BFSI VISION | Cyber Security


Pratip Banerji
Director – Sales, BFSI, CA Technologies

Need for Technological Innovation is the driver for most SMEs

Given our ability in the information security sphere, why is Cyber Security a problem?
Cyber-attacks have been the average talk when it comes to the issue of Security, but the true security professional and business leaders now know where the threat really is growing. Business was managed, but not as innovative or agile as it is today. As traditional ‘protection’ of data becomes yesterday’s security, the new era is one in which we exchange information to conduct business. As that line between personal and business connections blurs, these are trying times for information security. The threat vector is focused on data, information and more so data that enables profits for the people who seek it.

CA Technologies has been at the forefront of addressing security issues with a wide variety of security solutions including Identity Management, Access Control and Authentication on your premise, as a service and as SaaS, enabling CIOs to tackle security issues at a greater level.

Is security for SMEs a problem? How do we ensure security for MSME users?
What drives most SMEs is the need for technological innovation, to be at par with the industry or above and meet the customer demands. This is perhaps one of the most pertinent aspects of an SME's growth in today's scenario and hence secure technology is top-of-mind for these companies. However, with tight budgets, it becomes increasingly difficult for SMEs to allocate resources towards IT Infrastructure. This perhaps is one of the direst issues an SME faces when it comes to securing their IT. For small and medium enterprises, it is extremely important to strike a balance between innovation and allocation of budgets with respect to enterprise security. Of course, every company whether big or small will always have a few cracks in the system and this is why SMEs have been increasingly coming under the threat of cyber-attacks.

However, this does not mean that the same cannot be controlled. To begin with, as budgets are usually tight for SMEs, it would be impractical to deploy a whole department towards maintaining this security. Enterprises should therefore assign this task to an IT partner with experience in security like CA Technologies. Secondly, SMEs need to sift through their data and decide what is critical for them and would need to be most protected. In doing so, they would be able to allocate a fixed amount of their budget towards securing the data.

How do we extend it to the cloud?
Enterprises are becoming increasingly aware about the need for cloud adoption. Industries such as BFSI have outpaced others. Being a consumer-facing industry and a highly data-oriented business, BFSI is leading the cloud adoption trend. This is due to the large amount of sensitive data that a bank or financial institution has. Also, with online payments increasing, the need for One Time Passwords is growing in order to safeguard these payments.

There are a few best practices to implement for BFSI organizations. Go with an established provider, know where your data is being stored, do demand strong Service Level Agreements and ensure you maintain strong oversight of your Cloud Computing provider and not merely see it as a one-off contract but a regular milestone check, before you surrender systems to the Cloud. Test for breaches proactively, ensure new business models like citizen services do take effect before you invest and above all be proactive. Reactive Security is a big market for providers of the Protection Systems but often too late, and thinking ahead when you build out is considered luxury, but is a need and a want now. The way people communicate, collaborate and do commerce in the digital world is changing; adapt to it. The Security of No has to become the Security of Know.

What metrics do BFSI players need to adopt for security?
Banks have realized that if they want to manage next-gen cyber threats, their employees also need to gear up. Special training sessions on tackling security threats are being organized for employees and there are efforts to create awareness among customers through social media platforms. According to KPMG, the majority of the banks continue to remain largely dependent on incidents being reported by their customers/employees, highlighting the need for a real-time incident management mechanism. Studies indicate that nearly 80% of the banks do not have a separate privacy function. Banks should essentially align internal policies, procedures and deploy technology safeguards for protecting sensitive personal information. However, the KPMG survey stated that not many are aware of privacy principles and entities for data protection. According to a PwC report, 86% of banking chief executives identify technological advances as the trend that will have the greatest impact on their business interests. As the magnanimity of threats is unpredictable, there is a need for more efforts to tackle those technologically advanced hackers. But what’s hindering the efforts is the limited understanding of the risks. As banks are required to manage massive data, IT managers are compelled to develop a risk appetite. Traditionally, banks in emerging markets have paid little attention to cultivating a risk culture, where employees feel encouraged to speak up when they observe new risks. A recent McKinsey report explains that fostering such an atmosphere not only requires the involvement of a multitude of stakeholders, but also is time-consuming.

Today with the adoption of technology and the penetration of online banking across the nation, the issue of security has taken prime importance. In lieu of this, Banks should develop and execute appropriate awareness/education programs about their e-banking products and services to ensure that a customer is properly identified and authenticated before access to online banking functions is permitted. For this purpose, they can use multiple channels such as websites, messages printed on customer statements, promotional leaflets, or direct staff communication through call-centres. At the same time, banks need to become an advisor to their customers and advise them on selecting robust passwords that cannot be easily cracked. The Board of Directors and senior management should establish an effective management committee to oversee the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage the said risks.

What digital forensic frameworks would you suggest for India? What would you suggest for mobile threats?
The Financial services industry has undergone significant changes in the recent past. The market has become highly commoditized and therefore, it is of prime importance for enterprises to be on top of things in order to not be lost in the crowd of the growing financial services market. To counter this issue, the financial services sector has been experiencing the benefits of digital platforms which have brought about a new flavour to this sector. However, with digital technologies making in-roads into the financial sector, the issue of security is of grave concern and appropriate measures need to be undertaken to tackle the same. As such, we don’t have any digital framework in place; this is something which needs to be addressed at the earliest. However, some basic hygiene factors which we need to implement include the following: The need to analyse how well technology will fit in with the enterprise’s operations. Also, enterprises need to be clear about their strategy and ensure that it should complement and not complicate and compete with its offline interests.

With adoption of innovative tech models in the banking arena, there is an increased risk of threats. Therefore, it is essential for banks to ensure protection of information and maintain customer confidentiality. As a result, there is lots to be done in this space. RBI has mandated banks to ensure technology used for mobile and internet banking is secure and offers confidentiality, integrity, authorization as well as authenticity. In line with the increasing mobile threats, it is essential for the IT department to implement policies which are critical within the prevalent BYOD environment. It is humanly impossible for the IT sector to monitor the end users’ personal devices but BYOD policies can educate users on what behaviours are acceptable and what are not. They should also specify what practices are not safe for devices that have access to the bank’s network. Also, Mobile Device Management (MDM) allows one to easily manage and secure the end-user devices. Another effective way to avoid these threats is encrypting data, thereby making it inaccessible when a device is hacked into. By combining education, software tools and system updates, IT can ensure that they have taken the appropriate steps toward protecting the mobile systems and devices that are being used to access any bank information.