The real reason for core systems refreshment

I’ve been advocating for some time that banks should refresh core systems.  A complete renewal of the back-end.  Everyone tells me I’m an idiot for saying so.  It’s impossible, stupid, naïve and impractical.  OK, I hear that.  I know it’s not going to be easy but, if a bank has systems built before Mark Zuckerberg was born, how can they expect to be fit for the real-time, free world of the mobile internet?

But here’s the thing: I don’t advocate the renewal purely to be fit to market to the 21st century consumer using contextual data analytics, although that’s useful and virtually impossible when you have fragmented back-end systems. Equally, I don’t say that you need to do this purely to enable consistency of access across digital media, although that’s a great improvement over the inconsistency created by having multiple channels of legacy.  In addition, I don’t say this just because old systems typically work in batch overnight updates that cannot keep up with real-time needs.  Finally, I don’t say this because old systems are regularly having glitches, although they are (a selection of a few this year at the end of this blog entry).

No.  Replacing core systems gives you a lot of benefits including:

• Real-time provision of service
• Consistency of data
• Ability to leverage deep data analytics
• Single view of the customer
• Enterprise information leverage

But perhaps the greatest benefit of consolidating into a single service is risk management.  This is evidenced by a fascinating article in the Harvard Business Review this month, talking about lessons in cybersecurity from the US Department of Defence.  The focus of the article is the risk factors of cyberattack which, as you can imagine, the Pentagon takes fairly seriously.  The aim is to provide a few lessons for business to learn, and here are a few headlines:

From September 2014 to June 2015, the US military repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, less than 0.1% compromised systems in any way.

In a 2014 study by the Ponemon Institute, the average annualized cost of cybercrime incurred by a benchmark sample of U.S. companies was $12.7 million, a 96% increase in five years. Meanwhile, the time it took to resolve a cyberattack had increased by 33%, on average, and the average cost incurred to resolve a single attack totalled more than $1.6 million.

Over the past three years intrusions into critical U.S. infrastructure—systems that control operations in the chemical, electrical, water, and transport sectors—have increased 17-fold.

The U.S. Department of Defence experiences 41 million scans, probes, and attacks a month.

The annual global cost of cybercrime against consumers is $113 billion [2013 Norton Report, Symantec]

The Department of Defence is consolidating 15,000 networks into a single unified architecture.

That last part is the critical part, and maybe the key paragraph in the article is what the Department of Defence is doing to overcome the issues of cyberattack:

“Back in 2009, the Defense Department comprised 7 million devices operating across 15,000 network enclaves, all run by different system administrators, who configured their parts of the network to different standards. It was not a recipe for security or efficiency. It brought network operations across the entire .mil domain under the authority of one four-star officer. The department simultaneously began to consolidate its sprawling networks, collapsing the 15,000 systems into a single unified architecture called the Joint Information Environment. What once was a jumble of more than 100,000 network administrators with different chains of command, standards, and protocols is evolving toward a tightly run cadre of elite network defenders.”

And, although the U.S. Cyber Command has been upgrading the military’s technology to quickly detect anomalies, “one key lesson of the military’s experience is that while technical upgrades are important, minimizing human error is even more crucial.”

That is why the Pentagon treats security as a culture challenge, rather than a technological challenge.  At the heart of that culture are six interconnected principles:

1. Integrity.
2. Depth of knowledge.
3. Procedural compliance.
4. Forceful backup.
5. A questioning attitude.
6. Formality in communication.

It’s a useful insight into the way in which the military are approaching cyberdefence and they key is to ensure that not just that the technologies are up-to-date but, more importantly, that the people are trained to beware.

Further reading:

• Cybersecurity’s Human Factor: Lessons from the Pentagon
• The Danger from Within
• See Your Company Through the Eyes of a Hacker

Oh, and a few glitches in the UK since June 1 2015:

• Nationwide online banking down: Problems affect millions of ... (June)
• RBS sorry for IT glitch but makes no promises for future ... (June)
• BNY Mellon close to resolving software glitch - FT.com (July)
• HSBC Glitch: Delayed Payments Now Processed - Sky News (August)
• Nationwide customers hit by second glitch in two months, as ... (August)
• NatWest and RBS customers vent anger after latest banking glitch (September)
• Barclays Bank customers hit by computer problem (September)

There’s also a down detector, that reports issues with websites.  Here’s a summary for our five major banks for 2015:

• Barclays (47 reports)
• HSBC (25 reports)
• Lloyds Bank (24 reports)
• Natwest (not including RBS) (39 reports)
• Santander (16 reports)