Is your bank just a Medieval fortress?

Your bank should be a fortress for your money, a place where it is held as securely as possible.

Your bank should be a fortress for your money, a place where it is held as securely as possible, but this does not mean your savings should be stored away behind the walls of a medieval castle. Yet, why do many financial services only deploy security measures that surround the perimeter of their data centres with wall-like defences – layers of digital barriers that do their best to fend off attackers? It seems that the only strategy available is to defend the bank as though it were under siege, doing the uttermost to hold back the tide of invaders who are looking to hack their way through.

Is comparing modern digital banking infrastructure with the defence mechanism of a medieval fortress an unfair analogy? No, not really. The traditional way to secure a digital platform is to surround it with security barriers: firewalls, intrusion detection, and hardware encryption, etc; concentric layers of security designed to slow down and challenge unauthorised entry.  This is not much different from a castle surrounded by concentric walls and a deep ditch. Like the defences of the medieval period, modern data centre security is not impervious to penetration from the most determined intruder.  Back then, the way to keep safe was to ensure that no one got inside the perimeter. Once they did that, you were pretty much done for. It would not take long for an intruder to cause serious damage once they got inside the walls. The same is true for banking security today.

Looking at the most famous ‘hacks’ into medieval security, the most successful were not from a direct assault on the walls. The most effective way to get inside was to do it sneakily, and the way to do that was to befriend a turncoat or impersonate an ally (i.e. steal their identity), and use this to gain authorised access. There are many examples of this throughout history:  the siege of Corfe Castle by Roundheads during the English Civil War, the fall of the Ming Empire to the Manchu invasion, and the legendary wooden horse at Troy.  In each case the outer defences held strong for a while, but ultimately the perimeter was breached by subterfuge. The same is true for the majority of modern banking infrastructures. Strong defences and early warnings on the outside are great at stopping direct hacking, but the persistent attacker can eventually find a sneaky way in, and once they do, the damage caused is only detected after it has been done. So then, what’s the answer?

If it is no longer adequate to have a reactive strategy to defence, then what alternatives are there? The solution is to introduce proactive policing that monitors activity and raises potential threats behind the walls, 24/7. Systems now need to be ‘attack-aware’, self-conscious of who is using the system at all times: watching apparently authorised users, monitoring what they are doing, and alerting potential threats in real time. It is time to dispense with medieval thinking and make the move to 21st Century self-aware software.

As it is no longer appropriate to simply man the digital banking fortress walls, how will your organisation defend itself from the attacker who infiltrates the system and steals your data from within?