Swift's post-hack guidance needs more details for banks
After the recent slew of attacks on financial institutions around the world that abused Swift, the co-op that maintains the interbank messaging system banks use to send international money transfer instructions is trying to find a way to make things right again.
While Swift's new guidelines give customers a starting point, they leave the 11,000 banks in Swift's network to fend for themselves as they implement them. The new Swift standards address only the tip of the iceberg, but they are nonetheless a necessary first step for every financial institution.
Swift recently released a new set of security standards, known as the Customer Security Programme (CSP), which it will require banks to adopt by 2018 in an effort to protect against the ongoing attacks on its network. Alain Desausoi, Swift's CISO, points out: "The growing threat of cyberattacks has never been more pressing. Swift customers are responsible for the security of their own environments; but the security of the industry as a whole is a shared responsibility requiring full collaboration within financial services."
The CSP standards proposed by the Swift co-op focus on three milestones: detailed security controls to be announced by December 2016, self-reported attestation from banks that they are tracking toward full integration of all the regulations by Q2 of 2017, and enforcement of the mandatory requirements starting in January 2018.
Even analysts question whether these new guidelines will be enough: Gartner's Avivah Litan says "the repercussions are weak, at best," leaving many banks unsure about the future of their security. The concern grows further when one considers that the guidelines clearly shirk responsibility by reframing fraudulent transfers as a matter of "proper" use of Swift by banking institutions rather than as a systemic problem.
The objectives are to secure the bank environment, know and limit access, and enable threat detection and response capabilities. This is a good start, but only a start. In order to be ahead of the curve, banks need to implement the following:
Sign up for the Swift Security Notification Service to stay up to date on Swift's latest security updates, and use Swift's new anti-fraud reporting tools to look for large, unusual or suspicious transactions.
Ensure they are not relying on usernames and passwords as their only access control to the system, and use multi-factor authentication that does not rely on SMS one-time passwords. Implement this together with identity-proofing controls for system admins and anyone with privileged access, and adhere strictly to the NIST Level of Assurance (LOA) guidelines for privileged accounts.