BFSI VISION | Cyber Security


Ramnath Iyer
Global Head, Corporate Research, CRISIL

Financial Institutions need to focus more on risk-based control implementation

What is your assessment of the cyber security governance issues in the BFSI space?
The Indian BFSI sector is fairly evolved in terms of cyber security. However, the evolution is driven more by regulations and directives than a felt need to increase security levels. As a result, the implemented security controls are assessed more through audits and not adequately through white hat hacking or vulnerability and pen tests. Due to this, the actual effectiveness of the security controls is not benchmarked across the industry. That said, cyber security levels in India are among the best, and at par with those of more developed countries. Furthermore, the security levels are being constantly upgraded, and with access to the best brains and technology, we will continue to be among the countries that are less vulnerable to cyber-crime.

Cyber protection is only as good as the weakest link. What is the weakest link in India?
System users remain the weakest link and the easiest way to compromise systems. Although there are a lot of controls available to restrict security threats emerging from users’ carelessness, implementation of these controls in an efficient and effective manner is still missing.

The recent spate of cyber-attacks is showing a worrying trend: we seem to be moving from simple phishing to more sophisticated attacks. How can we protect our banks?
Again, protection will largely involve user education. Most Financial Institutions need to focus more on risk-based control implementation rather than event- or audit-based control implementation. In addition, the ownership of security-related activities should be shared between Technology, Human Resources, Finance, Legal, Administration and business units. This will ensure proper implementation and effectiveness of the different security controls that are implemented in the organisation. Regular reviews and proactive monitoring will help in improving the effectiveness of security controls that are implemented in the environment. Awareness campaigns related to cyber security for all employees, customers, partners, etc. on a periodic basis can help in improving the security framework in banks.

We have seen a profusion of devices and passwords. How can we ensure customers establish their identity easily across the devices?
Employing two- or three-factor authentication mechanisms can help in establishing customer identity across devices, IP addresses and geographies. Real-time reporting of any event from an unknown device to the customer helps in detecting unwarranted activities. A review of devices mapped to the customer’s identity on a periodic basis should be enforced on customers to ensure proactive detection of truant devices. Finally, biometric passwords can improve security standards across devices.
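The device-to-customer mapping, real-time unknown-device alerting and periodic review of stale devices described in this answer, as an added illustration that is not part of the interview or of any bank's system; customer and device identifiers and timestamps are constructed, and the 90-day review window is an assumed policy value.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data (not real customers or devices): devices a customer has
# already enrolled, with the enrolment time, and later login events to screen.
ENROLLED = [
    ("cust-001", "dev-A", "2023-09-01T09:00:00"),
    ("cust-002", "dev-C", "2023-10-01T08:00:00"),
    ("cust-002", "dev-D", "2023-10-01T08:30:00"),
]
EVENTS = [
    ("cust-001", "dev-A", "2024-03-02T10:15:00"),
    ("cust-001", "dev-B", "2024-03-05T22:40:00"),  # never enrolled: must alert
    ("cust-002", "dev-C", "2024-03-06T08:05:00"),
]

@dataclass
class DeviceRegistry:
    # customer_id -> {device_id: last time the device was enrolled or used}
    devices: dict = field(default_factory=dict)

    def enroll(self, customer_id, device_id, ts):
        """Only enrolment adds a device to a customer's mapping."""
        self.devices.setdefault(customer_id, {})[device_id] = ts

    def process_login(self, customer_id, device_id, ts):
        """Return an alert text to report to the customer in real time if the
        device is not mapped to them, else None. An unknown device is never
        added silently; it stays unknown until the customer enrols it."""
        known = self.devices.get(customer_id, {})
        if device_id not in known:
            return f"{customer_id}: login from unknown device {device_id} at {ts.isoformat()}"
        known[device_id] = ts  # refresh last-used time for the periodic review
        return None

    def stale_devices(self, customer_id, now_iso, max_age_days=90):
        """Mapped devices not used within max_age_days (assumed 90): candidates
        to be removed at the customer's periodic device review."""
        cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
        known = self.devices.get(customer_id, {})
        return sorted(d for d, seen in known.items() if seen < cutoff)

def run(enrolled=ENROLLED, events=EVENTS):
    """Enrol the known devices, screen the login events, return (registry, alerts)."""
    reg = DeviceRegistry()
    for cust, dev, ts in enrolled:
        reg.enroll(cust, dev, datetime.fromisoformat(ts))
    alerts = [a for cust, dev, ts in events
              if (a := reg.process_login(cust, dev, datetime.fromisoformat(ts)))]
    return reg, alerts
```

Running `run()` on the constructed data raises one alert (cust-001 from dev-B) and the review for cust-002 on 2024-03-07 flags dev-D, which has not been used since enrolment.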