Understanding the relevance of cyber security in the BFSI sector: Bharat Panchal, NPCI
Protecting sensitive data is important, industries across the globe agree on this fact. With surmounting pressure on CIOs and CISOs on putting higher investments for security infrastructure, the challenge of facing sudden attacks on protected data and customer information is getting bigger and more unpredictable
By Bharat Panchal
During the time companies and leaders were discussing the optimal budgets to spend on building a resilient, secure infrastructure, the perpetrators were not sitting idle. Newer technologies and enhanced software knowledge has today led to major data breaches across the world. India is also not different than the rest of the world in terms of cyber security breaches.
While secure data makes for the basis of a successful business in this connected world, building consumer confidence on your security architecture is only one angle to tackle. The bigger challenge lies in creating an ecosystem that not only promises to be safe and keep critical customer data safe, but also comes together in understanding the constant need for vigilance. With everything else, hacking has evolved too. It calls for an industry-wide stance where irrespective of the threat, organisations are safeguarding their data and building robust strategies to mitigate security risks and improve crises response time for difficult situations.
Protecting valuable data
Having discussed the need for information and data security structures in place, let us not forget that it is not only banks or financial institutions who are in need for mitigating data breach situations. Every company and organisation needs to protect its valuable data to maintain business continuity. However, the impact of a breach is often seen manifold for the BFSI sector because of the sensitive nature of customer’s financial data. Conventional data protection is just not enough for the current reality. Companies need to think deeper into the possible consequences of a data breach and strategise their security infrastructure accordingly.
Stringent security practices
Securing technology systems and protecting the data and assets of customers remains one of the highest priorities for any financial institution. Evolving security threats, both internal and external, require the use of new controls, latest methods and sophisticated advanced security tools to protect all transaction activities and data. Multifaceted and layered security tools and procedures strengthen any institution‘s efforts in combating against these threats by providing multiple automated barriers at different levels. Hence, it is important to ensure that security practices are stringent by utilising a strong, multi-layered security strategy, including the use of best of the security tools like firewalls, proxy servers, SIEM (Security Incident and Event Management), two- factor authentication with tokens, PIM (Privilege Identity Management), FIM (File Integrity Management), WAF (Web Application Filtering), APT (Advanced Persistent Threats).
In the banking and payment system, a strong security strategy requires that all high-risk transactions be reviewed and authorised by the customer, and that the payment system network uses industry-standard practices to validate the legitimacy of those transactions. A layered security policy should also take into consideration where sensitive data is stored, human resources, and the physical assets of the organization, including laptops, tablets, printers, scanners, mobile phones, Wi-Fi and access to all other facilities.
Types of challenges in cyber security:
- Mobile Banking
- Malware, botnets and DDoS
- Strong controls for mobile browsing and app
Indian banking industry has successfully enabled mobile banking for large customer bases. The process is long and enduring, as the traditional online banking security infrastructure and measures do not always apply to mobile banking as it is. As customers get the liberty for anywhere, anytime banking, it is imperative that strong controls are put in place for mobile browsing as well as the apps by the security managers and experts. Similarly, there are challenges from extensive malware attacks, phishing etc, which has extensive impact on the reputation of the bank/financial institution much more than the benefits it takes out of a successful perpetration.
Much has been spoken about the various kind of challenges in the sphere of data and cyber security. An organization‘s cyber vulnerabilities extend to locations where its data is stored, transmitted, and accessed, both by organisations and its service providers. Any weakness in the perimeter becomes the organization‘s vulnerability. This challenge will continue to increase as the organization’s cyber security perimeter continues to expand as customers increase their demands to allow access to their information irrespective where it is stored.
Best practices of cyber resilience standards
Any organization should implement adequate protective controls that are in line with best practices of cyber resilience standards to reduce the likelihood and impact of a successful cyber-attack on identified critical business functions, information assets and data. Protective controls should be proportionate to and consistent with the organization‘s risk tolerance and its threat landscape.
Integrated crisis response system
The need of the hour is an integrated crisis response system that evolves itself with newer challenges by creating a perfect amalgamation of people, processes and technology. It is crucial for businesses to maintain continuity even in case of an attack, and to get back on feet within a quick turnaround time.
In a dynamic industry such as banking and finance, where core banking systems and new technologies work hand in hand, the payments systems where technological innovation is paving the way for digitalizing whole economies across the world, advent of new and faster ways of banking on the go, security will always be of utmost importance. Prevention is hypothetical in today’s business environment since the hackers are finding new ways of turning what used to be a show of power, to a money making crime. The question is how organizations ensure getting back on feet once perturbed, to deliver the same confidence they have in their systems to the customer.
Strategic governance and strong deployment of tools
Adopting a preventive approach to tackling cybercrime related risks could help to enhanced security with improved value. However, it typically requires a paradigm shift that starts with high level governance strategy to incorporate cybercrime related risks into the enterprise risk strategy. That will help to start to identify gaps in the current cybercrime risk management strategy and encourage an organization-wide approach to countering cyber threats. Further, along with the strategic governance, a strong deployment of tools is very much necessary as a preventive approach towards cybercrime risk management.
(The author is Senior Vice President & Head, Risk Management, National Payments Corporation of India)