Infosys Security Breach - Key Lessons For Banks

by Sohini Bagchi    Jun 18, 2015


The recent security breach that resulted in the hacking of the salary accounts of at least two dozen Infosys employees is yet another example of a corporate security breach, a common phenomenon in today’s world. While ICICI, the company’s official bank, had to refund the amounts in the Infosys case, the incident highlights some of the broader security challenges facing banks today.

Experts believe that the banking sector is facing the heightened challenge of increased phishing attacks, card skimming (as in the Infosys case), APTs, a security skills shortage and, most importantly, an inability to detect threats.

Banks should gear up

According to some, the online security measures currently in place in most public and private sector banks are not adequate to counter emerging threats, more so because most banks are still relying on security measures that have become redundant.

In Infosys’ case alone, which the bank attributes to card skimming, security experts believe such frauds succeed because banks continue to ask simplistic verification questions about the customer’s date of birth, address, mother’s maiden name, name of spouse and other general information that is publicly available on Facebook, LinkedIn and job search portals. Fraudsters undoubtedly have easy access to such information.

R. K. Chhattani, IT evangelist and DGM at UCO Bank, states that human risk is a big problem for Indian financial institutions. In an interview with CXOtoday he said that banks need to start proactively educating their employees and customers to prevent cyber threats from persisting.

In the Infosys case, an ICICI Bank official reported that the affected customers did not have EMV chip debit cards, which offer enhanced security. Banks should work on improving awareness of the different threats that currently exist, including e-mail fraud, phishing and malware, and ensure that customer cards are updated.

Su Gim Goh, security advisor at F-Secure, also mentions in a recent report the importance of special training sessions for employees and customers on tackling security threats, to create awareness at every level.

Cultivating a risk culture

Traditionally, banks in emerging markets have paid little attention to cultivating a risk culture in which employees are motivated to speak up about new risks. Sanjay Deshpande, CEO and Co-Founder of Uniken, notes that a limited understanding of the risks is proving harmful for the banks. As banks are required to manage massive amounts of data, CISOs and IT managers are compelled to develop a risk appetite.

He also states that while the majority of banks are largely dependent on incidents being reported by their customers and employees, the need of the hour is a real-time incident management mechanism.

Banks should align their internal policies and procedures, deploy technology safeguards for protecting sensitive personal information, and make risk management a key part of boardroom discussion.

CISO’s role redefined

The current nature of threats also puts the focus on the CISO’s role in banking. The Reserve Bank of India (RBI) has already stated that every bank needs a mandatory CISO position that is accountable for the risks.

CISOs must learn lessons from the past to gear up for the future, says Sameer Ratolikar, CISO, Axis Bank. “CISOs also need to play a leadership role in building the skills necessary for leveraging new technologies and come up with a risk management strategy in order to address the complex scenario,” he says.

He believes CISOs also need to collaborate with peers and industry experts through networking and information sharing, to learn the methods of thwarting the most sophisticated threats.