Can you ever remain compliant if you don’t keep on top of application updates?

Source: Finance Derivative

By Sanjay Tailor, Operations Director, Camwood

Compliance is an exercise in business continuity. It is a clear statement to customers that they can trust their data and transactions with you, and that your business is resilient in the face of an attack. But becoming compliant and staying in that state is a never-ending exercise in diligence, not least because the IT estate is a constantly shifting landscape.

A recent report from Sophos indicates that 46% of financial services firms had suffered a significant financial impact as a result of ransomware over the past 12 months, with 40% of these attacks arising from vulnerability exploits. But the fact that financial services is one of the sectors most targeted by cyber criminals shouldn’t surprise anyone: the data held by firms in this sector is an incredibly valuable resource for criminals.

Because of this, firms are required to operate under strict regulatory requirements as defined by GDPR, and in the UK the standard maximum fine for non-compliance can reach £8.7 mln or 2% of annual worldwide turnover, providing clear motivation for keeping compliance a top priority. Alongside GDPR, there is an array of considerations that companies must follow, including the UK government’s Cyber Essentials scheme and the ISO/IEC 27001 standard.

The problem is that in every firm there are the sanctioned IT applications, and then there is what is often termed Shadow IT: the applications managed by the business rather than the IT team. Gaining visibility of all the tools and software the company uses, not just IT’s own applications, is crucial to remaining compliant. This is because software and applications are not static; they constantly require updating. Failing to update regularly and falling behind in the update cycle exposes the organisation to published vulnerabilities and the exploits written for them. And given that an estimated 56% of all applications are owned by the business rather than IT, and 40% of all application spend falls into the category of Shadow IT, getting this update cycle under control is essential.

Putting applications first

One way to approach staying compliant is to view the issue through the lens of applications. Often relegated beneath broader infrastructure considerations, applications sit at the centre of every operating environment. Whether they run on-premises, hybrid, in the cloud, on a mainframe or are delivered locally for end-user experience and customer satisfaction, applications are the lifeblood of any organisation.

Ensuring that applications are compliant means applying the latest security patches and bug fixes, in the form of software updates, as and when the vendor issues them. These patches often fix well-known issues, sometimes zero-day vulnerabilities discovered by security researchers, that represent potential open doors into the company. Updating software regularly minimises the risk of data breaches and strengthens a company’s overall security posture.

But when the ownership of so many applications is spread across multiple departments, providing a coordinated and efficient response to updates is difficult. To mitigate this, visibility across the entire application landscape is a requirement, and it can be delivered via an audit. Taking the ‘Windows 10 End of Life’, which comes into effect in October 2025, as an example, there is a clear 3-year window in which to understand the application estate, compatibility position, hardware compliance, application ownership within the business, application rationalisation possibilities, evergreen orchestration and management, and so on. While this sounds like a long time, not getting on top of it before the window closes imposes additional risks on a business. But all of this is necessary to achieve compliance, as leaving updates to individual users across the enterprise is prone to risk.

How to stay on top of updates

And while there are risks in not updating software, there are also risks inherent in the update process itself. Most companies work with specific technology stacks, and not all elements of the stack will be updated at the same time. Therefore the possibility exists that, when an update goes through, a compatibility problem will arise between elements. This is why it is useful to have a test environment prepared for running the latest software builds, to explore how they behave under various conditions before they reach production.

There might also be problems with the out-of-the-box configuration of an application after an update, particularly if the settings revert to their defaults. Naturally, with data at the centre of most company operations, risking any data loss is unthinkable, and so a proper backup must be taken before any update is applied. All of these steps are time-consuming, and the need for speed has forced IT departments to restructure and adopt new methodologies. Agile, DevOps, or a combination of both are commonplace as businesses accelerate software development and releases. This is particularly true where continuous integration and continuous deployment are in operation.

Leveraging automation

Automated application packaging is a natural extension of this principle, simplifying the process of preparing software for deployment. By reducing the time and resources required to prepare, compile and deploy new updates, development teams can devote more of each release cycle to developing the company’s core products and services.

Regular software updates should be part of any overall data protection and vulnerability management strategy. It is important to stay informed about any regulatory changes, security best practices and privacy standards that may affect software applications. Given that so many applications must first be discovered within the business before this process can be undertaken in earnest, selecting a service provider to run this side of the operation helps to take the strain off the IT team. It also provides visibility and control over the applications that really power a business, leaving the company to focus on its primary business while someone else gets on with the routine work of compliance.
