Two major misconceptions are putting financial institutions at risk to suffer extreme losses. The first: the mainframe is outdated, legacy technology that needs to be replaced with a cloud-based solution. The second: the mainframe is inherently secure, so it doesn’t require attention.
Both beliefs – held by auditors and CIOs alike – are far from true. For one, the mainframe is still the backbone of the international financial system, hosting critical core applications for 92 of the world’s top 100 banks. These systems also process 87 per cent of credit card transactions and 29 billion ATM transactions each year.
Even amidst our increasingly digital world, financial services have kept the mainframe in play for its proven processing power and high degree of security. But despite its proven track-record, the mainframe is not a castle with a moat. In fact, according to BMC, 77 per cent of financial services firms recently reported experience with a breach.
While the mainframe remains the most cost-effective place for a financial firms’ most valuable data, it still suffers from code-based vulnerabilities – code that has been compromised to allow a program to bypass security controls. As a result, hackers can expose tens of thousands of users’ personally identifiable information (PII) and data that chronicles the billions of transactions processed on the mainframe.
These breaches can devastate organizations, requiring money for damages, legal fees and reputation management.
- Capital One paid $80 million to settle federal charges after more than 100 million credit card applications were exposed.
- Equifax paid around $1.4 billion after losing data of 146 million customers.
What’s blocking many financial institutions from avoiding these types of breaches? Many IT-decision makers lack the mainframe knowledge needed to inform security strategy, while other individuals lack the level of availability required to protect it. Employees with a background in managing distributed systems are overwhelmed when asked to manage the complex enterprise security managers on the mainframe. Even many auditors and pen testers aren’t equipped with the knowledge to exploit even simple vulnerabilities on the mainframe.
All it takes is one code-based vulnerability to escalate privileges and take control of applications, or even the entire system. Unfortunately, for financial institutions, vulnerabilities can exist anywhere along the payment card processing chain.
As a result, the Payment Card Industry’s (PCI) Data Security Standard (DSS) requires all businesses that process credit card payments to abide by a strict set of guidelines to ensure data security. Unfortunately, these requirements are challenging to meet and few organizations have the resources to dedicate to meet these requirements, especially when it comes to the mainframe.
Financial services firms need to accept these barriers in order to avoid catastrophe. By taking the following actions, organizations can develop a cybersecurity strategy that delivers on the mainframe’s reputation and solidifies its role as the powerhouse behind our financial system.
Gain key stakeholder buy-in
Mainframe security is a corporate issue. But you can’t protect what you don’t understand. Risk managers need to provide a greater understanding of the threats at hand, sharing stories of other organizations that did not take the right steps and suffered. At times organizations need to seek counsel from mainframe experts who can illustrate the mainframe’s conflicting value and flaws.
Constantly scan for software vulnerabilities on ALL of your platforms
The vulnerability landscape is changing every minute, as each change to the IT environment will open a new door. To close these gaps before they’re manipulated, organizations need to incorporate mainframe scanning into their reoccurring security posture. Manual scans are impractical and expensive. But an automated tool can keep a close watch on the mainframe, testing and monitoring running code to provide teams with the insight they need to quickly apply patches.
Actively work to meet compliance
Organizations need to maintain PCI compliance, regardless of their resources. On the upside, PCI does provide guidance and incentive to locking-down the mainframe if done right and managed year-round. Scrambling to get in shape right before audits does not pack the same punch. Getting the right stakeholders in the room with experts who know the technology and the regulations can set organizations on the right path.
Those that perpetuate common mainframe myths, could find themselves waking up to a surprise, nightmarish breach with potential to wreck the business. Educating organizations from the top-down sparks the urgency needed to avoid such disasters. Fostering a commitment to vigilance and compliance not only minimizes today’s headaches, but also minimizes potential costs in the future to ensure business longevity.
—
About Ray Overby
Ray Overby is a cofounder and chief technology officer at Key Resources, Inc., (KRI Security), a software and security services firm specializing in mainframe security. An expert in mainframe security, risk, and compliance for IBM Z System environments, Ray heads the KRI technical team. Drawing on more than 30 years of experience with z Systems in both hands-on technical development and strategic roles, Ray’s multidimensional and solutions-driven approach assures he is highly valued by clients and third-party technology partners.
Contributors
