IoC). Nepal’s BFIs should leverage basic memberships of FS-ISAC and threat intel service providers like Virustotal.
Mergers, acquisitions, and risk assessment - BFI should do third party cyber risk assessment when there are mergers and acquisitions. The banks should clearly identify the threats associated with mergers. Risk assessment of existing software products and new products should be done during the merger process.
Insider’s threat program and intellectual property - More than 60% of data breaches and exfiltration are caused by the employees. Sometimes it is accidental but more often it’s the rogue employees. Background checks and role-based access controls minimize the insider’s threat. The organization should also be respectful to employee privacy and protect Personal Identifiable Information (PII) of employees. Banks should protect the intellectual property. Data protection services, such as Data Loss Prevention (DLP) systems and mobile device management (MDM), help to mitigate theft of intellectual property.
Vulnerability management and secure development lifecycle - Banks should invest in vulnerability management programs and processes. Software systems are composed of millions of lines of code and hundreds of functions. If the banks have internal development teams, process should be developed for static scanning, code reviewing, and identifying top ten vulnerabilities by Open Web Application Security Project (OWASP). Bug bounty programs should be developed to engage external security researchers.
Cyber Insurance - The banks should buy cyber insurance to transfer the monetary risks to the insurance in the case of a breach. Cyber security policy offered by insurance largely depends upon the investment on cyber security programs.
Corporate Communications - Communication during security incidents is important in order to build trust. Banks should have a dedicated person to communicate cyber incidents and have escalation processes in place to inform law enforcement agencies. Cyber security experts should refrain from talking about knitty gritty of incidents until and unless the security root cause analysis and the preliminary investigations are complete to ensure the integrity of the investigations.
Cyber security incidents in Nepal have provided an opportunity to develop policies and build secure systems. The current incidents should be taken as a lesson learned. All the stakeholders that include law enforcement agencies, Nepal Government line agencies, NRB and cyber security experts should work together to formulate long term policies on privacy and cyber security in order to enable digital transformation of the country.
