Cyber Security Strategy – An Important Element of Banks’ Overall Digital Strategy
As this article gets written, news of the Russian hack attack on Google, Microsoft and Yahoo email accounts, whose information was sold for less than US$ 1 in total, is still in public memory. Somewhat less sensational was the report that personal data of several hundred thousand users was stolen from the IRCTC website in India, hastily denied by the firm.
Cyber insecurity is the flip side of the digital revolution. As the traditional universal banking model unbundles at the hands of technology players, it is creating many opportunities for banks to engage with their customers in new ways or cater to their needs with new, innovative solutions. But it is also opening up the industry’s flank to all kinds of online attack. A great example of this is the risk of banking accounts being compromised because the social media accounts they are linked to have been breached.
This is why, our viewpoint on how banks can turn truly digital (putting the customer at the focal point, putting the ecosystem before the bank, making automation ubiquitous and valuing insights above everything) ends with a recommendation to simultaneously reinforce the cyber security infrastructure at financial institutions. But just like selective digitization – or digitizing some parts of the bank – will not make a bank truly digital, taking an ad-hoc, tactical approach to security will not safeguard its enterprise against the digital perils of next-generation banking. No longer can security be relegated to the fringes, to be attended to by some operational team with a host of other responsibilities. Even as a bank comes up with a holistic and systematic strategy of digitization, it must also evolve a comprehensive strategy for digital security.
That strategy must consider four important aspects, namely, people, process & systems, technology and regulation.
People: In 2014, it was estimated that fraud by insiders would cost organizations around the world a total of about US$ 3.7 trillion. This means that banking enterprises must first and foremost plug all the security loopholes left open by people, be they customers or employees. For instance, they need to secure their authentication systems to ensure access to data is controlled based on role and need, but more importantly, they need to be vigilant and proactive. Equally important, banks must educate their customers on prudent banking regulations and practices.
Process and systems: Despite numerous attacks, banks have not really woken up to the reality of the threat facing them. Most focus on the “positive” consequences of their security initiatives, assuming everything will go according to plan. Very few think about a “negative” scenario, in which the attackers actually manage to penetrate their data, network or infrastructure, and therefore must be dealt with in an appropriate manner. It is not only necessary to envisage such scenarios but also decide whether that should lead to a suspension of services, or partial shutdown of operations, and so on. The challenge here is to find that fine balance between securing customer transactions while safeguarding the quality of customer experience.
Technology: Digital technology is the prime actor in the digitization of banking. It is also the source of online fraud. But it is also the antidote to it. For instance, new technologies, such as Blockchain, are introducing a new dimension to security, not by providing an additional authentication mechanism but by eliminating the possibility of fraud itself. This is possible because Blockchain by definition creates an environment where a transaction can go through only when a minimum number of banks in the “community” permit and approve it. Once approved, the transaction is non-repudiatable, and reflects in every copy of the distributed ledger in which it is stored. A fraudster attempting to introduce a fraudulent transaction through one ledger will never get past first base, because there will be no approvers for it.
Regulation: The final strategic security element is regulation. Regulations governing cyber security are becoming more pronounced with the introduction of standards, such as the FIPS 202 (Federal Information Processing Standard) in the United States. The holistic focus on security aspects, ranging from encryption to algorithms to management of fraudulent transactions, is raising the overall quality of cyber security. In addition, regulators are taking a deeper interest in emerging trends, even coming down in their favor if they appear to be beneficial to the industry. Take the Reserve Bank of India, for instance, which “banned” cryptocurrency dealings in 2013 but three years later, has expressed interest in using Blockchain to reduce cheque fraud.
For the truly digital bank, cybersecurity is therefore not about plugging one more solution or building one more firewall but about taking comprehensive strategy and action.
By Rajashekara V. Maiya, Associate Vice President & Head – Finacle Product Strategy, Infosys
