Banks are better prepared to deal with ‘WannaCry’-like threats as they have stronger firewalls in place as compared to non-financial entities, says Mrutyunjay Mahapatra, deputy managing director and chief information officer at State Bank of India. Mahapatra tells Shritama Bose that there is an ongoing practice that whenever there is some kind of threat, CERT-In (Indian Computer Emergency Response Team) and other emergency response teams keep on issuing advisories. Edited excerpts:
What percentage of your systems would be running on Microsoft products?
We have a large number of servers which run on Microsoft, because Microsoft has servers, end-point utilities, basic applications, etc. So, it is very difficult to quantify how much of them are touching a Microsoft project or Microsoft product or application, but suffice to say that we are quite alert and there are quite a large number of Windows applications running in some of the critical areas such as ATMs and our database, etc. So we have heightened the alert. Are most of these on XP or on higher versions of the Windows operating system? There are a few XPs, which are in the process of replacement, but a majority of them are higher versions.
To what extent are banks prepared to deal with such malicious elements?
You would have seen that none of the banking system softwares anywhere in the world have been impacted. That’s because security levels and firewalls of the banking systems are generally much higher as compared to a healthcare system or registry or something like that. The reason is simple — banks deal with money.
Generally, our systems are always on high alert and our firewalls are always more robust than any other industry, as we deal with customers’ financial data and financial transactions. Also, most of our applications run on closed-loop systems, that is, in a proprietary network compared to a public network, as is the case with many web-facing networks like, let us say, a hospital system or a government system, where citizens are consuming their services. As compared to that, our core banking system or the ATM system is closed-loop. The network is owned by us, end-points are owned by us and back-end servers are owned by us. So to that extent, we are protected.
What kind of measures have you taken in the wake of this latest alert?
We are not taking it easy because we also have a few web-facing (utilities) such as internet banking and mobile banking. We are keeping heightened alert and we are completing all the patching, as we call it, the version upgrades of both Microsoft-related as well as anti-malware-related anti-virus solutions. That is an ongoing process, but we are again revalidating those.