printer friendly version

People and processes for banking security

Richard Frost.

South Africa is the third most-targeted country worldwide when it comes to cybercrime and it is no different with the local banking sector, which needs to ensure its systems are compliant with regulation and equipped to deal with the growing number of attacks while also actively educating both staff and customers on security best practices.

While end-users have long been targeted through identity theft and a variety of other methods, cyber-attackers are increasingly targeting organisations as well, including those in the banking and financial services sector. Often, they don’t target the organisation directly, with the major source of recent incidents being third-party breaches.

These large organisations tend to work with multiple external suppliers – or even other subsidiaries within a group – with customer or even employee data being shared between these organisations, this can be a security risk if not managed properly. This includes improperly gaining access to information that enables them to carry out social engineering and phishing attacks that are highly convincing and especially financially harmful to organisations.

If you look at a typical system in banking, it will consist of web servers, application servers and database servers, all of which communicate between each other. As an example, when you apply for a home loan online, you first go to your bank’s online portal (the web server). When you go to the specific section and apply for a home loan, an application server will then pull up all the information the bank has about you from a database server (or servers) and may even request even more information about you from credit reporting companies.

All of these systems are interconnected and need to be equally protected. All it takes is for one of these to be compromised before a cybercriminal can get access to the rest of them and as such, banks need to have stringent SLAs and security policy requirements for all their third-party providers. It’s known that banks need to ensure Payment Card Industry Data Security Standard (PCI DSS) compliance.

However, it is important that all the third-party providers that work with the banks are also compliant with this standard. The onus is on the banks and they have to look at what data they collect, where and how they store it, where and how they use it, where and how they distribute it and when they should delete or destroy it.

Addressing the human element

Another challenge is that the security efforts focus on the user experience side, or the front end. But, what about the back end? If someone can bypass your organisation’s security systems and get access to your databases, they don’t even need to worry about trying to log in as a user. Ransomware and malware that has compromised the system of someone who is a legitimate user can then carry out privilege escalation until it reaches a point where it can take over your server.

Here, it is critical that banks adopt the principle of least privilege and make use of a robust access manager that more deeply interrogates who is accessing your systems, why they want a higher level of access, what changes they intend to make and more, which thwarts automated malware requests that lack the intelligence to complete the process.

As has been made apparent time and again, the security chain is only as strong as its weakest link and this weak link is still the human being. User awareness training is one thing that the industry needs to place greater emphasis on.

It is crucial that banks don’t just put the right policies – such as PCI DSS, your IT policies, fair use policies and others – in place, but also train users to make sure they understand these policies, how it applies to them and to make them aware that they could potentially be the source of a breach.

And in the age of privacy regulations such as the Protection of Personal Information Act (PoPIA) and GDPR, these breaches are not just a source of bad publicity, or loss of trust, but could end up seeing banks having to pay huge fines and even have business leaders facing jail time. It is said that ignorance is often bliss until it’s a cybersecurity breach and your organisation is held responsible.

Share this article:

Further reading: