From insider threats to social engineering and phishing attacks, the banking sector today has to be prepared to deal with security woes on multiple fronts. Hitesh Mulani, CISO, Yes Bank, in a discussion with Biztech2.com, apprises us of the evolving threat landscape in the banking sector and the factors determining it.
What is the biggest new-age security threat faced by the banking industry today?
Insider threats have been and continue to be the single largest threat that all banks are faced with. While there are multiple tools, such as network and data security, to avert threats to a reasonable extent, insider frauds continue to evolve with the various technology platforms and keep the Information Security functions at banks on their toes at all times.
Broadly speaking, what are the major factors influencing governance strategies in the banking industry today?
The major factor that influences governance strategies is the constantly evolving threat landscape, which now includes a range of threat vulnerabilities on different platforms. The strategy needs to provision for this. The governance strategies are also required to incorporate steps that ensure regulatory and compliance requirements are met. We realise that there is a constant need for direct access to top management and so independent reporting structures have to be built. And, since the risk appetite of organisations is limited, especially in the banking industry, Information Security must be ingrained into every process/function of the banking business.
Online and mobile banking have become indispensable to banking today. What security threats do you see with the proliferation of these channels?
Security threats posed by online and mobile banking include lack of fool-proof mechanisms for non-repudiation of end users and customers; exposure of the service to one and all – including those who do not need it, but can still ‘knock at the doors’ and try to penetrate. Finally, there is the perpetual threat from the flow of data through multiple third-party service providers and from viruses/Trojans/spyware.
What strategy should be put in place for secure mobile financial services considering they can be accessed from various devices and points?
Mobile application security testing forms an integral part of the strategy to secure mobile financial services. Apart from this, the application architecture and network architecture form an important portion of a secure set-up of mobile financial services.
How important is identity and access management? Should it be the key priority on a bank’s agenda?
It has to be a key factor on every bank’s agenda given that the insider threat is always looming. Provisioning and de-provisioning, and most importantly, frequently changing profiles are a constant bone of contention that leave a few gaping loopholes in the security fabric from time to time.
Do you see social engineering as a major threat to the banking sector? What should be done to curb security threats arising from social engineering?
Social engineering is a major threat, and the only possible way to curb it seems to be via robust security awareness programs at all levels, both inside and outside the bank – for internal users, vendors and partners as well as the customers. Besides, there are very few means of curbing the menace of new-age social engineering techniques like phishing through real-time monitoring. Hence, better end-user vigilance via greater security awareness is the most effective mechanism.
What makes risk management critical for the banking sector?
With the proliferation of multiple channels and continued focus to further reach out to customers via new and innovative channels, and the increasingly competitive products being offered in the banking space, risk management has become indispensable to the banking function. It needs to be rigorously practiced in true spirit in all functions of the bank.