Banking has changed vastly over the past few years, as new technologies emerge to change the way we transact. Non-traditional methods of transacting, such as the blockchain and mobile banking, have emerged, causing an influx of data from multiple sources. Data is no longer generated purely from ATMs or on site, but through online banking, ecommerce platforms, mobile applications – both banking and for mobile purchasing, and non-banking platforms such as the blockchain. The introduction of these omni-channel platforms has led to a need for broader, more effective security measures to be put in place.
The likes of ransomware and malware have been causing quite a stir on a global scale in the past few months, however the banking sector been besieged by all manner of cybercrime since the dawn of digital banking. As the business of banking is centred around the handling and transacting of money on various scales, banks and their customers are often considered soft targets for cybercriminals looking to make a quick buck. However, while cybercrime can be massively expensive for banks, their true Achilles heel is their reputation, the loss of which can extend the cost of cybercrime even more, as banks lose existing customers, potential business and even sometimes having to shut their doors.
Cybercrime, in line with technology, continues to evolve, taking new forms and finding new ways to infiltrate financial enterprises, and banks are struggling to maintain pace with this evolution. This is largely due to the fact that there are so many new methods of banking along with the strong shift from traditional banking to mobile banking.
Financial theft, fraud, identity theft, theft of intellectual property (IP) and general damage to the business processes, critical infrastructure and IT systems are but a few of the ways in which banks are affected by cybercrime - on a daily basis.
With banks typically absorbing the financial impact of losses caused by cybercrime, whether to themselves or their customers, there is a huge focus on ensuring they are protected and ready for anything that enterprising hackers can throw at them.
The evolution of banking cybercrime
As banking has become more digital, moving from traditional banking methods to Internet banking, telephone banking and mobile banking, breaches of data and confidential information have risen. With every new avenue of banking that is explored, another door is opened for potential access by a cybercriminal.
With so many mobile applications available for transacting, the data generated no longer belongs solely to the bank. Third parties have access to banking data, which compounds the risk. Banks are able to control only a portion of the security of transactions today, and much of the onus is on the third party. The security of unknown devices, such as mobile smart phones, cannot be established, so application developers and banks need to ensure that security measures are built into these applications themselves, in order to protect their customers.
Cross channel and cross border payments and transfers are often intercepted by hackers who lay claim to the funds being transferred. Additionally, the rise of ecommerce has introduced the need for third parties to act as intermediaries between ecommerce stores and banks, which poses yet another opportunity for interception through the likes of phishing scams and data collecting malware.
Over and above the theft of money, is the theft of identities. With so much personal information being required by online retailers and banks, people are quick to trust that their information is going into the right hands that few run the necessary checks to ensure that the data portal is secure, or that their information is reaching the intended destination. This further compounds the risk for both banks and retailers as the likes of the Protection of Personal Information (PoPI) Act come into play.
The impact on banks
Banks carry a lot of risk when it comes to cybercrime. Not only are they susceptible to the financial impact of unsecured transactions, phishing sites, re-imbursement, transaction reversal fees and so much more, but they also need to consider the impact of investigating the cause of a breach and re-addressing their cyber security every time a breach occurs. Beyond the possible risk of an “inside job”, they need to pinpoint their weak spots and address them with urgency – something that can be a cost intensive exercise. There is also the concern of damage to the confidentiality of their customers, which can irreparably ruin their reputation and credibility as a financial institution.
Loss of reputation directly translates to a loss of customer trust in the bank’s ability to safeguard and manage their wealth and assets. A bank that cannot effectively “bank” is no bank at all, in the eyes of the discerning customer. In an age where the customer is the key driver of business, loss of credibility can be detrimental to the success of the business and can lead to total failure.
It is absolutely imperative that, more than simply protecting against theft and financial breach, banks focus on protecting their customer’s personal information and other sensitive data. Not only to appease regulatory bodies – in play or yet to come – but also to retain their good standing with their customers.
Prevention is better than cure
As more and more parties get involved with transacting and as more players become involved in the banking space, often from other industries such as ICT, so do more compliance and security requirements emerge. Traditional security measures simply aren’t going to cut it any longer, and banks need to be always looking to future technologies in order to stay a step ahead of cybercriminals.
Confidentiality is key in today’s age of big data and omni-channel banking. Ensuring data and transactions are protected from all angles will be a challenge – one that banks and third parties will have to collaborate on to ensure their customers are wholly protected, and their data and privacy is completely secure.
Cyber security teams need to be looking at all potential entry points, from online banking to application access to the type of encryption employed by third party enablers. Every engagement platform needs to be addressed. They need to ensure that access is controlled, leveraging measures such as authentication, voice recognition and other biometric solutions, passwords and encryption. As new technologies are introduced and new security risks are identified, approaches such as new forms of multiple authentication will become a new trend.
Banks need to ensure they maintain a 360-degree view of their security, keeping a finger on every pulse of the industry, even extending beyond their own domain to businesses that touch on, or overlap with, theirs. Their measures need to be drawn from beyond existing customers, encompassing past customers as well. Network security, identity protection, governance, mobile and application security, channel security, protection of data in motion and data at rest, data masking, encryption, and myriad other security tools need to be reviewed and updated on a constant and regular basis.
Banks can start by assessing and securing their architecture, ensuring their network and servers are trustworthy, and that access to these are controlled and entrusted to select individuals. They should also be addressing their governance structures and standards, ensuring these are compliant not only with local governing bodies, but also with those countries with whom they do business. Having the right people in the right place, and with the proper identity verifications and biometrics in place can also go a long way to managing risk.
There are a vast number of tools and security measures available on the market today, however banks don’t necessarily need all of them – just the right tools in the right places, with the right access to them, or a service provider who understand the nature of banking from a strategic point of view, who can ensure that the bank has the necessary tools in place for a solution that is integrated and effective and yet won’t break the bank.
By Sanjay Vaid, Director of Cyber Security and Risk at Wipro Limited