Insightive.tv: Is the shift to a digital business model creating new levels of risk?
Laura: The short answer is yes. We are working on these sorts of transformation projects every day, and these are constantly changing the approach to security and risk. The business now stores more information and data. This creates risk and essentially requires our strategy to coordinate the business model with our security protocols.
Insightive.tv: Do you perceive security as an enabler of these projects, or a necessary cost?
Laura: I think it depends on the culture of the company. At Banca IFIS, I have seen a growth in the involvement of security in projects — in particular with digital projects. A few years ago we started a program of awareness regarding security information for employees. Our information security team has also become involved in strategic business decisions. For this reason, I think that Banca IFIS is actually upstream from a lot of others within the industry.
The return on investment for a security platform, however, is difficult to quantify. There is generally not an immediate return involved in the implementation of new security systems. Security has a tendency to only become visible when there is a problem. But we take the attitude that security is the baseline of the project, and we understand that the return on security investments is always in the long term — not immediate.
So we have a solution where customers can upload documents, and we have a website where people can apply online. But part of the dialogue, obviously, is dialogue — we want to be able to talk to our customers face to face, where they can actually explain and bring their business to life beyond dry numbers that you can input online.
We take a much more holistic approach that requires a broader set of channels, and we use these different channels for different parts of the process.
Insightive.tv: Have the new regulatory changes laid out in the GDPR had any impact on the business thinking regarding digital transformation?
Laura: The biggest impact of the new regulation is that it has introduced new steps into project development, and required addressing questions regarding privacy by design and privacy by default. The regulation has changed the business thinking because it has required us to perform a risk analysis before starting any new projects. Because we have to start with risk analysis, we have to also make a risk analysis about the solution that we want to adopt within the digital transformation project.
I think that these have been good changes. Currently, Italian and European law are often seen as only legal issues, and not as opportunities. But the GDPR, in overview of privacy worldwide, creates opportunities for easier compliance. This is important to Banca IFIS because we are involved in many projects that involve worldwide transfers of data. Every day we use IT contractors, and the GDPR is aimed at protecting this kind of activity and transfer of information.
The main impact and opportunity created by the regulation comes down to the introduction of risk analysis at the base of every project and new treatment. The opportunity is that we can now think about security before we start projects, and avoid only thinking about security when things go wrong. This risk analysis gives us the opportunity to prevent issues from arising at all. This creates a direct connection between data protection, privacy and cybersecurity.
Insightive.tv: How important is GDPR compared to other regulations?
Laura: For Banca IFIS it is very important. But we are a bank and must comply with a lot of regulations. The standardizing of some of these privacy regulations through the GDPR is beneficial and is certainly a standard that we are working to obtain. The GDPR is also a reason we are paying even more attention to these aspects and have created a department that is called Privacy and Security Management. We consider this very important because it allows the customer to trust Banca IFIS with their information.
Insightive.tv: Have your digital transformation projects impacted how you manage your accounts?
Laura: The main change caused by digital transformation has been that we also now need to involve suppliers and IT contractors that are worldwide corporations. The privileged accounts used by these types of companies are larger and wider reaching in scope than the privileged accounts used internally. But the only way to manage this situation and the involvement of these digital suppliers is by the contractor. So we have strict and close relationships to protect our projects and data. For internal digital projects, our approach is just an extension of the process we use to monitor all our internal access to privileged information.
Insightive.tv: Will GDPR impact how you manage passwords?
Laura: The password policies for IT systems, standard users, and privileged accounts depend on specific local regulation and the results of the risk assessments. So, in both digital transformation and other projects, we have to pay attention to the risk before starting the project. Like any solution, we have to base our password policy on the risk assessment.
Insightive.tv: If you think about your different types of privileged accounts, where are your biggest security concerns?
Laura: If by privileged account we mean the user, and not necessarily administration, with special power to access that information, I think that they are the biggest issue for security because they have a particular power over the type of activity they carry out. For example, the risk regarding the integrity of the data could be compromised accidentally by activity carried out by the owner of the privileged accounts. This is an issue that we always consider in our risk analysis.
The other big issue is people that use client and customer records. The human is always the weakest link in the security chain. Wherever people have access to privileged information, it is a security concern. So the same goes for all office-based users of privileged information. Remote staff are an even larger concern because all aspects involved in the risk analysis are harder to clearly determine.
Our relationships with business partners within the supply chain, contractors and consultants are a slightly lower priority simply because they have their own systems. But it is still something we take very seriously, and we always make an analysis of a vendor’s internal security applications.
In general, we need to take appropriate technical and organizational measures. For example, the company has begun tracking the operations undertaken by IT people that have a privileged account. This measure is actually required by Italian privacy regulations.
Insightive.tv: Do you regularly carry out audits for these kinds of infractions, and what is the hardest aspect of this enforcement?
Laura: Yes, we audit the activity of the IT systems. Privileged accounts are used by our outside suppliers and internally by the IT workers that develop our IT systems, and others that have a particular need for sensitive data. So it would be hard to actually say how many privileged accounts we have at one time. But the main aspects that we have to take into account for all of these accounts are the access levels, the correct definition and assignment of the access and the monitoring of activity.
The main issue is the ability to control and monitor them. It is not always easy to not only track but to control the activity. The IT user performs many activities during the day, on the server and data, so the need is to have a solution that can help to correlate this information and monitor the individual activity. So I think that the privileged account is the highest risk in a company.
Laura Quaroni is heading up the Privacy and Security Management department at Banca IFIS. We spoke with Laura to get an understanding of how cybersecurity plays into the business model of this Italian financier.
Banca IFIS was founded in 1983. Since 1999 the bank has significantly expanded in Italy and Eastern Europe. Banca IFIS has since focused its growth on factoring and increased internationalization. The bank launched its first retail product in 2008 and has continually grown and expanded its services throughout the 21st century.
Part of THE GDPR AND THE GLOBAL DATA PROTECTION HORIZON series