Building Security, Infosecurity

ING Singapore: Fighting IT Security Risk on All Fronts

By Jianggan Li | 10 February 2009

The race between those who protect business-technology systems and those who try to infiltrate them never ends. A few years ago, the biggest risks were Internet worms; today, spyware, keystroke loggers, and direct attacks against software vulnerabilities are among the greatest risks. “We have to keep changing and adapting with the recent trends,” says Mangaraja Saut Martua, Manager, Information Protection & Business Continuity Management for ING Bank N.V Singapore, a unit of ING Groep N.V.

View photos

Related Categories

• BUILDING SECURITY
• INFOSECURITY

From this Section

• FEATURE

Keeping organisational IT security risks low requires careful planning, diligence, continuous execution of a risk management programme, and the support of every employee. “Security requires that we focus on all of these things,” says Martua.

One of the most important aspects of ING Singapore’s security management program doesn’t involve technology, however; it has everything to do with keeping employees informed, through an ambitious security awareness programme, about the importance of security and the data the firm strives to protect. The programme includes employee newsletters, information provided on the company intranet, and posters in the cafeteria – and, says Martua, the security group sometimes even will hold quiz-based contests in which employees compete for prizes. “The idea is to attract and keep attention, and to reward employees for staying engaged in the programme,” he explains. Reward, indeed: one of the recent prizes included a notebook PC.

However, even such heightened security awareness needs many layers of technological defences in place. Here, ING Singapore invests significant effort to make sure its networks and systems are configured properly and protected by various layers of defences, which include anti-malware/virus applications, intrusion detection and prevention systems, and data leakage applications. “It’s important to make sure that we have variety of solutions, as no single solution will eliminate all risks,” says Martua.

That’s for certain. Analysts estimate that more than 90 per cent of successful attacks target system misconfigurations and unpatched systems, that’s why vulnerability management plays a pivotal role in IT risk reduction. “Vulnerability assessment is an important activity within our security management framework,” Martua says. “It’s how we identify systems that are vulnerable, locate those that need software patches, and then verify that our patches have been installed properly.” For ING Bank Asia, with over 1,000 systems, that’s no small task.

For vulnerability assessments, Martua uses QualysGuard, from Qualys Inc. QualysGuard provides on-demand IT security risk and compliance management – delivered as a service. Qualys’ Software-as-a-Service (SaaS) solutions can be deployed in hours, and provide a continuous view of security and compliance postures. “Qualys is the most accurate we’ve used, and QualysGuard provides us with very precise reports that we can take quick action upon,” he explains. That enables Martua to fight software vulnerabilities more effectively and invest more time improving every area of his security risk management programme.