Protecting Digital Assets: Key Challenges for Cybersecurity in Financial Institutions
Security has long established itself as a primordial need for Mankind, often defined as the condition of being protected from or not exposed to danger. While the elements comprising this feeling of safety have continuously evolved throughout history, they remained mainly related to the physical or material dimension until now. As technology shifts the paradigm of modern and future societies through the widespread inclusion of digital elements into our daily lives, the concept of security as we know it has been undergoing considerable changes.
In a highly digitalized age when information is not only the most valuable asset but also easily accessible at any time, place, or device, new security concerns arise, namely regarding safeguarding and protecting digital data, networks, and systems. Cybersecurity has become the word of order for any business or company with digital channels, but even more so for those whose offerings are entirely developed and deployed in virtual environments. With so much sensitive information, both private and corporate, circulating the digital space, there has been an increase in cyberattacks with the intent of accessing, altering, or destroying data but also disrupting essential services and infrastructures.
Are banks prepared for the New Wave of digital threats?
As the prime targets for cybercriminals, banks have been at the forefront of cybersecurity for years, aiming to protect the vast amount of sensitive information from their clients, both personal and corporate. However, variables such as the increasing number of user-operated devices, the high adoption of digitization to create unique customer experiences, and innovative hacking strategies have drastically raised the threat level, further enhanced by the disruptive regulatory landscape of the banking industry.
The requirements for PSD2 Compliance and Open Banking implementation, despite being a significant step for consumer rights and banking transparency, pose major threats as third-party providers gain access to consumers’ banking information. These API infrastructures provide prime targets for cyber attacks as most traditional security systems have proven inadequate at keeping them secure and inaccessible.
Other major trends in banking security for 2019, as predicted by BitSight, include:
- Mobile Apps and Web Portals – As the go-to choice for clients to process payments and transfers, apps and Internet banking interfaces still present major security flaws. So much so that a report from Positive Technologies ranked the financial sector as “the most vulnerable to attack.” Similarly, in a 2018 study conducted by Accenture, security risks were found in 30 major banking applications.
- Third Parties – While most banks invested in protecting their own systems and networks, they could not successfully monitor those of the third-party vendors they have come to rely on daily. Monitoring vendors for security vulnerabilities is mandatory going forward.
- Cryptocurrency Hacks – With many banks aiming to start trading cryptocurrency in 2019, questions regarding the security of digital currency have arisen. Considering recent events where financial institutions have been hacked and robbed of millions of dollars worth of cryptocurrencies, a new approach to security is in order.
The truth is that there seems to be a wide gap between awareness and active preventive measures when it comes to Cybersecurity. Studies show that despite 82% of companies reporting their board members being concerned or very concerned about Cybersecurity, operational implementation of security protocols is underwhelming at several levels: the company’s internal security structures have not matured, security teams get involved in digital transformation projects too late or not at all, and, last but not least, only 43% of said board members lead by example and follow good security practices (source: ISACA).
“97% of companies have been a victim of digital attacks, and yet only 22% are prepared to deal with incidents in the future” – source: i-scoop.eu
So…Can a Digital Transformation process be secure?
As the financial landscape is being reshaped to adapt to client and regulatory demands, Going Digital is no longer a choice. As such, the question banks and credit unions are facing is not whether they can take the risk associated with digital processes but rather how they can prepare in advance and minimize vulnerabilities. Besides the change in internal culture and strategies to implement security measures in-house, the same or even stricter demands must be placed on all third parties and vendors involved in the Digital Transformation of traditional banks.
As a prime Digital Transformation enabler, ebankIT has been addressing the subject of privacy and security from an early start, continuously improving on each new update of its Digital Banking Platform. As of the latest version, we’ve managed to address the most pressing subjects regarding current Cybersecurity concerns by continuously improving our architecture and gathering client feedback. Below is a brief breakdown of how our platform is prepared to face each risk-heavy aspect:
A more significant amount of sensitive digital information circulating between providers
Looking into the threats associated with sensitive digital information, there are three key moments to consider: when we move it, use it, and store it. Regarding transportation, our solution provides data encryption of all sensitive information communicated between our apps and services. This provides an extra layer of protection, managed by us, even if the transportation layer is partially compromised.
When we access sensitive data on an authenticated omnichannel session, it is protected by the authentication itself because it is volatile and only temporarily stored on banks’ internal systems that periodically purge information from previous sessions.
Lastly, our platform allows financial institutions to meet PSD2 legal requirements, translating into higher encryption capabilities on stored information.
Higher than ever number of user-operated devices (several per user)
With so many digital devices operating at once, it’s critical to receive accurate real-time information about each one and make it possible to monitor any potential anomalies. Our platform integrates with highly specialized fraud detection systems, allowing for adaptive authentication. Based on this external information, certain operations may be considered high-risk, in which case we require a second-level authentication to complete said operation. This can be provided by us or integrated with a third-party provider.
Additionally, users can monitor all mobile devices that use their access and immediately block them in case of a security fault. They can also activate access-related alerts, receiving notifications whenever someone tries to authenticate with their credentials.
Cybercriminals are becoming increasingly complex and innovative.
To face the growing Cybersecurity threats, we must stay one step ahead of the game. Innovation is key, and integrating with external systems allows us to continuously improve by adopting the latest developments of specialized systems. Our platform can use machine learning to validate behavioral patterns through said systems and use their feedback to determine which actions to take at each moment regarding authentication.
We also work closely with Cybersecurity Experts and Consultants whose sole purpose is to keep up with all the latest developments in terms of digital security. Not only do they provide us with valuable insights, but they also conduct sophisticated vulnerability tests on our platform. Finally, we continuously coordinate with our clients’ security teams (both internal and external) to gather additional feedback and recommendations.
PSD2 Compliance and Open Banking will make API infrastructures prime targets
While exposed APIs may become a target, these regulations already impose stricter security criteria than before. A prime example is the obligation of Secure Customer Authentication (SCA), which consists of a multi-factor authentication focused on three categories: knowledge – “something only the user knows” (passwords, etc.), possession – “something only the user owns” (OTP sent to the client’s mobile) and inherence – “something only the user is” (such as biometrics).
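The two mechanisms described above, a risk score from an external fraud detection system triggering second-level authentication, and SCA requiring factors from two different categories (knowledge, possession, inherence), can be combined into a single step-up decision. The following is an added illustration, not ebankIT code: the score scale (0–100), the thresholds and the list of sensitive operations are constructed policy values, and the fraud engine itself is assumed to be external.

```python
from enum import Enum

class Factor(Enum):
    """The three SCA factor categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something only the user knows, e.g. a password
    POSSESSION = "possession"  # something only the user owns, e.g. an OTP on a registered phone
    INHERENCE = "inherence"    # something only the user is, e.g. a fingerprint

# Hypothetical policy values; a real deployment takes these from the fraud engine's contract.
STEP_UP_SCORE = 70   # a fraud score at or above this marks the operation as high-risk
DENY_SCORE = 95      # a score at or above this blocks the operation outright
SENSITIVE_OPERATIONS = {"payment", "add_payee", "change_contact_details"}

def satisfies_sca(verified):
    """SCA needs two factors from *different* categories.
    A password plus a security question are both knowledge and do not qualify."""
    return len(set(verified)) >= 2

def missing_categories(verified):
    """Categories the user could still present to complete SCA, sorted by name."""
    return sorted(f.value for f in Factor if f not in set(verified))

def decide(verified, fraud_score, operation):
    """Return (decision, categories_to_request).

    verified    -- Factor categories already verified in this session
    fraud_score -- 0-100 risk score supplied by the external fraud detection system
    operation   -- name of the operation the user is attempting
    """
    if not 0 <= fraud_score <= 100:
        raise ValueError("fraud score must be between 0 and 100")
    if fraud_score >= DENY_SCORE:
        return "deny", []
    needs_sca = operation in SENSITIVE_OPERATIONS or fraud_score >= STEP_UP_SCORE
    if needs_sca and not satisfies_sca(verified):
        return "step_up", missing_categories(verified)
    return "allow", []

if __name__ == "__main__":
    # Constructed session: password only, low-risk balance check.
    print(decide([Factor.KNOWLEDGE], 10, "view_balance"))               # ('allow', [])
    # Same session, but the fraud engine flags the device as anomalous.
    print(decide([Factor.KNOWLEDGE], 80, "view_balance"))               # ('step_up', ['inherence', 'possession'])
    # Password and OTP already verified: the payment proceeds without a further step.
    print(decide([Factor.KNOWLEDGE, Factor.POSSESSION], 80, "payment"))  # ('allow', [])
```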
These standard security requirements will not only force service vendors to implement them in their solutions but also make Financial Institutions more aware of the need to invest in specialized fraud detection systems to avoid the exploitation of APIs.
From a client’s standpoint, it’s also worth mentioning that these third parties can access their information only through their explicit consent. Our platform allows the validation of said consent through standard security protocols.