Through Edwin Bartlett, CEO at Comply
The past twenty years have seen a major digital transformation in banking. We moved from in-person banking only in the early 2000s to embracing almost exclusive online and digital banking. You could say that information security was invented by the banking industry: the concepts of bank accounts, unique codes and secure access, if only through signature verification, were all aimed to control access to personal information.
However, while industry backups were initially ahead of the market, the forces trying to break those backups often seem to be ahead of the curve. Banks need to act much faster than before – and they also need to do strict reporting, following guidelines such as the Prudential Regulation Authority’s letter to CEOs “International banks active in the UK: 2022 priorities”. due to the threat of cyberattacks.
Growing Cyber Threats and Changing Landscape
Security Magazine reported that 76% of customers quit using a company if their information is compromised . That’s a surprisingly high number, and it’s reflected in the way banks have evolved to view information security as a way to prevent financial loss. The industry is beginning to put risk management plans in place to prevent breaches, protect networks, and protect customer data.
Banking has become much more decentralized in recent years. It’s no longer a landscape of big banks only: the rise of fintech, challenger banks and other forms of payment are now available. While this provides a variety of options for the consumer, it also presents more opportunities for fraud and customer data leaks because there are so many more touch points.
Additionally, information is increasingly exposed through third-party breaches, for example social media accounts where customers use the same email address or password. This naturally exposes banks to an additional level of threat – plus many consumers are unfamiliar with security management on mobile devices, leading to increased vulnerabilities.
The remote element must also be taken into account: often challenger banks have many employees working from home (and even four-day working weeks, which is transforming the sector). We are no longer talking about a network of branches. Instead, we’re talking about thousands of people working from home, so there are challenges to consider here as well.
We are also seeing the rise of different types of currencies, such as cryptocurrency. Originally, information security was a concern over currency within a country, but now it is essential to consider multiple currencies across borders, increasing the possibility for threat actors to steal currency in its many forms.
What can the banking sector do to better secure its data?
Traditionally, physical risks would have been the biggest concern due to the number of branches and people involved. The flip side is that we are seeing new and different types of risks, such as cyber threats, and organizations now need to focus their efforts on digital security.
There are many technology options to consider when it comes to securing data, but the key approach is an organization’s security posture and organizational structure. A prevention approach as well as preparation for any successful threat is essential. The approach to security must start with the people in the company – and the first step is to educate and inform employees through policies and procedures, as well as training and engagement.
For example, ransomware is the biggest information security risk for most organizations today. The ransomware is usually activated when someone clicks on a link in a phishing email or downloads an attachment to an email. Once activated, it can take control of a computer or even an entire network. It can also be delivered through security holes and infect a system without any user action. Older unsupported versions of Microsoft Windows are particularly vulnerable to ransomware and malware attacks.
Organizations should train staff on how to identify fraudulent email and the signs to look out for, and how to verify the identity of an email sender against the email address used. It is also important to train staff to determine – before clicking – whether a link or attachment appears legitimate, as attachments can be infected with malware.
The next step is to implement continuous monitoring of systems and regular audits. Organizations should undertake regular information security audits of their systems, rules, policies and risk assessments annually. Frameworks such as ISO27001 and SOC 2 (US-focused) can be put in place to support this, as they require the organization to systematically create and maintain an Information Security Management System (ISMS).
Implementation of information security management
An ISMS includes several essential areas: a register of assets, the assessment and treatment of risks, and the policies, procedures and processes that the organization must adhere to. Businesses need to identify assets that could be at risk, such as information assets, physical assets, customer data, and physical assets.
To manage this, it is important to undertake consistent risk assessments. As part of this risk assessment, mitigating tasks and treatments can then be identified. As mentioned earlier, working towards ISO 27001 helps here, as the ISO standard provides the framework.
The steps towards building a functional ISMS within the framework of the ISO 27001 standard look like the following:
- ISMS framework – Defining the scope of an ISMS ensures that your ISMS is right for the business. This will define what information the organization intends to protect, including personal information and data.
- Asset register – The creation of an asset register defines the physical and informational assets that the ISMS will protect, such as information, hardware, software and physical assets.
- Risk assessment and task management – this step allows an organization to identify risks to its assets and identify treatments to mitigate those risks, including the assignment of relevant tasks to specific members of staff or to the organization as a whole.
- Creation of policies and procedures – to ensure that risks are mitigated and assets are fully protected, the business must create the policies and procedures required for ISO 27001 certification.
Increasing cybersecurity in the banking sector
New cybersecurity threats continue to emerge; organizational readiness is a crucial factor in mitigating threats and reducing the impact of those threats on a business. Staff training and awareness is extremely important, as many violations are due to human error.
Likewise, implementing an ISMS and achieving standards such as ISO 27001 and/or SOC 2, depending on business geography, can help companies limit the impact of cyber threats and build trust. consumers by showing that they have achieved internationally recognized standards for information security. .