Unlocking security in an API economy

To protect their customers, Financial Institutions must prioritise API security.

Greater reliance on digital services presents more opportunities for cybercriminals to carry out identity theft, fraud, and unauthorised data collection, and much of that digital activity now flows through APIs. Therefore, to protect their customers, financial institutions must prioritise API security.

Intensified competition from digital natives and nimble new-age fintechs has forced legacy banks and traditional financial institutions to reinvent themselves.

To address the challenges arising from ever-changing market dynamics and customer demands, banks are leveraging emerging technologies including artificial intelligence, machine learning, cloud, and Application Programming Interfaces (APIs).

In fact, APIs have enabled many large traditional private sector banks in India to re-architect their legacy systems, take control of their data and deliver faster, newer, better, and personalised customer experiences. Since the launch of the Unified Payments Interface (UPI) in 2016, banks have also used APIs to create frictionless value-added services, from providing instant access to payment tracking information and updating KYC in real time to integrating legacy systems with mobile, web and cloud solutions.

But while the utility of integrating APIs with traditional banking systems is evident, they also bring a fair share of security concerns. These include breaches caused by broken authentication or authorisation, and injection flaws, where untrusted input from an API request is passed on unchecked to a database or another backend system and interpreted as a command. What’s more, poor programming at the API level can have serious repercussions.

Any misconfiguration or coding flaw at the API layer can be exploited as an entryway for cybercriminals to gain access to personal data, manipulate a transaction, or shut down a key service. Such data is of great value to attackers, who can not only sell the information on the dark web but also use it to carry out spear-phishing attacks, account takeovers, and even business email compromise.
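To make the two flaws above concrete, here is an added example (not the author's code, and not any real bank's API) of a hypothetical payment-tracking endpoint in Python. The vulnerable handler concatenates the request's payment id into SQL and never checks that the record belongs to the authenticated caller, so one request can both inject SQL and read another customer's transaction. The hardened handler validates the input, binds it as a query parameter, and enforces object-level authorisation. The database, table and customer rows are constructed in memory for the example.

```python
"""Vulnerable vs hardened API handler for a hypothetical /v1/payments/{id} endpoint.

Added illustration only: the endpoint, table layout and sample rows are invented
for this example and do not come from any real banking system.
"""
import sqlite3


def make_db():
    """Build an in-memory database with two constructed customer payment records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE payments (id INTEGER PRIMARY KEY, customer_id TEXT, "
        "amount REAL, status TEXT)"
    )
    db.executemany(
        "INSERT INTO payments VALUES (?, ?, ?, ?)",
        [(1, "cust-100", 250.0, "SETTLED"), (2, "cust-200", 9800.0, "PENDING")],
    )
    return db


def handle_get_payment_vulnerable(db, caller_id, payment_id):
    """Vulnerable handler: returns (http_status, body).

    Two defects: the path parameter is pasted into the SQL string (injection),
    and caller_id is never compared with the owner of the record (missing
    object-level authorisation), so any caller can read any payment.
    """
    query = (
        "SELECT id, customer_id, amount, status FROM payments "
        f"WHERE id = {payment_id}"
    )
    rows = db.execute(query).fetchall()
    return 200, [
        {"id": r[0], "customer_id": r[1], "amount": r[2], "status": r[3]} for r in rows
    ]


def handle_get_payment(db, caller_id, payment_id):
    """Hardened handler: returns (http_status, body) like a framework route would."""
    # 1. Validate the untrusted path parameter before it touches the database.
    if not payment_id.isdigit():
        return 400, {"error": "payment id must be an integer"}
    # 2. Parameterised query: the driver binds the value, so it is never parsed as SQL.
    row = db.execute(
        "SELECT id, customer_id, amount, status FROM payments WHERE id = ?",
        (int(payment_id),),
    ).fetchone()
    # 3. Object-level authorisation: the record must belong to the authenticated
    #    caller. "Not found" and "not yours" share one response so that ids
    #    cannot be enumerated by probing for 403 versus 404.
    if row is None or row[1] != caller_id:
        return 404, {"error": "payment not found"}
    return 200, {"id": row[0], "amount": row[2], "status": row[3]}


if __name__ == "__main__":
    db = make_db()
    # cust-100 reads every row, including cust-200's, through a single injected id.
    print(handle_get_payment_vulnerable(db, "cust-100", "1 OR 1=1"))
    # cust-100 reads cust-200's record simply by changing the id.
    print(handle_get_payment_vulnerable(db, "cust-100", "2"))
    # Hardened: own record is returned, a foreign id and an injected id are refused.
    print(handle_get_payment(db, "cust-100", "1"))
    print(handle_get_payment(db, "cust-100", "2"))
    print(handle_get_payment(db, "cust-100", "1 OR 1=1"))
```

The ownership check is the part most often forgotten: parameterised queries stop the injection, but without comparing the record's owner to the authenticated caller the endpoint still leaks one customer's transactions to another.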

Attacking systems and networks through APIs is a trend that is catching on the world over. In fact, Gartner has predicted that API attacks will become the most frequent attack vector in 2022. In this context, another cause for worry is that most API attacks go unreported, as they tend not to receive the same level of attention as a well-executed ransomware attack. Even developers and IT teams often treat API security as an afterthought in the rush to bring products to market.

Therefore, APIs, while delivering tremendous value, can also adversely affect banking infrastructure by considerably widening the attack surface available to bad actors. As both enterprises and consumers move into more digitised ecosystems, taking the necessary steps to minimise this attack surface will be essential to the security of every network.

This can be done efficiently only if security concerns are addressed at the design stage itself, which is the central aim of DevSecOps.

DevSecOps, or shift-left security, brings IT teams and developers together to ensure that security is integral to the development process and, more importantly, embeds a culture of security throughout the organisation. In the current business environment, where security must span endpoints, devices, and multiple cloud environments, a strong, security-focused culture is on track to become make-or-break for organisations, setting the stage for how they will perform in an ever-changing market.

On the backend, financial institutions need to integrate security into all stages of the software delivery process and ensure that they have visibility on their entire API ecosystem.

Financial institutions must also build customer trust and strengthen anti-fraud measures by including customer education in their security strategy. Special care should be given to groups like the elderly, who may be more susceptible to fraud as new users of digital banking platforms. Such efforts can also be reinforced by government programmes that spread awareness. In Singapore, for example, several government agencies worked together to develop the SG Cyber Safe Seniors Programme, which educates seniors on cybersecurity and cyber hygiene practices.

In addition, organisations must include every API in their asset inventory and assess the security of those that are external-facing. Monitoring API interactions for anomalous activity, such as one client reading far more accounts than a genuine customer would or a burst of failed authentication attempts from one source, and acting on it is also vital.
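As an added example of what that monitoring can look like (not the author's tooling, and not a description of any vendor product), the Python below runs two simple detections over API gateway access logs: one bearer token reading more distinct account ids within a window than a genuine customer would, which is the signature of an account-enumeration or broken-authorisation probe, and a burst of 401/403 responses to a single source address. The log format, field names, thresholds and the sample lines are all constructed for the example; a real deployment would map them onto its own gateway's log schema.

```python
"""Anomaly detection over constructed API gateway access logs.

Added illustration only. The log format (timestamp ip method path status token)
and the thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<token>\S+)$"
)
# Paths of the form /v1/accounts/<id>[/...] carry the account being read.
ACCOUNT_RE = re.compile(r"^/v1/accounts/(?P<account>\d+)(?:/|$)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    am = ACCOUNT_RE.match(rec["path"])
    rec["account"] = am.group("account") if am else None
    return rec


def detect(lines, window_s=60, max_accounts=5, max_auth_failures=5):
    """Return a list of alert dicts {"rule", "key", "count"} found in the lines."""
    window = timedelta(seconds=window_s)
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])
    alerts, flagged = [], set()

    # Rule 1: one token reading more than max_accounts distinct account ids
    # inside the sliding window. A customer touches a handful of their own
    # accounts; a walk over sequential ids is an enumeration or BOLA probe.
    by_token = defaultdict(deque)
    for r in records:
        if r["account"] is None or r["token"] == "-":
            continue
        hist = by_token[r["token"]]
        hist.append((r["ts"], r["account"]))
        while r["ts"] - hist[0][0] > window:  # drop entries older than the window
            hist.popleft()
        distinct = len({acct for _, acct in hist})
        if distinct > max_accounts and r["token"] not in flagged:
            flagged.add(r["token"])
            alerts.append({"rule": "account_enumeration", "key": r["token"], "count": distinct})

    # Rule 2: max_auth_failures or more 401/403 responses to one source ip
    # inside the window (credential stuffing or token guessing).
    by_ip = defaultdict(deque)
    for r in records:
        if r["status"] not in (401, 403):
            continue
        hist = by_ip[r["ip"]]
        hist.append(r["ts"])
        while r["ts"] - hist[0] > window:
            hist.popleft()
        if len(hist) >= max_auth_failures and r["ip"] not in flagged:
            flagged.add(r["ip"])
            alerts.append({"rule": "auth_failure_burst", "key": r["ip"], "count": len(hist)})
    return alerts


# Constructed sample log: a normal customer, a token walking sequential account
# ids, a source hammering the login endpoint, and one malformed line.
SAMPLE_LOG = (
    [
        "2024-05-01T10:00:00Z 203.0.113.7 GET /v1/accounts/100 200 tok_alice",
        "2024-05-01T10:00:05Z 203.0.113.7 GET /v1/accounts/100/transactions 200 tok_alice",
    ]
    + [f"2024-05-01T10:01:{i:02d}Z 198.51.100.23 GET /v1/accounts/{200 + i} 200 tok_probe"
       for i in range(8)]
    + [f"2024-05-01T10:02:{i:02d}Z 198.51.100.9 POST /v1/login 401 -" for i in range(6)]
    + ["not a log line"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules fire on the first request that crosses the threshold and then stay quiet for that key, which keeps one probing client from flooding the alert queue; in production the thresholds would be tuned against a baseline of genuine traffic rather than set by hand.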

To conclude, APIs inherently bring a great deal of simplicity, transparency, and innovation for banks. But if this endeavour does not include cybersecurity at its core, then any resulting data breaches could not only lead to severe financial loss, but also mar reputations and brand goodwill. This makes API security a crucial consideration and a must-have for banking organisations looking to make their mark in the customer experience domain.

Sean Duca, Vice President and Regional Chief Security Officer, Asia Pacific & Japan, Palo Alto Networks

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
