Banks need to carry out phishing exercise regularly to evaluate and correct the glitches
New Delhi: Cybersecurity in the banking sector has become a major concern in recent times. In fact, Reserve Bank Governor Shaktikanta Das recently said that issues concerning cybersecurity and data protection must be addressed to gain the confidence of the excluded section in use of technology, which is necessary for promoting financial inclusion.
"Technology, though being a great enabler, can also lead to exclusion of certain segments of society," Das said in his keynote address at a webinar on 'Investing in Investor Education in India: Priorities for Action', organised by the NCAER.
A recent Deloitte India report on "Digitizing the post COVID world: The '3I' approach" stated that the banking industry needs to upgrade its IT infrastructure and appoint experienced chief risk officers to effectively deal with incidence of cybercrimes. Observing that banks are the most targeted sector, the report mentioned that nearly 22% of cybersecurity attacks which took place in India in 2018-19 were on the banking industry.
"...these (cyber) attacks are becoming complex day by day. To address these challenges, banks need to appoint experienced Chief Risk Officers who can take the responsibility of skilling the employees and lead investment in military-grade cybersecurity solutions to detect the most advanced attacks," the report added. ET Now got in touch with some experts to understand cybersecurity challenges for the banking industry:
Q: The banking sector has been under attack for hundreds of years. First, it was the physical theft of monies. Then it was computer fraud. Today, it’s not only cyber fraud but hacks into servers. Are Indian banks ready to tackle cyberattacks?
S Ravi, former Chairman of the Bombay Stock Exchange (BSE), said the Indian banking system is bracing up to tackle computer and cybercrime. The unexpected situation of the Covid pandemic has resulted in more digital transactions, which the banking system was not prepared for. However, if you see the statistics, banks have been able to mitigate the risk to a large extent. The banking system is investing in IT infrastructure so as to equip itself for the increased digital transactions.
Munjal Kamdar, Partner, Deloitte India, said, "The year 2020 has been quite challenging for Indian banks when it comes to cybersecurity. After the onset of the COVID-19 crisis, banking operations were disrupted severely as banks struggled to provide uninterrupted services to their clients during various stages of lockdowns. In the following months, they accelerated their digital transition efforts (such as digital banking and remote access to employees) to ensure contactless business operations. With a surge in digitisation, banks also witnessed a spike in cyberattacks as cybercriminals found new opportunities and vulnerabilities."
"What makes the challenge acute is that different banks are currently at varying stages of digital transformation and cybersecurity maturity levels determined by their past investments, budget allocation, and size in terms of customer outreach and service offerings. To cope with challenges associated with COVID-19, bank executives will have to embrace new digitisation and cybersecurity norms to meet business requirements, irrespective of the cybersecurity maturity levels of their banks," Kamdar added.
Q: With online banking becoming increasingly popular, what are the risks presently associated with banking on the web?
Kamdar stated that there are a wide variety of attacks depending on the circumstances. For instance, an unmonitored and insecure home Wi-Fi network may be subject to a “man-in-the-middle attack”, i.e. when someone intercepts a communication by either eavesdropping or impersonation. Compromised personal routers may be accessed to conduct a Distributed Denial of Service (DDoS) attack, financial fraud, or as a hop point to conceal the original attack location. Collaboration platforms and communications tools may be targeted with a disruption of services and there may be an abuse of cloud accounts with login attempts from anomalous locations using stolen credentials.
He further mentioned that remote working, which has become an overnight default mode of operation, may be vulnerable to phishing, vishing, and social engineering attacks. These can range from APT groups using COVID-19 themed attacks (to steal user information, commit financial fraud, or deliver commodity malware) to bogus websites or fake online platforms, spam or phishing emails, text messages, and social media posts to lure potential victims, all the way to the possibility of nation-state backed campaigns for espionage and disinformation.
Other areas of concern include cloning of digital identities (involves manipulating existing audio, photos, and videos that look real and can cause ethical and legal concerns), malware contagion, and even advanced persistent threats where an infiltrator or unauthorised user enters a bank’s systems or network undetected and remains there for an extended time period with the intention to steal financial and personal data, cyber money laundering, ATM, and credit card frauds.
To protect banking applications from compromise, the steps that can be taken include prioritising cybersecurity assessment, securing remote access control, tightening access to third-party services, contracting or outsourcing cybersecurity capabilities as required, adopting advanced technology solutions and tools, adopting defence options for threat intelligence and response capabilities (such as zero-trust architecture, advanced endpoint security systems, augmenting cybersecurity with AI, and DevSecOps), raising awareness through training, and bolstering security through threat identification and response competencies.
S Ravi said, "Online banking is getting popular and digital banking has increased by 60% over their previous years. Cybercrimes will increase, which is visible across countries, but Indian banks will have to mitigate these risks by taking many measures. Banks will have to strengthen cybersecurity through strong internal processes.
"The banks will have to propagate financial literacy to their customers through very frequent communication. Common issues like sharing of OTP, credit card and debit card, sharing of personal details, etc. are some reasons for cyber fraud. Banks will also have to internally improve the data management system and classify the data and protect it from fraudsters. Cyber frauds can also happen by employee negligence, thus orientation to all bankers is a must."
Q: Cybercriminals also attempt to target bank’s third-party vendors (software vendors, banking equipment vendors, customer service vendors), how to tackle this?
S Ravi mentioned that third-party vendors are an integral part of the IT infrastructure. It is important that system audits of vendors are carried out periodically, which RBI has also mandated. Vendors have to be evaluated and monitoring them is a must. He highlighted that the recent outages in some banks, where operations were suspended temporarily, are certainly a point of concern. "Banks need to carry out phishing exercise regularly to evaluate and correct the glitches if any."
Kamdar emphasized that robust cybersecurity measures can help make it more proactive instead of reactive, thus keeping cybercriminals at bay. "Let’s start with applying greater focus to developing controls around data security. Also, investing much more effort and time in vendor due diligence - onboarding of vendors needs to begin with cyber assessment of the vendor and vendor site. Further, inventorising and profiling the risk of all vendors is critical to understand their risk implications for the bank."
Planning and implementation of governance models should not be rushed at the contract negotiation stage; unfortunately, not enough thought is given to these critical mechanisms for directing, measuring, communicating and managing performance. Additionally, cybersecurity expectations should be set and managed upfront at the RFP stage itself.
Another area of improvement is “right to audit” provisions, which are inflexible and are not exercised with regularity, thereby missing an opportunity to reveal problems and avoid future conflicts. Lastly, monitoring and tracking cyber risks should be done by conducting regular assessments of vendors and third parties and leveraging technology tools such as risk sensing, AI, and ML. External threats should be monitored on a continuous basis.
December 20, 2020 at 11:20AM
Banks need to carry out phishing exercise regularly to evaluate and correct the glitches - Times Now