Banks’ Software Failure Puts Spotlight on Security and Continuity

It was hard to escape a recent software failure that left customers of several banks unable to view or make transactions online.

The fact that so many people and businesses were affected is testament to how essential electronic banking has become in everyday life.

However, as a risk management consultancy, we see two key areas where disruption could have been minimised.

THE BANKS
Initial reports suggested that the system was affected by a software update which was subsequently corrupted. While we can’t be sure what measures were in place or how effective they had been, we can discuss some key areas of risk management in software development.

Change management is an important topic in software development, and while there are various developmental environments that allow engineers to ‘roll back’, a formal procedure should be in place which identifies the specification of any change, the reason for the change and any dependancies that may need to be considered. This is also a good time to communicate the changes to relevant staff.

ISO 27001 (Information Security) also has many controls in Annex A, specifically targeted at development of software, for example A12.4.2 ‘Protection of System Test Data’ which requires an data used in testing to be protected from corruption or loss.

An Information Security Management System to the requirements of ISO 27001 won’t necessarily prevent a corrupt software patch, but it should reduce the risk of it happening and provide a frame work for corrective action after the event.

THE BUSINESSES
Everything seems unlikely until the first time it happens.

A similar realisation happened during the London riots of 2011. We have always advised clients to consider ‘Civil Unrest’ as part of their ISO 27001(Information Security) risk assessments, however until the summer of 2011, it was always met with an element of amusement.

This is another case, where businesses and individuals may have under estimated the likelihood of a disruption to their electronic banking facilities.

The measures to mitigate this risk and continue trading may vary depending on the business, but by considering the event before it happens you can plan alternatives for example:
– prepare a cash book.
– prepare an expenditure log.
– design specific reports on your in-house accounting software.
– have contact details for your bankers readily available.

While this event doesn’t lead to a ‘total loss’, there is a clear case for creating a business continuity plan to cover such events.

ISO 22301 Business Continuity Management has been released to provide the family management system framework to the business continuity sphere, more details.

In summary, unfortunately events do happen, but being prepared makes all the difference to your recovery time!

Sources
ISO 27001 – https://www.assentriskmanagement.co.uk/iso27001
ISO 22301 – https://www.assentriskmanagement.co.uk/iso22301
BBC News, 2012, RBS boss blames software upgrade for account problems, http://www.bbc.co.uk/news/business-18575932

entry120628-125003