April 05, 2024
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
By law, the board and C-level officers are responsible for exercising due diligence and competence in the conduct of company operations and the safeguarding of company assets. They do not want to see gaping holes in corporate due diligence caused by disaster recovery plans that fail to address new security threats or the presence of edge technology. This board awareness can give IT the leverage it needs to prioritize its DR plan update so that the revised plan covers a much broader IT footprint than just the central data center, and by doing so addresses new risks. A good way to present to the board and corporate officers the need to invest time and resources in a DR plan update is to present that need alongside the risks of not doing one. This can be accomplished by describing disaster scenarios that have actually happened to other organizations and explaining how they could plausibly happen to the company itself. By showing real-life situations, the CIO can present the most likely disaster scenarios and their consequences, and what is needed in terms of plan revisions and investments to minimize those risks.
The threat landscape for HTTP DDoS attacks is constantly expanding, with attackers continually developing new techniques to evade detection. Some common methods include flooding the server with HTTP GET or POST requests to consume its resources, sending malformed HTTP headers to confuse web applications, and slowloris attacks, which open many connections and keep them alive by sending request headers very slowly and never completing them, until the server's connection pool is exhausted. These attacks can have devastating effects on businesses, including service disruption, loss of customer trust, and significant financial losses. The need for effective mitigation strategies has never been more critical. ... While Radware's products offer robust protection against HTTP DDoS attacks, it is essential for businesses to adopt a proactive security posture. Some best practices include regularly updating security systems, ensuring that all of them carry the latest signatures and detection algorithms, and implementing access control lists (ACLs) to restrict access to resources and minimise the potential impact of an attack.
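The two attack shapes described above, a slowloris client holding sockets open without ever finishing its headers and a plain GET/POST flood, are both visible in a server's connection table long before the origin falls over. The following is an added example, not code from the original article or from Radware, that runs two simple checks over a constructed connection table: a per-source count of connections still waiting for headers past a timeout, and a per-source count of completed requests inside a sliding window. The thresholds, the `Conn` record and all addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Conn:
    """One client connection as a server's connection table might record it (assumed shape)."""
    src_ip: str
    opened_at: float                  # seconds on a monotonic clock
    headers_done_at: Optional[float]  # None: request headers never completed
    method: Optional[str] = None      # "GET"/"POST" once the request line arrived


# Thresholds are assumptions for this example, not any vendor's defaults.
HEADER_TIMEOUT = 10.0     # seconds a client may take to finish its request headers
MAX_PENDING_PER_IP = 5    # header-incomplete sockets tolerated per source
FLOOD_WINDOW = 10.0       # seconds
FLOOD_THRESHOLD = 100     # completed requests per source inside the window


def pending_by_ip(conns: List[Conn], now: float, header_timeout: float = HEADER_TIMEOUT) -> dict:
    """Per source, count connections still waiting for headers beyond the timeout.
    A slowloris client keeps many of these alive by trickling a header byte now and then."""
    counts = defaultdict(int)
    for c in conns:
        if c.headers_done_at is None and now - c.opened_at > header_timeout:
            counts[c.src_ip] += 1
    return dict(counts)


def slowloris_suspects(conns: List[Conn], now: float,
                       header_timeout: float = HEADER_TIMEOUT,
                       max_pending: int = MAX_PENDING_PER_IP) -> List[str]:
    """Sources holding at least max_pending header-incomplete sockets past the timeout."""
    return sorted(ip for ip, n in pending_by_ip(conns, now, header_timeout).items()
                  if n >= max_pending)


def flood_suspects(conns: List[Conn], now: float,
                   window: float = FLOOD_WINDOW, threshold: int = FLOOD_THRESHOLD) -> List[str]:
    """Sources that completed at least `threshold` requests inside the last `window` seconds."""
    counts = defaultdict(int)
    for c in conns:
        if c.headers_done_at is not None and now - window <= c.headers_done_at <= now:
            counts[c.src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def sample_table(now: float) -> List[Conn]:
    """Constructed connection table: two attackers and three ordinary clients."""
    conns: List[Conn] = []
    # 10.0.0.1: eight sockets opened 30 s ago, none has finished its headers (slowloris)
    conns += [Conn("10.0.0.1", now - 30, None) for _ in range(8)]
    # 10.0.0.2: one fresh socket, still inside the header timeout (normal)
    conns.append(Conn("10.0.0.2", now - 2, None))
    # 10.0.0.3: two ordinary requests completed well before the flood window
    conns += [Conn("10.0.0.3", now - 40, now - 39, "GET") for _ in range(2)]
    # 10.0.0.4: 150 completed GETs in the last five seconds (flood)
    conns += [Conn("10.0.0.4", now - 5 + i * 0.03, now - 5 + i * 0.03 + 0.01, "GET")
              for i in range(150)]
    # 10.0.0.5: 20 completed POSTs in the window, below the threshold (busy but normal)
    conns += [Conn("10.0.0.5", now - 8 + i * 0.3, now - 8 + i * 0.3 + 0.05, "POST")
              for i in range(20)]
    return conns


if __name__ == "__main__":
    now = 1000.0
    table = sample_table(now)
    print("slowloris suspects:", slowloris_suspects(table, now))  # ['10.0.0.1']
    print("flood suspects:    ", flood_suspects(table, now))      # ['10.0.0.4']
```

The same two numbers are what the server-side knobs act on: a header timeout (nginx's `client_header_timeout`, Apache's `mod_reqtimeout`) closes the sockets that `pending_by_ip` counts, and a per-source cap on pending connections bounds how many of them one client can hold; the rate check is the basis for a per-source request limit. The caveat is that a source address behind NAT or a proxy can represent many real users, so the thresholds must be tuned against normal traffic before any block is automated.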
When it comes to cybersecurity incident response, companies need to practice, practice, practice. For the board, that could look like ensuring there are not only clear steps in place for what needs to happen should an incident occur but also ensuring that those steps have been practiced ahead of time in some sort of tabletop exercise—similar to how you’d practice exiting the building during a fire drill to know where to go in the event of an emergency. ... While it’s not a requirement, some businesses have decided to add a cybersecurity or technology expert directly to the board to guide them on risk. Businesses can decide if this makes sense for their risk needs depending on their individual risk profiles. Many former CISOs or former cybersecurity leaders are looking to sit on or advise boards, as well as businesses’ own CISOs. ... Directors should also ask themselves if they are budgeting enough for cybersecurity across the organization. They should also work to understand what financial impacts or even regulatory fines they could face if they don't invest in cybersecurity appropriately or report incidents as required. Is your organization investing enough?
At some point institutions will bite the bullet and let GenAI interact with customers or with their live data. Smith believes it will be important to alert customers when they are offered a product or process in which generative artificial intelligence plays a role. Both staff and the public must be clear on this and have confidence in what the bank discloses. Some consumer paranoia exists about GenAI, but Smith says Accenture research indicates that many customers will accept its use with their data — if they feel that they are receiving some benefit in return. Asked for an example, Smith points to a frequent beef about bank customer service — having to explain a situation all over again when trying to work out a problem or address a need and being transferred from one staffer to another. “I shouldn’t have to educate you on what happened two days ago,” says Smith. “I want to walk in and find that you already know.” GenAI can help with this type of situation. One last pointer from Smith concerns the customer experience of using processes controlled by GenAI. She says that some customer-facing GenAI provides inferior look and feel, which can become a friction point.
An often-overlooked example of this growing debt is a failure to actively manage and optimize IP addresses and Domain Name System (DNS) configurations, the very pillars of corporate network communication. Internet service providers (ISPs) offering dedicated Internet access (DIA) to businesses often assign blocks of addresses to customers. If those customers ever cancel or change providers, there is usually a clean-up process to recover those resources. Businesses going through reorganizations or mergers and acquisitions may lose track (or may never have had good records) of their IP address ranges. Security policies and routing policies may then become outdated, leaving an IP address hijacker a window through the perimeter security measures. Companies using Network Address Translation (NAT) or Carrier-Grade NAT (CGNAT) to share one IP address among many devices may find that those functions, which rewrite packets in flight, create unexpected failure modes. Sometimes they hide problems, such as when malware or address snooping is happening inside the boundary of the NAT.
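The "window" the paragraph describes is concrete: a firewall or ACL that still trusts a prefix the company returned to a former ISP, or that trusts a whole /24 when the company only ever held half of it, admits whoever the ISP assigns that space to next, or whoever announces it. The check below is an added example, not code from the original article, that reconciles a constructed list of trusted-source allow rules against a constructed inventory of prefixes the organisation still owns, and sorts each rule into covered, overbroad (the rule reaches beyond what is owned) or stale (nothing owned lies inside it). The prefixes, rule names and inventory are assumptions for the example; all IPv4 ranges are documentation space.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed inventory: prefixes the company currently holds, as an IPAM or
# the ISP contracts would list them.
OWNED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Constructed trusted-source rules (name, source prefix) as they might sit in a
# firewall allow list. "isp-old" is a block handed back to a former ISP,
# "partner-dc" and "v6-legacy" were never in the inventory, and "dmz-wide"
# trusts a /24 of which the company only owns the lower /25.
ALLOW_RULES = [
    ("office-wan", "203.0.113.0/26"),
    ("isp-old", "192.0.2.0/24"),
    ("partner-dc", "198.51.100.128/25"),
    ("dc-mgmt", "198.51.100.0/28"),
    ("dmz-wide", "198.51.100.0/24"),
    ("v6-office", "2001:db8:100:1::/64"),
    ("v6-legacy", "2001:db8:200::/48"),
]


def audit_allow_rules(rules: Iterable[Tuple[str, str]],
                      owned: Iterable[str]) -> Dict[str, List[str]]:
    """Classify each allow rule against the owned-prefix inventory.

    ok:        the rule's source prefix lies entirely inside an owned prefix
    overbroad: the rule contains an owned prefix but also address space the
               company does not hold (half of it is somebody else's)
    stale:     no owned prefix lies inside the rule at all; it trusts space
               that can be re-assigned by the ISP or announced by a hijacker
    """
    owned_nets = [ipaddress.ip_network(p, strict=True) for p in owned]
    result: Dict[str, List[str]] = {"ok": [], "overbroad": [], "stale": []}
    for name, src in rules:
        net = ipaddress.ip_network(src, strict=True)
        # subnet_of()/supernet_of() only compare networks of the same IP version
        same_family = [o for o in owned_nets if o.version == net.version]
        if any(net.subnet_of(o) for o in same_family):
            result["ok"].append(name)
        elif any(o.subnet_of(net) for o in same_family):
            result["overbroad"].append(name)
        else:
            result["stale"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in audit_allow_rules(ALLOW_RULES, OWNED_PREFIXES).items():
        print(f"{bucket:10s} {names}")
```

Run against a real rule base, the stale and overbroad buckets are the rules to rewrite or delete; the inventory side is the harder part, because the check is only as good as the record of what the company still holds, which is exactly the record that reorganisations and acquisitions lose.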
“Banking Everywhere means that, from a technology point of view, we have to make sure that any transactions should 100% not result in any problems or risks. It’s not easy. For example, on the Tube in London, how do you deliver 5G to enable transactions? Banking Everywhere is easy to say, but hard to do.” Cao highlights the high availability and easy migration of GaussDB. He says after GaussDB was deployed in one of the biggest banks in China, the recovery time objective (RTO) was slashed to 120 seconds – a world-leading level. He says Huawei is working on reducing this to just 30 seconds. ... “Some banks say we are in the AI era, some say the intelligent era, some say the open banking era, but a lot of banks still struggle working with a traditional model. So today it is like a multi-generational industry,” he says. “On the one hand, exciting things are coming, like Gen AI, and we have to be prepared. We have to be realistic to see what challenges we face today. If a bank is not resilient enough, it’s very hard to embrace Gen AI, or any intelligent opportunities.”