How Banks Can Collectively Combat Security Threats

rahul

The banking industry is coming to terms with the fact that it continues to top the list of 26 industries that cyber criminals prefer to target. According to a Deloitte report, financial services customers are seven times more likely to be victims of a spoofing attack. Nevertheless, as both retail and corporate customers opt for digital transactions, banks in India have proactively adopted newer technologies and digital channels, and invested heavily in security systems and processes. However, the security measures have done little to mitigate attacks. The rise of cyber security incidents requires a dynamic and robust approach to security. It is in this context that the Reserve Bank of India (RBI) published guidelines on the Cyber Security Framework (in 2016) to enable banks to adopt a resilient security policy and crisis management plan.

COMBATING NEW-AGE THREATS

Traditional information security focuses on attacks such as hacking, phishing, spoofing, etc. However, newer threats have emerged, forcing organizations to constantly address new vulnerabilities. RBI’s Cyber Security Framework specifies the steps to take for combating new-age threats that seek to exploit weaknesses in traditional systems. One of the most important aspects of this set of guidelines relates to the setting up of a cyber security operations center that focuses on securing the ecosystem and ensuring information sharing on a proactive basis. In many ways, this is an opportunity for banks to take a step forward and assess themselves with a view to improving their cyber security posture. It is important that banks do not treat the guidelines as a compliance requirement.

Some of the key takeaways from the guidelines include:

· Establishment of a cyber-security board to approve the security policy and to measure and monitor outcomes of cyber initiatives

· Setting up of a security operations centre (SOC) with strong controls to protect customer data—whether at rest or in motion—within the bank or vendor’s environment

· Proactive reporting and collaboration mechanisms to help banks make use of historical incidents and threat intelligence to respond better

· Continuous surveillance with dynamic and adaptive security systems that make use of intelligence based on behaviour analysis and detection capabilities

· Building cyber resilience by establishing a cyber crisis management plan (CCMP) to address issues relating to threats and attacks

· Strong governance over the entire gamut of vendor relationship, including the right to audit and review actions

IMPACT ON BANKS

Banks need to have an IT sub-committee or a board to actively assess their security preparedness and report to the RBI the following:

· Identified gaps in the cyber security framework

· Proposed security measures and controls, including their expected effectiveness

· Timelines for implementing the security plan

· Measurement criteria for assessing the effectiveness, risks and threats

CHALLENGES FOR THE INDUSTRY

Upgrading cyber security in banks is fraught with several challenges that have to be addressed. These cyber security measures come at a time when banks are already grappling with several cost reduction strategies and shrinking margins. Although several aspects need more consideration, it is important that banks adopt a risk-based approach while building advanced capabilities. RBI’s measures have given the industry the required push to move forward and strengthen cyber defenses at both the organizational and industry levels. In fact, some banks have already instituted measures to address many of the issues highlighted by the RBI. However, many still must strengthen their processes on many fronts; for instance, banks will have to implement advanced systems to sensitize operations, because merely analyzing security logs for routine patterns does not help any longer. In other words, banks would need to move from implementing basic security operations towards setting up advanced security operations centres.

According to a Radware research report, most businesses rely on making frequent manual adjustments to security policies for mitigating threats. This in itself is a compliance risk. Traditional solutions (which involve vulnerability and application scanning) typically take hours or even an entire day to complete a scan. Code review tools are no better, because they take significantly longer to complete tasks. Imagine deploying these tools in financial organizations! It is a recipe for disaster.

ENCRYPT FOR A SAFER WORLD!

Today, it is common to find data distributed across hybrid environments and stored on endpoints, data centers, and public clouds. Given this reality, there is a real threat to security in banks. For instance, attackers may compromise a cloud service to access data or an “insider” may steal a physical drive or server that contains customer data.

“While the cloud brings endless opportunities for faster convenient banking and payments, the challenge remains around security,” said Rob Westervelt, Analyst at IDC, speaking to GlobeNewswire.

“It’s especially important with the rise of mobile payments and cloud-enablement technology like host-card emulation (HCE) to implement a strong data security strategy with end-to-end encryption.” Moreover, the case for effective and efficient management of encryption keys cannot be underplayed in the current business clime.

Addressing a range of threats across the public cloud landscape is possible with volume and full-disk encryption for cloud IaaS instances, virtual machines, and storage systems.

Having intelligent solutions increases visibility and strengthens data security within virtual environments. It is important that banks exercise control over the encryption key management system across a vast array of layers, including endpoints, file servers, virtual servers, enterprise file sync and share (EFSS) solutions and Internet of Things (IoT) instances.

To implement cost-effective smart security solutions with enhanced control and flexibility, banks must no longer undermine the role played by encryption for protecting data-at-rest across physical, virtual, and cloud environments.