Online And Mobile Banking Pose Biggest Security Threat talks to Atul Kumar - Assistant GM-IT, Syndicate Bank, who elaborates on trends and technologies for minimising risks and ensuring IT security in banks. He also shares how Syndicate Bank protects its 23 million customers from the challenges that arise from the proliferation of online banking, mobile banking and more with a unified threat management system and risk management practices.

According to you, what is the biggest new-age security threat faced by the banking industry today?

I feel that online and mobile banking transactions pose the biggest security threat today. Like most banks, we also follow two-factor authentication code and have firewalls and anti-virus in place, which takes care of most of the routine security threats. But I feel the real issue arises from the fact that a customer can access his or her online account from any place – it could be house or a remote computer café, and we have no control over the location from where a customer chooses to access his or her online account and makes online transactions. Hence, we don’t know what Trojan might enter our system.

However, we can’t deny an online transaction merely because we don’t know from where it is being accessed. We just have to fasten our belts and ensure a robust security system is in place.

How vital is it to put additional security layers around devices such as routers or firewalls?

We are very cautious about our security implementations. We not only have the regular firewalls and anti-virus in place, but also have implemented a unified threat management system.

To add on to it, we have also implemented an intrusion prevention system that is able to tackle most of the security threats to our systems. Furthermore, we have installed HIPS - a host-based prevention system that secures the server when any transaction is taking place.

How important is identity and access management? Should it be the key priority on a bank’s agenda?

We use a two-factor authentication system as per the RBI directions that place high emphasis on access and identity management. However, I feel that we should consider adopting single password system. Once we have identified who the customer is, what is the point of expecting the customer to recall so many passwords?

I am myself a user of online banking facilities, and moreover, many people have multiple bank accounts. So in totality, how many passwords can you expect an average customer to remember? I personally feel it could become harrowing at times. There should be a single password entry across all transactions for each customer. But obviously this is subject to approval from the RBI.

Can risk management help in transforming the banking experience? What has been your experience in this regard?

Risk management is very critical and it provides a lot of quality inputs on each customer. We can easily find out if somebody is a good customer or not. We can also assess the credit worthiness of a customer and the risk appetite each customer possess. Such things are helpful in giving many facilities and loans to a customer.

We undertake risk profiling quite regularly. On the basis of the risk profiling of a customer, we can also offer a lot of facilities to the customer, a common practice followed in western countries.

But it is quite a daunting task for us. We have about 23 million customers, and we have to complete risk profiling based on custom segregation. However, I’d also like to add that we have completed the risk profiling for 80 percent of our customers.

There is a belief that once a company has achieved its compliance targets, it has in a way secured itself from security threats. What is your take on this?

It is true that there are a set of RBI directives that we are must comply to. However, it is also true that banks need to constantly check if the security measures are efficient. For instance, Syndicate Bank often indulges in ethical hacking, which means that the systems are hacked into at a pre-specified time. These attacks are carried by different agencies, and are carried out just to ensure that all these security systems in place are actually able to prevent risks and attacks. We make sure that these attacks are carried out once in every six months as per RBI directive. This also tests our security systems.

How do you keep pace with the fast-changing security requirements and expectations? How do you plan for business continuity in the event of a security disaster?

I personally feel that security can never be 100 percent foolproof. At the same time, a proper business continuity plan needs to be devised. It needs to be tested routinely and the employees should be well equipped to work with it in crisis situation. But, I have often observed that many organisations prefer to retain much less people at its DR offices as compared to the number of regular employees in the main offices.

Now, in case of an emergency, how do you expect the DR site, which acts as a back-up to the main offices to take the full load, unless you keep testing the business continuity plan and make sure that the employees are trained properly? It is critical that people are thoroughly trained to handle any disaster situation and the systems are robust for the same.

Updated Date: Feb 02, 2017 23:17:05 IST