People and processes for banking security

Issue 3 2022 Cyber Security, Security Services & Risk Management

Richard Frost.

South Africa is the third most-targeted country worldwide when it comes to cybercrime and it is no different with the local banking sector, which needs to ensure its systems are compliant with regulation and equipped to deal with the growing number of attacks while also actively educating both staff and customers on security best practices.

While end-users have long been targeted through identity theft and a variety of other methods, cyber-attackers are increasingly targeting organisations as well, including those in the banking and financial services sector. Often, they don’t target the organisation directly, with the major source of recent incidents being third-party breaches.

These large organisations tend to work with multiple external suppliers – or even other subsidiaries within a group – with customer or even employee data being shared between these organisations, this can be a security risk if not managed properly. This includes improperly gaining access to information that enables them to carry out social engineering and phishing attacks that are highly convincing and especially financially harmful to organisations.

If you look at a typical system in banking, it will consist of web servers, application servers and database servers, all of which communicate between each other. As an example, when you apply for a home loan online, you first go to your bank’s online portal (the web server). When you go to the specific section and apply for a home loan, an application server will then pull up all the information the bank has about you from a database server (or servers) and may even request even more information about you from credit reporting companies.

All of these systems are interconnected and need to be equally protected. All it takes is for one of these to be compromised before a cybercriminal can get access to the rest of them and as such, banks need to have stringent SLAs and security policy requirements for all their third-party providers. It’s known that banks need to ensure Payment Card Industry Data Security Standard (PCI DSS) compliance.

However, it is important that all the third-party providers that work with the banks are also compliant with this standard. The onus is on the banks and they have to look at what data they collect, where and how they store it, where and how they use it, where and how they distribute it and when they should delete or destroy it.

Addressing the human element

Another challenge is that the security efforts focus on the user experience side, or the front end. But, what about the back end? If someone can bypass your organisation’s security systems and get access to your databases, they don’t even need to worry about trying to log in as a user. Ransomware and malware that has compromised the system of someone who is a legitimate user can then carry out privilege escalation until it reaches a point where it can take over your server.

Here, it is critical that banks adopt the principle of least privilege and make use of a robust access manager that more deeply interrogates who is accessing your systems, why they want a higher level of access, what changes they intend to make and more, which thwarts automated malware requests that lack the intelligence to complete the process.

As has been made apparent time and again, the security chain is only as strong as its weakest link and this weak link is still the human being. User awareness training is one thing that the industry needs to place greater emphasis on.

It is crucial that banks don’t just put the right policies – such as PCI DSS, your IT policies, fair use policies and others – in place, but also train users to make sure they understand these policies, how it applies to them and to make them aware that they could potentially be the source of a breach.

And in the age of privacy regulations such as the Protection of Personal Information Act (PoPIA) and GDPR, these breaches are not just a source of bad publicity, or loss of trust, but could end up seeing banks having to pay huge fines and even have business leaders facing jail time. It is said that ignorance is often bliss until it’s a cybersecurity breach and your organisation is held responsible.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Governing cybersecurity from the top as a strategic business enabler
Cyber Security
C-Suite executives still do not take cybersecurity seriously enough, while boards are not nearly as engaged in cybersecurity as they are in other areas of oversight.

It is time to take a quantum leap in IoT cybersecurity
Drive Control Corporation Cyber Security
IoT has become integrated everywhere, including enterprises. While it offers many benefits, such as increased productivity and the rollout of mission critical applications, it can also lead to (enterprise) cyber-attack vulnerabilities.

What to do in the face of growing ransomware attacks
Technews Publishing Cyber Security Security Services & Risk Management
Ransomware attacks are proliferating, with attackers becoming more sophisticated and aggressive, and often hitting the same victims more than once, in more than one way.

Where does SA logistics stand as far as cybersecurity is concerned?
Logistics (Industry) Security Services & Risk Management
Lesiba Sebola, director of information technology at Bidvest International Logistics, says it is paramount to safeguard IT infrastructure given how central it has become to operations.

Can we reduce cyberattacks in 2023?
Cyber Security
Zero-trust cybersecurity strategy with simplicity and risk reduction at the heart is mandatory to reduce exponential cyberattacks in 2023, says GlobalData.

Key success factors that boost security resilience
Cyber Security
Adoption of zero trust, secure access service edge and extended detection and response technologies, all resulted in significant increases in resilient outcomes, as are executive support and cultivating a security culture.

Enterprise threats in 2023
News Cyber Security
Large businesses and government structures should prepare for cybercriminals using media to blackmail organisations, reporting alleged data leaks, and purchasing initial access to previously compromised companies on the darknet.

CA Southern Africa unmasks container security
Technews Publishing IT infrastructure Cyber Security
Adoption of software containers has risen dramatically as more organisations realise the benefits of this virtualised technology.

Shifts in threat landscape to industrial control systems
Cyber Security
Kaspersky’s ICS CERT researchers’ predictions include increased attack surface due to digitisation, activities of volunteer and cybercriminal insiders, ransomware attacks on critical infrastructure as well as the technical, economic and geopolitical effects, and the rise of potential vulnerabilities being exploited by attackers.

Advanced persistent cybercrime
Cyber Security
FortiGuard Labs predicts the convergence of advanced persistent threat methods with cybercrime. Advanced persistent cybercrime enables new wave of destructive attacks at scale, fuelled by Cybercrime-as-a-Service.