People and processes for banking security

Issue 3 2022 Cyber Security, Security Services & Risk Management

Richard Frost.

South Africa is the third most-targeted country worldwide when it comes to cybercrime and it is no different with the local banking sector, which needs to ensure its systems are compliant with regulation and equipped to deal with the growing number of attacks while also actively educating both staff and customers on security best practices.

While end-users have long been targeted through identity theft and a variety of other methods, cyber-attackers are increasingly targeting organisations as well, including those in the banking and financial services sector. Often, they don’t target the organisation directly, with the major source of recent incidents being third-party breaches.

These large organisations tend to work with multiple external suppliers – or even other subsidiaries within a group – with customer or even employee data being shared between these organisations, this can be a security risk if not managed properly. This includes improperly gaining access to information that enables them to carry out social engineering and phishing attacks that are highly convincing and especially financially harmful to organisations.

If you look at a typical system in banking, it will consist of web servers, application servers and database servers, all of which communicate between each other. As an example, when you apply for a home loan online, you first go to your bank’s online portal (the web server). When you go to the specific section and apply for a home loan, an application server will then pull up all the information the bank has about you from a database server (or servers) and may even request even more information about you from credit reporting companies.

All of these systems are interconnected and need to be equally protected. All it takes is for one of these to be compromised before a cybercriminal can get access to the rest of them and as such, banks need to have stringent SLAs and security policy requirements for all their third-party providers. It’s known that banks need to ensure Payment Card Industry Data Security Standard (PCI DSS) compliance.

However, it is important that all the third-party providers that work with the banks are also compliant with this standard. The onus is on the banks and they have to look at what data they collect, where and how they store it, where and how they use it, where and how they distribute it and when they should delete or destroy it.

Addressing the human element

Another challenge is that the security efforts focus on the user experience side, or the front end. But, what about the back end? If someone can bypass your organisation’s security systems and get access to your databases, they don’t even need to worry about trying to log in as a user. Ransomware and malware that has compromised the system of someone who is a legitimate user can then carry out privilege escalation until it reaches a point where it can take over your server.

Here, it is critical that banks adopt the principle of least privilege and make use of a robust access manager that more deeply interrogates who is accessing your systems, why they want a higher level of access, what changes they intend to make and more, which thwarts automated malware requests that lack the intelligence to complete the process.

As has been made apparent time and again, the security chain is only as strong as its weakest link and this weak link is still the human being. User awareness training is one thing that the industry needs to place greater emphasis on.

It is crucial that banks don’t just put the right policies – such as PCI DSS, your IT policies, fair use policies and others – in place, but also train users to make sure they understand these policies, how it applies to them and to make them aware that they could potentially be the source of a breach.

And in the age of privacy regulations such as the Protection of Personal Information Act (PoPIA) and GDPR, these breaches are not just a source of bad publicity, or loss of trust, but could end up seeing banks having to pay huge fines and even have business leaders facing jail time. It is said that ignorance is often bliss until it’s a cybersecurity breach and your organisation is held responsible.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

The benefits of investing in whole-house surge protection
Smart Home Automation Security Services & Risk Management Residential Estate (Industry)
When you consider that the potential for equipment damage can run well into the hundreds of thousands of rands, whole-house surge protection is a worthwhile expense.

2022 Cloud Security Report
Cyber Security IT infrastructure
The 2022 Cloud Security Report reveals how security executives and practitioners are using the cloud, how their organisations are responding to security threats in the cloud, and the challenges they are facing.

Arcserve launches N Series appliances
IT infrastructure Cyber Security
Arcserve introduces N Series appliances offering enterprise-level integrated data protection, recovery and cybersecurity to allow customers to simplify their IT environments and secure data.

Are you your insider threat?
Technews Publishing Editor's Choice Security Services & Risk Management Commercial (Industry)
Insider threats are a critical aspect of risk management today, but what happens when it is the owner of the company acting fraudulently and making sure none of his staff can catch him?

Securing business information more important than ever
Cyber Security Products
SMBs need to operate safely within the physical and virtual boundaries created by work-from-home business practices, as well as in-office operations.

Storage is essential for a comprehensive cybersecurity strategy
Integrated Solutions Cyber Security
Cyber resilience is the ability of an enterprise to limit the impact of security incidents by deploying and arranging appropriate security tools and processes.

Malicious file protection for mobile devices
Cyber Security
The new version of Check Point Harmony Mobile, a mobile threat solution, can now block the download of malicious files to mobile devices, preventing file-based cyberattacks on organisations.

Passion, drive and hard work
Technews Publishing Editor's Choice CCTV, Surveillance & Remote Monitoring Security Services & Risk Management
Colleen Glaeser is a leader in the security market, having made her mark in the male-dominated security industry through determination and hard work, along with a vision of making the world a safer place.

Turnkey data loss prevention solution
IT infrastructure Cyber Security Products
Acronis’s expertise in data protection and the managed service provider market yields an innovative, fast-track approach for the prevention of catastrophic data leaks.

The cybersecurity consolidation conundrum
Editor's Choice Cyber Security Healthcare (Industry)
Check Point discusses why less is sometimes more when it comes to securing your organisation from the innumerable cyberattacks happening every day.