The financial sector's heavy reliance on technology has served it well during this pandemic. It enabled banks to continue offering uninterrupted services and to reach out to customers. In fact, the financial sector has leveraged IT and data well. This pandemic is a huge crisis, but it is also an opportunity for the sector to up its game on security, which has been its Achilles' heel many a time.
Today, banks and financial institutions use digital channels for almost all types of interactions, financial and non-financial alike. While these channels have enabled new ways of delivering services, improved productivity and reduced transaction costs, they have also brought threats and challenges in securing both wired and wireless transactions.
It is quite challenging to understand and tackle unknown and unseen adversaries in cyberspace, which has no boundaries. The challenge of protecting open, faster delivery channels built on technologies such as blockchain and 5G becomes immense when the "walls and roof" of banks are vanishing. In the Indian context, where three or four vendors supply the core banking solutions for the entire industry, a security lapse in one of those products, once exploited by a single attacker, leaves almost every bank running that solution potentially vulnerable.
Bad actors have been trying to take advantage of unsophisticated netizens and unprotected organisations since the dawn of the internet, but today's bad actors are in a class by themselves. Nation-state actors, often operating through a vast network of well-funded proxies, strive to exert influence, threaten stability and sow discord in cyberspace. Hacktivist organisations seek to undermine, damage or discredit organisations whose agendas and politics they oppose.
After major security incidents around the world, countries such as Britain, Germany, Estonia, Australia, Canada and Singapore have developed and issued cybersecurity laws. Generally, these focus on sectors identified as critical infrastructure or critical information infrastructure, such as national security, finance, telecommunications, public transport, logistics, healthcare and energy. These sectors are the primary targets of cyberattacks, and attacks on them cause the biggest business disruption and nationwide impact.
To combat these attacks, financial institutions are implementing sophisticated and costly information security tools. These tools generate a huge number of audit records and alerts, far more than can be monitored manually. Studies reveal that only about 50% of such audit logs are scrutinised. What does this mean? The tools may raise alerts about incidents, but nobody notices them and, therefore, no action is taken.
Another challenge is the analysis of high-frequency, high-volume audit data (Big Data) with suitable IT solutions. It is like searching for a needle in a haystack. Financial organisations need to build capability in this domain and ensure that audit logs are scrutinised regularly: timely automated detection can prevent loss of information, stop malicious attacks and minimise the cost of those that do succeed.
Ensuring a cybersafe financial sector cannot be the effort of an individual or a single organisation. Government policies, laws and an institutional framework are of paramount importance. Where do we stand in this regard?
The IT Act, 2000, together with the Indian Penal Code, provides adequate provisions to deal with cybercrime, with imprisonment ranging from two years to life and fines or penalties depending on the offence. Other steps include the setting up of CERT-In, the National Critical Information Infrastructure Protection Centre, the National Cyber Coordination Centre, and cyber forensic training and investigation labs in most States.
These are significant steps, but the administration of justice takes its own time. Perhaps, with the zeal with which the government has moved towards a less-cash society, it should also build the infrastructure for fraud detection, arrest of criminals and quick punishment.
The Reserve Bank of India (RBI) has issued a comprehensive circular on the Cybersecurity Framework in Banks covering best practices. It has also mandated that CISOs of banks, Board Directors, CXOs and senior management undergo certification programmes. The RBI monitors each bank's status against this framework quarterly; the framework directs banks to put in place a board-approved cybersecurity policy and effective surveillance covering network and database security, protection of customer information and a crisis management strategy.
Hackers are Innovating
The hacker community is more united than its targets. Attacks are no longer isolated; they are synchronised and draw on collective innovation in technology for targeted attacks. One example, detected only after considerable effort, is the fileless attack: it leaves no malicious file on disk, and was found by analysing memory dumps, where irregularities were discovered after the affected system began behaving erratically. This is just one example of how the hacker community is continuously upgrading and building new weapons that pose challenges.
Countering these threats calls for dedicated research to monitor evolving threats and countermeasures. The financial sector should come together to fund such research regularly. This would enable banks to be proactive rather than reactive in dealing with cyberattacks. The security ecosystem for banks comprises government, regulators, banks, solution providers, fintechs, incubators and academic institutions. Ideally, solutions emerge from academia and are delivered to banks through fintechs and IT companies. Institutions like Hyderabad-based IDRBT, working at the intersection of industry and academia, play a crucial role.
Making it Tight
Even with the latest sophisticated technologies for enhancing cybersecurity, viz, Artificial Intelligence, Machine Learning, Blockchain and even Quantum Computing (each of which is also a threat to cybersecurity), it is certain that no amount of sophistication will be effective unless the basics are strictly adhered to. What are they?
Detect and Respond
A recent study puts the average dwell time, the period an adversary stays in and explores a victim's network before acting, at about 220 days. This has to come down. Tools are available, and automation of incident response is recommended.
Stick to Basics
Not sticking to the basics of security is a major threat in itself. This includes insecure configuration of systems and not applying security patches on time. For instance, a recent incident at an Indian cooperative bank could have been prevented had a security patch, released a few weeks before the breach, been installed on time.
In this context, user responsibility, whether of customers, bank personnel or outsourced professionals, is equally important. Handheld devices, which carry a significant share of banking transactions, are increasingly vulnerable to malware. Fixes for vulnerabilities in mobile operating systems, be it iOS or Android, are released constantly. Are these updates applied on user devices? If not, are those devices not injecting vulnerabilities into the banking network?
It is also becoming difficult for customers to distinguish genuine channels from fraudulent ones, since the fakes mimic the original so well. Important downloads such as the bank's app should be obtained only via the bank's own website, not from an arbitrary public portal. Banks must have 24x7 surveillance to weed out apps masquerading in their name on public portals.
Segmentation of networks, physically wherever possible and virtually in all other cases, greatly limits an attacker's ability to move laterally even after a breach has occurred.
Regular Data Backup
When a system is hit by ransomware, we are left with only two options: pay the ransom and hope the system is released, which many times does not happen even after paying, or format the system and reinstall everything afresh. The operating system and even the applications can be reinstalled, but the data is unique. Taking regular data backups is the best defence against ransomware, provided the backups are kept offline or otherwise out of reach of the same attacker, and are tested by actually restoring from them.
Control over Third Parties
There is significant cybersecurity risk because a lot of data moves back and forth and is held by third parties. Strong SLAs, regular audits, role-based access controls, multi-layer protection techniques and database access monitoring tools reduce this risk.
Stronger authentication, in particular multi-factor authentication, implemented wherever possible, addresses brute forcing and even many types of phishing attacks. Automation of on-boarding and security of IoT devices too is critical.
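The strengthened authentication referred to above (assumed here to be multi-factor authentication, with a time-based one-time password as the second factor) can be illustrated with RFC 6238 TOTP. The block below is an added example, not code from the article or from any bank's systems: the secret is the RFC 4226/6238 test-vector value, so the codes it produces can be checked against the RFC tables, and the TotpVerifier class, its replay store and the user name "alice" are constructions for this illustration.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret as it would be provisioned to an authenticator app (base32).
# This is the RFC 4226/6238 test-vector secret, ASCII "12345678901234567890",
# used here only so the outputs can be checked against the RFC tables.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode a provisioned base32 secret (tolerates missing '=' padding)."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check (hypothetical helper, not a library API) with clock-skew
    tolerance, constant-time comparison and replay protection: each counter
    value is accepted at most once per user, so a captured code cannot be reused."""

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1):
        self.step, self.digits, self.skew = step, digits, skew
        self._last_counter = {}   # user -> highest counter already consumed

    def verify(self, user: str, secret: bytes, submitted: str, at: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        now = at // self.step
        last = self._last_counter.get(user, -1)
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= last:
                continue   # already used: replaying a phished code fails here
            if hmac.compare_digest(hotp(secret, counter, self.digits), submitted):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print(totp(secret, 59, digits=8))                        # 94287082 per RFC 6238
    v = TotpVerifier()
    print(v.verify("alice", secret, totp(secret, 59), 59))   # True
    print(v.verify("alice", secret, totp(secret, 59), 59))   # False: same code replayed
```

Two design points matter for the threats named above. A six-digit code is brute-forceable at a million guesses, so the server must also rate-limit attempts per account; and because a TOTP code is valid for the whole step (plus skew), a phishing kit that relays the code to the real site in real time still succeeds, which is why the text says "many types" of phishing rather than all. Replay protection stops the captured code from being used a second time; only origin-bound factors such as FIDO2/WebAuthn close the real-time relay case.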
AI and Machine Learning
While solutions that utilise AI and machine learning can greatly reduce the time needed for threat detection and incident response, the same techniques can be used by cybercriminals to increase the efficiency, scalability and success rate of attacks. Hence, the use of AI for security has to be ramped up considerably to counter the use of AI by cybercriminals.
Finetune SOC Alerts
Big Data-based next-generation Security Operations Centres (SOCs) are needed. Tuning the SOC to reduce false positive alerts (noise) will help; otherwise analyst fatigue compromises the SOC's effectiveness, however sophisticated it is.
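The point made here, and earlier about unscrutinised audit logs and long dwell times, can be shown concretely: a per-event rule turns every failed login into an alert, while an aggregated rule reports the same brute-force burst once and escalates only if the attacker then succeeds. The block below is an added example, not code from the article or from any real SOC; the log format, the sample lines and the IP addresses are constructed for this illustration, and the threshold and window are arbitrary tuning parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real bank system).
# Format assumed for this example: "<ISO timestamp> <user> <source IP> <OK|FAIL>"
SAMPLE_LOG = """\
2020-06-01T09:00:01 alice 10.0.0.5 FAIL
2020-06-01T09:00:09 alice 10.0.0.5 OK
2020-06-01T09:01:00 bob 10.0.0.9 FAIL
2020-06-01T09:01:04 bob 10.0.0.9 FAIL
2020-06-01T09:01:11 bob 10.0.0.9 OK
2020-06-01T09:02:00 admin 203.0.113.7 FAIL
2020-06-01T09:02:02 root 203.0.113.7 FAIL
2020-06-01T09:02:04 alice 203.0.113.7 FAIL
2020-06-01T09:02:06 bob 203.0.113.7 FAIL
2020-06-01T09:02:08 carol 203.0.113.7 FAIL
2020-06-01T09:02:10 dave 203.0.113.7 FAIL
2020-06-01T09:02:12 erin 203.0.113.7 FAIL
2020-06-01T09:02:14 frank 203.0.113.7 FAIL
2020-06-01T09:02:16 carol 203.0.113.7 OK
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, source, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return sorted(events, key=lambda e: e[0])


def naive_alerts(events):
    """Per-event rule: every failed login is its own alert (the noisy baseline)."""
    return [f"failed login for {user} from {src}"
            for _, user, src, result in events if result == "FAIL"]


def thresholded_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Aggregated rule: one alert per source when it accumulates `threshold`
    failures within `window`, plus one escalation if that source then logs in
    successfully (a brute force or password spray that worked)."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, user) for recent failures
    flagged = set()               # sources already alerted on in the current burst
    alerts = []
    for ts, user, src, result in events:
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures that aged out of the window
            q.popleft()
        if result == "OK":
            if src in flagged:
                alerts.append(f"ESCALATE: successful login as {user} from {src} "
                              f"after {len(q)} failures")
            q.clear()
            flagged.discard(src)
            continue
        q.append((ts, user))
        if len(q) >= threshold and src not in flagged:
            users = sorted({u for _, u in q})
            alerts.append(f"{len(q)} failed logins from {src} within "
                          f"{int(window.total_seconds())}s against {len(users)} accounts: "
                          f"{', '.join(users)}")
            flagged.add(src)
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(f"per-event rule: {len(naive_alerts(events))} alerts")
    print(f"aggregated rule: {len(thresholded_alerts(events))} alerts")
    for alert in thresholded_alerts(events):
        print("  " + alert)
```

On the constructed sample the per-event rule raises 11 alerts, three of them for ordinary users mistyping a password, while the aggregated rule raises two: the burst from 203.0.113.7 and the successful login that followed it, which is the one an analyst must act on quickly. The tuning parameters are where false positives are traded against missed slow attacks; a spray that spreads its attempts over hours needs a longer window, or a second rule keyed on the number of distinct accounts per source.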
Bots can be used in both the offence and defence of cybersecurity. Bad bots, such as bot viruses, DDoS bots, phishing bots and spyware bots, have been unleashed on the cyberworld with nefarious intentions, and the financial sector is among their biggest victims. The Mirai botnet launched a devastating attack on large portions of the internet; mind you, it was built by a few college students. Just as bad bots are used in attack, the defence too must draw on a wide range of bots. Defence bots can become proactive defenders, capable of adapting to a changing variety of attacks.
India has probably gone further on data localisation than any other country so far. Will this raise the cost of security, since data centres must be cloned in each country? Will it add challenges for network security? In this scenario, do we need to redefine big data and the advantages of centralisation? These are emerging issues we have to grapple with.
After taking all mitigating measures, the residual risk should be covered by adequate cyber insurance.
Cybersecurity preparedness can make or break an institution. Given the interconnected world and the multiple players, it needs a perfect symphony among government, regulators and other agencies. It is a big stage, like a huge opera, especially since the financial sector has undergone a complete makeover: banks, financial institutions, payment system providers, NBFCs, primary dealers, stock exchanges and bourses, mutual funds and insurance institutions are all now part of the financial sector. An attack on any part of the sector can have a domino effect.
(The author is Non-Executive Chairman, Bank of India)