One of the main pillars is digital payment systems that fuels economic development and ensures financial stability as well as supports financial inclusion
Modern banking ecosystems are collaborations built on partnerships and riding on technology to provide new products and services to clients. Going forward, we shall see only digital incarnations, which is in line with the ‘Ps’: product, price, promotion, place, people, processes, and physical evidence. All these are the precepts of Banking, which is deeply backed with Technology, which will have a huge impact in how businesses, compliances, audits are done. Although no single bank can meet all of its customers’ needs, a consortium of banks and digital/tech firms can.
One of the main pillars is digital payment systems that fuels economic development and ensures financial stability as well as supports financial inclusion. Ensuring safe, secure, reliable, accessible, affordable and efficient payment systems has been one of the important strategic objectives and goals of the Reserve Bank of India (RBI). The dynamic and accelerated development of the payments ecosystem in India, facilitated by increased adoption of technology and innovation, has established the country as a force to reckon with in the global payments space, in terms of not only growth in digital payments but also availability of a bouquet of safe, secure, innovative and efficient payment systems.
The Central bank’s vision is to take these achievements to the next level with the straightforward 4 Es – E-Payments for Everyone, Everywhere, Every time which will enable every user with Safe, Secure, Fast, Convenient, Accessible, and Affordable e-payment options (the attributes).
In order to achieve this seamlessly, the providers [banks and their ecosystem] and the consumers [retail as well as wholesale] need to follow the basic security principles that have been in place for quite some time now. With improvements in the speeds of analysis [both rule-based and ML models], it has now become quite easy to excavate from an entire data lake in near real-time to throw alerts, events, incidents for humans to verify the automated responses.
What we are paranoid about especially in the BFSI sector is that of cyber breaches. The top threats that are predicted to continue to cause grief for banks and financial institutions are:
Social engineering: Probably the biggest threats to banking and finance is social engineering. Humans are THE most vulnerable link in the entire security chain – they can be tricked into giving over sensitive details and credentials. This can affect anyone – a Bank’s employees or its customers.
Social engineering takes many forms, it might be through phishing or whaling attacks or it could be by sending bogus invoices that purport to be from a trusted source. It’s extremely important to raise awareness and to be alert. The regulator and all Banks are sending out flyers, SMSes, Ads to keep the consumers as well as employees informed about social engineering tactics and how these threats continue to evolve. With no strong enforcement mechanism in the Telecommunication domain, it is nearly free for all at the moment. Albeit DLT based SMS templates have been in vogue since 2020, it has not been able to deter the bourgeoning spurious call centers [aka Jamtara] and SMS senders. The government has not been very effective in taking appropriate measures to stop the menace of spam calls and text messages.
Increased cyberattacks on Public Cloud-based systems: With public “cloud” gaining maturity and prominence, businesses are understanding the benefits of public Cloud-based systems – pay per use, less manpower to maintain the uptimes, taking backups, DRaaS etc, more software systems and data are now being stored in the public cloud. Cybercriminals have seized upon this and as a result an increase in cloud-based attacks has been one of the most prevalent cyber threats to the banking industry. Public Cloud based systems are secure but that it all depends on the configuration. Banks need to ensure that the cloud infrastructure is configured securely to protect from harmful breaches. To be on the safe side, it would better not to store any SPI or PII data on public Cloud infra till the basic workforce is sensitised and mature enough to take it forward. The regulator has not come up with any specific guideline or master circular on this area for the time being. The standard common-sensical tenets for using the cloud is already there – unless something drastic happens, the regulator will probably wait and watch till then.
Ransomware – Ransomware has been a major headache for organizations around the world for quite some time now and this is not going to stop soon. This has now evolved as full time business – RaaS [Ransomware as a Service] during the COVID times. Thanks to vulnerable unpatched, not used systems, buggy operating systems requiring near daily patches viz. windows, APIs exposed to the external world cause this grief which is quite simple to avoid. Adding further to the woes is the fact that the backups of critical data are never tested after backing up! Paying ransoms to these criminals is also not guaranteed to result in your systems access being restored and that the data would not be leaked in the future e.g. The recent AIIMS attack.
Anywhere Work Feature – The pandemic forced the world to adopt this mode for a nearly all sectors. The reliance on remote work, hybrid workforces and cloud-based software systems has become almost ubiquitous. The direct implications for the financial institutions is the exponential increase in cybersecurity vulnerabilities seen like never before. The small team of defenders are put to enormous pressure to thwart the attacks as employees are randomly accessing data on systems and networks that are controlled by the organization.
Implementing cybersecurity mitigation strategies in the banking sector can be challenging. The critical areas are:
• Talent gap – the number of appropriately trained cybersecurity professionals is significantly less than the demand.
• Unaware employees who have either not been appropriately trained in cybersecurity awareness, or their training is outdated/not properly reinforced or just recalcitrant.
• Poor/Weak credentials being used by employees which is pretty simple to guess.
• Poorly designed apps, mobile devices and APIs used for banking are being targeted by those who wish to exploit them.
• Usually the board doesn’t have technically competent members who are aware of the grave implications of the cyberthreats and can provide relevant and appropriate directions.
• Organizations shirk on first deciding on the cyber strategy and then allotting sufficient budget to deal with cybersecurity threats.
Of course, there are still steps that banks and financial institutions can take to ensure that their systems are protected against common challenges for cybersecurity in financial services. This includes:
• Bridging the talent gap by partnering with security partners who offer managed services to help provide protection.
• Implementing continuous security awareness training programs or assessing current programs to ensure that they are relevant and up-to-date with the current threat landscape.
• Identification and deployment of appropriate detection and response tools in line with the Bank’s security posture.
• Persistently carrying out consumer awareness programs so that customers don’t fall in the trap of cybercriminals.
