People and processes for banking security

Issue 3 2022 Information Security, Security Services & Risk Management


Richard Frost.

South Africa is the third most-targeted country worldwide when it comes to cybercrime and it is no different with the local banking sector, which needs to ensure its systems are compliant with regulation and equipped to deal with the growing number of attacks while also actively educating both staff and customers on security best practices.

While end-users have long been targeted through identity theft and a variety of other methods, cyber-attackers are increasingly targeting organisations as well, including those in the banking and financial services sector. Often, they don’t target the organisation directly, with the major source of recent incidents being third-party breaches.

These large organisations tend to work with multiple external suppliers – or even other subsidiaries within a group – with customer or even employee data being shared between these organisations, this can be a security risk if not managed properly. This includes improperly gaining access to information that enables them to carry out social engineering and phishing attacks that are highly convincing and especially financially harmful to organisations.

If you look at a typical system in banking, it will consist of web servers, application servers and database servers, all of which communicate between each other. As an example, when you apply for a home loan online, you first go to your bank’s online portal (the web server). When you go to the specific section and apply for a home loan, an application server will then pull up all the information the bank has about you from a database server (or servers) and may even request even more information about you from credit reporting companies.

All of these systems are interconnected and need to be equally protected. All it takes is for one of these to be compromised before a cybercriminal can get access to the rest of them and as such, banks need to have stringent SLAs and security policy requirements for all their third-party providers. It’s known that banks need to ensure Payment Card Industry Data Security Standard (PCI DSS) compliance.

However, it is important that all the third-party providers that work with the banks are also compliant with this standard. The onus is on the banks and they have to look at what data they collect, where and how they store it, where and how they use it, where and how they distribute it and when they should delete or destroy it.

Addressing the human element

Another challenge is that the security efforts focus on the user experience side, or the front end. But, what about the back end? If someone can bypass your organisation’s security systems and get access to your databases, they don’t even need to worry about trying to log in as a user. Ransomware and malware that has compromised the system of someone who is a legitimate user can then carry out privilege escalation until it reaches a point where it can take over your server.

Here, it is critical that banks adopt the principle of least privilege and make use of a robust access manager that more deeply interrogates who is accessing your systems, why they want a higher level of access, what changes they intend to make and more, which thwarts automated malware requests that lack the intelligence to complete the process.

As has been made apparent time and again, the security chain is only as strong as its weakest link and this weak link is still the human being. User awareness training is one thing that the industry needs to place greater emphasis on.

It is crucial that banks don’t just put the right policies – such as PCI DSS, your IT policies, fair use policies and others – in place, but also train users to make sure they understand these policies, how it applies to them and to make them aware that they could potentially be the source of a breach.

And in the age of privacy regulations such as the Protection of Personal Information Act (PoPIA) and GDPR, these breaches are not just a source of bad publicity, or loss of trust, but could end up seeing banks having to pay huge fines and even have business leaders facing jail time. It is said that ignorance is often bliss until it’s a cybersecurity breach and your organisation is held responsible.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Cybersecurity needs actual intelligence before artificial intelligence
Information Security AI & Data Analytics
Cybersecurity depends on interpretation. A tool can tell you that something unusual has happened, but people need to determine whether it is a genuine risk, the business impact, and how to respond without causing unnecessary disruption.

Read more...
Duxbury Cybersecurity sharpens reseller offering
Duxbury Networking Information Security News & Events
Duxbury Networking has strengthened its Duxbury Cybersecurity business unit by adding WatchGuard and Cynet, giving South African resellers broader, more integrated coverage for the security risks customers are now asking them to address.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
NEC XON detects and stops ransomware attack
NEC XON Information Security IoT & Automation
Ransomware attacks rarely begin with chaos. More often, they start quietly, with probing, mapping, and patient reconnaissance inside a target’s network. That was the situation facing a global recruitment firm when cybercriminals attempted to navigate its systems.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
Sara AI Pentesting available in South Africa
Information Security News & Events
Synack and Wolfpack Information Risk are offering Sara AI Pentesting to organisations across South Africa, helping companies move from point-in-time testing to continuous security validation with AI and human expertise.

Read more...
Sophos establishes South African legal entity to strengthen local operations
News & Events Information Security
Global cybersecurity company, Sophos, has announced the formation of its local legal entity, which will support local invoicing, partner enablement, compliance requirements and expanded regional investment.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...
Cybersecurity in a digitally connected security industry
SA Technologies Information Security IoT & Automation
As more organisations move towards digital visitor management, cloud-based access control, mobile applications, biometric verification, and connected security platforms, cybersecurity must be viewed as part of the full security environment.

Read more...
Enterprises must prepare for digital conflict
Information Security
Cyberattacks can be launched remotely and at scale. A coordinated attack launched from anywhere in the world can disrupt supply chains, shut down utilities, or expose millions of customer records within minutes.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.