Anything ‘digital’ today would arguably be connected. Without a doubt, digital banking requires consumers and businesses to be connected. And with that come cyber risks.
Consumers are becoming more tech-savvy and readily engage with a multitude of digital services today. This has led to the emergence of ‘digital-first’ enterprises to meet the needs of today’s connected customers.
The banking industry, too, is undergoing massive digitalization, from user-facing tools like mobile banking apps to backend infrastructure – and essentially everything in between. These developments are the key drivers behind the convenience and productivity that we all enjoy today.
But inherent to any technological revolution is its own form of risk. The more ‘digital’ banks become, the more channels they open to potential attacks from cybercriminals, who are constantly evolving to exploit new loopholes.
CybersecAsia speaks to Pavel Melnichenko, CTO, Airome Technologies, for insights and solutions.
How unique are the needs for cybersecurity in digital banking?
Melnichenko: The nature of banks’ activity and money management make them a natural target for cyber-attacks. With soaring incident rates, the importance of cybersecurity in digital banking is critical. While all banks want to maximize customer acquisition, they deal with people who have varying degrees of knowledge and expectations when it comes to security. Some know nothing about “digital”, “security” and “threats”, some are well-versed and want maximum security while others just have no time to think about “how it works”.
Obviously, banks want to manage money for all of these different types of personas and need to do this securely. At the same time, banks cannot apply strict rules to their customers’ behavior, because such restrictions are usually not user-friendly, which leads to clients looking for alternate options with a more flexible “digital banking” experience.
That is why banks have very strong requirements for solution developers: digital banking has to be convenient and comfortable for end-users and at the same time be secure.
But, as we know, convenience and security don’t make great friends. That is why we see many specialized security solutions for the financial services sector, and it is the primary reason why these solutions are “unique” in some way.
What role can consumers play in the balance between convenience and security? How should financial institutions help cultivate the right awareness, knowhow and habits?
Melnichenko: The customer’s role is key. If a customer thinks that a bank is not convenient enough for him, he will find another one. If a bank loses a customer’s money — regardless of the reason — the customer will find an alternative bank.
As for awareness and habits, I think it is good if a bank educates customers to observe digital hygiene. In the modern world, it is already a fundamental rule that “red light” means “stop”. At the same time, attempts to dictate severe restrictions like “to access our remote banking you must provide a series of documents like…” are unacceptable.
If a bank doesn’t want to care enough about its clients, then why should the user frequent such a bank and continue to do business with them? There are a lot of good solutions and techniques to make digital banking safe. Banks should use and implement them, and users should just be “digitally clean” (remember hygiene?).
Organizations are putting customer trust at the center of their businesses. But data breaches continue to be more common and more severe. What do they need to do differently?
Melnichenko: Data breach is a very complicated topic. If you look at past incidents, most of the significant breaches were possible because of internal fraud. For example, data being stolen from inside the organization. It can be done because of a displeased employee, or just because of the absence of “digital hygiene” among a section of the employees — for example, someone used an infected flash drive or opened a phishing hyperlink.
So, how can one help mitigate this situation? There needs to be a strong focus on access rights restrictions and streamlined business processes. It is critical that all the data does not reside within one person. There is also the need to educate employees and implement regular security instruments such as anti-virus, email scanning, DLP and so on.
It is not a simple task to build internal security efficiencies properly, especially in big organizations such as banks; malefactors will continue to work on finding loopholes in the system.
How could banks and enterprises work together more effectively in cyber-defense?
Melnichenko: If by “enterprises” you mean solution vendors, I think that banks should “vote” with their money. They should not buy anything just because a security vendor says “this will make your system secured, your customer will bear this”.
Banks should listen to their clients, understand end-user requirements, analyze them, invest, and implement solutions to build a robust cybersecurity framework and provide a secure and user-friendly experience for both themselves and their customers. If they do so, it will enable vendors to build a more secure and convenient solution.