Using a Sustainable Model for Banking Security


Today’s threat landscape demands an integrated approach to advanced persistent threats (APTs) that can bridge the gap between prevention and incident containment and remediation. A mature, well-thought-out security model should be a mandate, one that the information technology (IT) department and the C-suite work together to implement in order to thwart new-age attacks. Big data has entered every industry and business function and has become an important factor in production, alongside labor and capital. According to a report by McKinsey & Company, the use of big data is becoming a key basis of competition and growth. From the standpoint of competitiveness and the potential capture of value, all companies need to take big data far more seriously. Good security-technology real estate is essential. However, the presence of content filtering systems, big data monitoring and other technologies cannot be undermined.

According to a Vanson Bourne study conducted in 2014, there is an increasing understanding, globally and in India, that technology is a key driver for business initiatives and results. New technology is now actively and aggressively encouraged in various organizations to drive business goals. Globally, 69% of the respondents, and 79% of the respondents in India, are in this forward-leaning stance. Today, India has a total of 120 million Internet users, making it the third-largest user base in the world, according to a McKinsey report. India is likely to have the second-largest user base in the world, and the largest in terms of incremental growth, with 330 million to 370 million Internet users in 2015. Hence the overall consumption of smart mobile devices and cloud services by employees will increase manifold. As it does, there will be a strong increase in personalized attacks, including advanced persistent threats. This trend strongly implies that security services for BYOD and big data analysis should be a top priority for companies. Most importantly, the overall security infrastructure should take a 360-degree approach.

There is a need to adopt a lifecycle approach in order to implement a complete, multi-layered defense. The three core capabilities of the lifecycle defense are ongoing operations, incident containment and incident resolution. The process begins with the detection and blocking of all known threats, while unknown threats are moved to the incident containment stage. At this stage, each threat is carefully analyzed and mitigated via closed-loop feedback, through which threat intelligence is automatically shared with other security systems to inoculate the organization against future attacks. In addition, threat information is shared in real time among millions of users in thousands of organizations via a global intelligence network, so the defense system can learn, adapt, and evolve to stay a step ahead of advanced threats. Finally, at the incident resolution stage, breaches that do occur are investigated, analyzed, and quickly remediated, and the resulting intelligence is shared via the global intelligence network, which in turn helps convert unknown threats into known threats.

The focus in the Banking, Financial Services and Insurance (BFSI) space has now moved to APTs, threats that are unseen and unknown. Until a couple of years ago, CIOs were not focused on APTs; today, however, they are sitting up and taking notice of these threats. Organizations are finding APTs very challenging because they can be targeted at a specific entity or organization. Ironically, most APTs use the simplest of technologies and code. Organizations must therefore gear up to block known threats and contain unknown ones.

According to the latest data provided by the National Crime Records Bureau, the official chronicler of crime in the country, cybercrime registered under the Indian Penal Code (IPC) showed a much higher growth rate of 122 per cent in 2013 over the cybercrimes registered in 2012. IPC cases went up to 1,316 in 2013 from 595 in the previous year, with the state of Maharashtra topping the list, where the police booked 226 cases in this category.

A cyber infection can occur within seconds, if not minutes; the actual challenge, however, is realizing that an infection has occurred. In such cases an ideal solution is to block the known and contain the unknown. That being said, some of the newer threats, known as zero-day attacks, cannot be thwarted or blocked out. It is a marketing misnomer that organizations can find something that is virtually impossible to detect and select the right solution to thwart it.

In today’s environment, banks need to offer their customers the comfort and peace of mind to transact online, while at the same time ensuring that applications and banking channels are threat-proof. Banks offering Internet banking and applications for transactions are finding it difficult to manage the threats that their customers receive. Although there are solutions available, the bigger question is this: if banks are relying more on apps for customer transactions and query interactions, then their respective CTOs need to redefine how they will have the right security features built into them. That being said, several banks have started offering secure tunnel mechanisms for their customers to engage with, as they have realized that security is no longer just a CIO or CTO priority but one that has entered planning meetings in board rooms. However, there is still a long journey ahead to completely bridge the chasm between operational and technological corporate requirements.

Another new challenge that most CIOs and board rooms are taking cognizance of is Shadow IT. Let’s say that an employee has to transfer a 30 megabyte (MB) file. The corporate mail policy says that he or she cannot transmit more than 10 MB. To get this task accomplished, the employee may go to a third-party file sharing website and email a download link. The shared link may in fact have a second, hidden motive: to send an infectious threat to a particular computer or device without the user realizing it, or to steal data in the background while a file is being downloaded. Shadow IT is proving to be a big challenge, especially in India, where many departments have still not agreed on or defined a synergetic approach with their IT custodians towards implementing corporate policies on BYOD, the third-party websites employees are permitted to access, and so on.

Moving forward, corporates and organizations will need to look at systematic annual planning across each level of their respective hierarchies in order to ensure that their policies allow users the level of freedom that they value, while appropriately balancing the risk to them. Instead of looking only at compliances, organizations should look at the maturity of their technology models, for example through CMM maturity models for security. There are Indian organizations, in fact Indian multinational corporations (MNCs), that adhere to international standards while making sure they are compliant with Indian security systems and compliances. Hence, the art of striking the right balance between user experience and security is still evolving, but it is one that BFSI firms in the country should make a conscious effort to support and help mature into a sustainable model for all parties concerned.