INDUSTRY: Financial Services
BUSINESS: Banking, investments, life insurance, and retirement services
SCOPE & SIZE: ING Bank Singapore (A unit of ING Groep N.V.) International, €15+ billion market value (2009), 130,000+ employees
BUSINESS CHALLENGE: Cost-effectively achieve ongoing IT security and regulatory compliance risk mitigation for its own network and new company acquisitions.
OPERATIONAL HURDLE: Tight IT security team needed more security insight and manageability than could be provided by open source tools
The race between those who protect business-technology systems and those who try to infiltrate them never ends. A few years ago, the biggest risks were Internet worms; today, spyware, keystroke loggers, and direct attacks against software vulnerabilities are among the greatest risks. "We have to keep changing and adapting with the recent trends," says Mangaraja Saut Martua, manager, information protection and business continuity management for ING Bank N.V. Singapore, a unit of ING Groep N.V.
Keeping organizational IT security risks low requires careful planning, diligence, continuous execution of a risk management program, and the support of every employee. "Security requires that we focus on all of these things," says Martua.
With that in mind, it should come as no surprise that one of the most important aspects of ING Singapore's security management program doesn't involve only technology. Instead, it has everything to do with keeping every employee informed, through an ambitious security awareness program, about the importance of securing the data the financial services firm strives to protect. The program includes employee newsletters, information provided on the company intranet, and posters in the cafeteria – and, says Martua, the security group sometimes even holds quiz-based contests in which employees compete for prizes. "The idea is to attract and keep attention, and to reward employees for staying engaged in the program," he explains. Reward, indeed: one of the recent prizes included a notebook PC.
Why ING Singapore chose Qualys:
However, even such heightened security awareness needs many layers of technological controls and defenses in place. Here, ING Singapore invests significant effort to make sure its networks and systems are configured properly and protected by various layers of defenses, which include anti-virus applications, intrusion detection and prevention systems, and data leakage applications. "It's important to make sure that we have a variety of solutions in place, as no single solution will eliminate all risks," explains Martua. "It takes various techniques to do this."
That's for certain. And with analysts estimating that more than 90 percent of successful attacks target system misconfigurations and unpatched systems, vulnerability management and security review play a pivotal role for any organization that seeks to reduce IT risk. "Vulnerability assessment is an important activity within our security management framework," Martua says. "It's how we identify systems that are vulnerable, locate those that need software patches, and then verify that our patches have been installed properly." For ING Bank Asia, with more than 1,000 systems, that's no small task.
For vulnerability assessments, Martua uses Qualys. "Qualys provides us with very precise reports on which we can act quickly," he explains.
“Qualys is the most accurate [vulnerability assessment solution] we've used, and the SaaS solution makes it easy and transparent because we don't have to maintain the server or the software, or manage the updates.”
Manager, Information Protection and Business Continuity Management, ING Bank Singapore
Qualys provides on-demand IT security risk and compliance management - delivered as a service. Qualys’ Software-as-a-Service (SaaS) solutions can be deployed in hours anywhere in the world, and provide a continuous view of security and compliance postures. "Qualys is the most accurate we've used, and the SaaS solution makes it easy and transparent because we don't have to maintain the server or the software, or manage the updates," he explains. That enables Martua not only to remedy software vulnerabilities more effectively, but also to invest more time improving every other area of his security risk management program.