People and processes for banking security

Issue 3 2022 Information Security, Security Services & Risk Management


Richard Frost.

South Africa is the third most-targeted country worldwide when it comes to cybercrime and it is no different with the local banking sector, which needs to ensure its systems are compliant with regulation and equipped to deal with the growing number of attacks while also actively educating both staff and customers on security best practices.

While end-users have long been targeted through identity theft and a variety of other methods, cyber-attackers are increasingly targeting organisations as well, including those in the banking and financial services sector. Often, they don’t target the organisation directly, with the major source of recent incidents being third-party breaches.

These large organisations tend to work with multiple external suppliers – or even other subsidiaries within a group – with customer or even employee data being shared between these organisations, this can be a security risk if not managed properly. This includes improperly gaining access to information that enables them to carry out social engineering and phishing attacks that are highly convincing and especially financially harmful to organisations.

If you look at a typical system in banking, it will consist of web servers, application servers and database servers, all of which communicate between each other. As an example, when you apply for a home loan online, you first go to your bank’s online portal (the web server). When you go to the specific section and apply for a home loan, an application server will then pull up all the information the bank has about you from a database server (or servers) and may even request even more information about you from credit reporting companies.

All of these systems are interconnected and need to be equally protected. All it takes is for one of these to be compromised before a cybercriminal can get access to the rest of them and as such, banks need to have stringent SLAs and security policy requirements for all their third-party providers. It’s known that banks need to ensure Payment Card Industry Data Security Standard (PCI DSS) compliance.

However, it is important that all the third-party providers that work with the banks are also compliant with this standard. The onus is on the banks and they have to look at what data they collect, where and how they store it, where and how they use it, where and how they distribute it and when they should delete or destroy it.

Addressing the human element

Another challenge is that the security efforts focus on the user experience side, or the front end. But, what about the back end? If someone can bypass your organisation’s security systems and get access to your databases, they don’t even need to worry about trying to log in as a user. Ransomware and malware that has compromised the system of someone who is a legitimate user can then carry out privilege escalation until it reaches a point where it can take over your server.

Here, it is critical that banks adopt the principle of least privilege and make use of a robust access manager that more deeply interrogates who is accessing your systems, why they want a higher level of access, what changes they intend to make and more, which thwarts automated malware requests that lack the intelligence to complete the process.

As has been made apparent time and again, the security chain is only as strong as its weakest link and this weak link is still the human being. User awareness training is one thing that the industry needs to place greater emphasis on.

It is crucial that banks don’t just put the right policies – such as PCI DSS, your IT policies, fair use policies and others – in place, but also train users to make sure they understand these policies, how it applies to them and to make them aware that they could potentially be the source of a breach.

And in the age of privacy regulations such as the Protection of Personal Information Act (PoPIA) and GDPR, these breaches are not just a source of bad publicity, or loss of trust, but could end up seeing banks having to pay huge fines and even have business leaders facing jail time. It is said that ignorance is often bliss until it’s a cybersecurity breach and your organisation is held responsible.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Managed security solutions for organisations of all sizes
Information Security News & Events
Cyber attackers have become significantly more sophisticated and determined, targeting businesses of all sizes. PwC’s Global Digital Trust Insights Survey 2025 Africa and South Africa highlights the urgent need for organisations to implement robust cyber risk mitigation strategies.

Read more...
Data resilience at VeeamON
Technews Publishing SMART Security Solutions Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...
The role of drones in farm protection
Agriculture (Industry) Security Services & Risk Management
Laurence Palmer reminds us of the role drones play in agricultural security and offers a free security risk assessment template for downloading (link at the end of the article).

Read more...
SMART Surveillance Conference in Johannesburg
Arteco Global Africa Technews Publishing SMART Security Solutions Axis Communications SA neaMetrics Editor's Choice Surveillance Security Services & Risk Management Logistics (Industry) AI & Data Analytics
SMART Security Solutions hosted its annual SMART Surveillance Conference in Johannesburg in July, welcoming several guests, sponsors, and speakers for an informative and enjoyable day examining the evolution of the surveillance market.

Read more...
Troye exposes the Entra ID backup blind spot
Information Security Infrastructure
If you trust Microsoft to protect your identity, think again. Many organisations naively believe that Microsoft’s shared responsibility model covers Microsoft Entra?ID – formerly Azure AD – but it does not.

Read more...
Secure data protection without hardware lock-in
Infrastructure Information Security News & Events
New Veeam Software Appliance empowers IT teams to achieve instant protection with Veeam’s fully preconfigured, software-only appliance, delivering enterprise-ready simplified deployment and operational efficiency, robust cyber resilience.

Read more...
Check Point launches open, vendor-neutral MDR services
Information Security News & Events Products & Solutions
New Check Point MDR 360° and MXDR 360° offerings deliver 24/7 managed continuous threat monitoring protection across endpoints, cloud and network environments with built-in identity threat detection and 160+ integrations across hybrid, multi-vendor environments.

Read more...
Credential theft surges in South Africa
NEC XON Information Security
NEC XON issues a critical cybersecurity warning about the dual threat of massive credential theft and AI-powered cyberattacks sweeping across the region, with an increasing number of incidents and evolving threat tactics.

Read more...
Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.