By Edwin Bartlett, CEO at Hicomply The last twenty years have seen a major digital transformation in the banking industry. We’ve moved from solely in-person, high-street banking in the early 2000s to the adoption of almost exclusive digital and online banking. It could be argued that information security was invented by the banking industry: the […]
By Edwin Bartlett, CEO at Hicomply
The last twenty years have seen a major digital transformation in the banking industry. We’ve moved from solely in-person, high-street banking in the early 2000s to the adoption of almost exclusive digital and online banking. It could be argued that information security was invented by the banking industry: the concepts of bank accounts, unique codes and secure access, even if just through a signature verification, were all about controlling access to people’s information.
However, while the industry’s safeguards were initially ahead of the market, the forces trying to break those safeguards often seem to be ahead of the curve. Banks are having to move a lot faster than they used to – and they also must do strict reporting, in line with guidelines like the Prudential Regulation Authority’s ‘International banks active in the UK: 2022 priorities’ letter to CEOs [1], because of the threat of cyberattacks.
Increasing cyber threats and the evolving landscape
Security Magazine reported that 76% of customers will defect from using a business if their information is compromised [2]. It’s a startlingly high number, and it’s reflected in the way banks have evolved to think about information security as a way of preventing financial loss. The industry is starting to put risk management plans in place to prevent breaches, protect networks and protect customer data.
Decentralisation
Banking has become much more decentralised in recent years. It’s no longer a landscape solely made up of high street banks: the rise of fintech, challenger banks and other forms of payment are now available. While this offers a variety of options for the consumer, it also presents more of an opportunity for fraud and customer data leaks because there are so many more touchpoints.
Third parties
Additionally, information is increasingly being exposed by third party breaches e.g. social media accounts where customers use the same email address or password. This naturally exposes banks to an additional level of threat – and addition, many consumers are not proficient at managing security on mobile devices, leading to increased vulnerabilities.
Remote working
The remote element must also be considered: often, challenger banks have many staff working from home (and even four-day work weeks, which is transformative to the sector). We’re no longer talking about a network of branches. Instead, we’re talking about thousands of people working from home, so there are challenges to consider here, too.
Cryptocurrency
We’re also seeing the rise of different types of currency, such as cryptocurrency. Originally, information security was a concern regarding currency within a country, but it’s now key to consider multiple currencies across borders, increasing the opportunity for threat actors to steal currency in its many forms.
What can the banking sector do to better secure its data?
Traditionally, the physical risks would have been the most significant concern because of the number of branches and people involved. The flipside to this is that we’re seeing new and different types of risk – such as cyber threats – and organisations now need to focus their efforts on digital security.
There are many technology options to consider when it comes to securing data, but the key approach is an organisation’s security posture and organisational structure. An approach of prevention as well as preparation for any successful threats is key. The approach to security should start with the people in the business – and the first step is to educate and inform employees through policies and procedures, as well as training and engagement.
For example, ransomware is the biggest information security risk to most businesses today. Ransomware is typically activated when someone clicks a link in a phishing email or downloads an email attachment. Once activated, it can take over a computer or even an entire network. It can also be delivered through security holes and infect a system without any action on the part of a user. Older, unsupported versions of Microsoft Windows are particularly vulnerable to ransomware and malware attacks.
Organisations should train staff on how to identify a scam email and the signs to look out for, and how to verify the identity of an email sender against the email address used. It’s also important to train staff to consider – before clicking – whether a link or attachment looks legitimate, as attachments can be infected with malware.
The next step is to put in place continuous monitoring of systems and regular auditing. Organisations should undertake regular information security audits of their systems, rules, policies, and risk assessments annually. Frameworks such as ISO 27001 and SOC 2 (US focused) can be put in place to support this, as they require the organisation to build and consistently maintain an information security management system (ISMS).
Implementing information security management
An ISMS includes several core areas: an asset register, risk assessment and treatment, and policies, procedures and processes that the organisation needs to operate to. Businesses need to identify the assets that could be at risk, for example information assets, physical property, customer data and physical assets.
To manage this, it’s important to undertake consistent risk assessments. As part of that risk assessment, mitigating tasks and treatments can then be identified. As mentioned previously, working towards ISO 27001 helps here, as the ISO standard provides the framework to work to.
The steps toward building a functional ISMS in the scope of ISO 27001 look like the below:
ISMS scoping – Defining the scope of an ISMS ensures your ISMS suits the business. This will define information the organisation intends to protect, including personal information and data.
Asset register – Creating an asset register defines the physical and informational assets the ISMS will protect, such as information, hardware, software and physical assets.
Risk assessment and task management – this step enables an organisation to identify risks to its assets and identify treatments to mitigate these risks, including assigning relevant tasks to specific members of staff or the entire organisation.
Policy and procedure creation – to ensure the risks are mitigated and the assets are fully protected, the business should create the policies and procedures required for ISO 27001 certification.
Increasing cyber security in banking
New threats to cyber security continue to arise; organisational preparedness is a crucial factor in mitigating the threats and reducing the impact of those threats on a business. Staff training and awareness is hugely important, as so many breaches happen due to human error.
Equally, implementing an ISMS and working to achieve standards such as ISO 27001 and/or SOC 2, depending on business geography, can help businesses limit the impact of cyber threats and build consumer trust by showing they have achieved internationally recognised standards for information security..
[1] https://hicomply.com/how-iso-27001-can-help-banks-establish-operational-resilience/
