When the enemy is invisible

 

​What is the best way to protect ourselves against unknown enemies while still ensuring that five billion transactions a year – or close to 1,000 per second – are completed efficiently, and, above all, without error? Part of the answer is ongoing investment in the latest security technology; another aspect is recognising that human beings are the weakest link in the chain.

The crucial question of how to protect ourselves against unknown enemies is top of mind every single day at the Information Security department at Nets, and there is no straightforward or clear answer to it.

The question gets right to the heart and core of Nets' business. On the one hand, we earn our keep by handling the large amounts of data required to complete financial transactions between millions of accounts every day in a user-friendly and efficient manner. On the other hand, it is a requirement that the continuous handling of information on such a large scale is done responsibly to avoid the risk of the data getting into the wrong hands and being copied, stolen, modified, or compromised in any other way.

Confidence in the security of systems is vital. But so is accessibility of these systems. Unfortunately, we cannot content ourselves with building a high wall in order to maximise the protection of our data. If we did that, the data would be isolated, but in order for information to be useful and of value, it must be accessible and usable.

IT security has always been on top of the corporate agenda, and over the years Nets has initiated a number of measures in relation to this fundamental balancing act by expanding information security in a number of areas while not compromising on user experience.

 

Invisible enemies

An example is that we have increased the number of employees in our Information Security department, so we now have 35 specialist staff with extensive knowledge and experience. As well as taking care of ongoing operational security tasks spanning the markets and countries in which Nets is active, the department's Threat Intelligence team also keeps a vigilant eye on online activity that could potentially pose a threat to Nets. Whether it is a lone hacker in a student hall of residence somewhere in Europe, or a far more organised criminal network with substantial resources on the opposite side of the globe, we must constantly assess the risk facing us by understanding who is threatening us. What are their intentions, capacity and methods?

This is essentially a never-ending task, and we must remain focused on it at all times. The task would be easier if we could keep an eye on these threats from a high observation tower, but that is not really how things work. As a general rule, the enemies and threats we face are often invisible in the sense that we do not know all of them – their locations, the methods they use or where they will strike next. Obviously, we have to be highly proactive to keep up with developments in the threat landscape in order to be able to protect Nets as effectively as possible. That is the reality we have to grapple with and for which we have to prepare ourselves as well as possible.

 

An effective shield against DDoS attacks

We are constantly expanding our efforts to enable us to respond quickly and in a timely manner when new threats appear. At the same time, we have launched activities designed to counter the more specific, known security challenges. This applies, for example, to DDoS (Distributed Denial of Service) attacks, and we now have an effective "DDoS shield" which comprises several layers of security and provides robust protection against attacks.


"The task would be easier if we could keep an eye on these threats from a high observation tower, but that is not really how things work," says Shehzad Ahmad, Head of Information Security, Denmark at Nets about the IT threat landscape. 

 

The human factor

In recent years, there has been a strong focus on developing technological solutions, e.g. to detect malicious code, but in order to effectively raise the level of security, it is absolutely vital to focus too, on our employees' awareness of data security as an integrated part of the culture and day-to-day operations.

It is absolutely essential to invest in technological security solutions, but at the end of the day, human beings are the weakest link in the chain, so we must constantly work to ensure that employees remain security-conscious and that they know what to do if they encounter a security issue.