Banks lose out in cybersecurity

The rising sophistication of digital attacks means that banks must employ new measures.

As customer demand for “anytime anywhere” banking spurs online accessibility of financial products, some experts argue that this has also made systems increasingly vulnerable. The increased accessibility over the internet and innovations via Fintech and online banking products may not have been matched with commensurate security measures, especially for critical processes and data. According to Jeremy Pizzala, a partner at EY, banks are in the middle of a major transformation in the business model of banking.

“Leading banks are re-balancing the equation to make cyber risk controls an enabler of customer digital adoption via greater ease of use,” according to Pizzala, and that regulators have been increasing the pressure to implement new compliance and controls frameworks.

Regulators have a very good reason to be strict, given the increasing frequency of cyber-attacks and the failure to address even the simplest of these. “Banks are experiencing significant cyber-attacks weekly, if not daily. Common techniques such as tailored malware and spear phishing continue to be effective owing to the lack of appreciation of cyber risks,” says Thio Tse Gan from Deloitte.

Protection against attacks
Thio notes that the first step in protecting against these attacks is for banks to identify what are the “Crown Jewels” that need to be protected given that “the traditional approach of just protecting the bare essentials isn’t sufficient to mitigate the risk of a cyber-attack.”

He explains that information such as product blueprints, securities pricing data, asset portfolios, business strategy, customer profiles and legally protected information are among the non-customer data now being targeted. After identification of what needs increased protection, banks must ensure that appropriate risk-mitigation strategies are in place, focussing not just on the technology side but also assessing the processes they employ.

“It is also recommended to expand the types of data analysed with security analytics to include end-point devices (for data loss), user access and authorisation activities, user transactions and applications and databases to get a much better bank-wide protection coverage,” says Pizzala. The rising sophistication of digital attacks means that banks must employ new measures, given that traditional Security Incident, Event Monitoring and signature-based defences cannot effectively detect new forms of attacks.