Learning from the best: Cyber-attack lessons from the BFSI sector

Updated: June 16, 2017

Nikhil Bagalkotkar

The banking, financial services and insurance (BFSI) sector in India is considered to be one of the most risk-prone industries. As transactions and connectivity among consumers become more digitized, the risk profile continues to rise. The proliferation of mobile apps and data is fueling an increase in cyberattacks around the world, often because of vulnerabilities found in these apps and poor security practices of the app owners. Breaches are also becoming increasingly sophisticated and highly targeted, and are resulting in millions of dollars in damages and losses for organizations.

The Indian government is leading an accelerated online migration, forging a digital future and raising productivity through digitization. The increased activity has attracted cyber criminals to this fertile new playground. India, with its massive financial economy and equally active banks, has been attacked multiple times in the past, raising serious concerns about their preparedness. One such attack that gained substantial attention saw over three million debit cards of prominent banks compromised, jeopardizing customers’ private data. According to a recent survey on fraud in the financial sector conducted by Assocham and PwC, cyber attacks on major Indian banks caused around $20 billion in direct losses annually. This shows plainly that security is no longer an afterthought and deserves to be prioritized.

Having said that, when breaches do occur, financial institutions are some of the quickest to respond, investing heavily in innovative, reliable and modern security systems.

Because banks and financial institutions acknowledge their duty of care to protect the highly sensitive data and confidential information of their customers, they have some of the most heightened security practices and infrastructures in the business. Banking is also one of the most highly regulated sectors, so safeguarding data is often a legal requirement.

Other sectors, including retail, manufacturing, education, healthcare, government, transport and logistics, and energy, can look to banks’ stringent compliance practices and best practice to inspire their own IT safeguards.

What specifically are these institutions doing so well, and what can other sectors learn from them to protect their apps and data from malicious hackers and safeguard their customers’ personal information?

The best security involves multiple layers

When it comes to IT protection, the more security layers an organization has in place, the more difficult it is for criminals to gain entry to their systems, apps and data. While multi-factor authentication can be circumvented with the right targeted malware, organizations across all sectors can still deter cyber criminals with more rigorous security systems in place.

Detection and prevention can protect against fraud

As well as strong user authentication tools, many banks offer two-way alerts which notify customers of suspicious activity in almost real-time, and let customers respond – to let their bank know if a transaction is legitimate. Alerts notify customers of unusually large transactions or transactions taking place in a foreign location. This is especially relevant for the retail sector, where online retail giants have been the victims of high-profile data breaches.

Retailers are slowly catching up and are often seen adopting detection and prevention practices. Bricks-and-mortar stores can also adopt tighter security measures for their store-issued shopping cards, including PIN security and chip-based smart cards (which are already being used in Europe). Credit card fraud remains a massive problem but can still be slowed with “smarter” safeguards.

Communication is key

According to industry experts, both private and public sector banks have increased their correspondence with customers about alternative methods such as digital banking following last year’s demonetization fiasco, in a bid to inform and educate them. This was essential in the face of the increased vulnerability of bank accounts to the threat of cyber attacks. The Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT) recently warned customers that it was aware of a number of fraudulent payment cases, where affected customers suffered breaches in their local payment infrastructure. SWIFT quickly launched an initiative to share cyber threat information with customers to help them protect their own environments from intrusions and malware. Other sectors can learn from banks’ improved communication with, and education of, customers, as well as from their swift reaction when an attack occurs. No matter the industry, trusted communication is key for customers to feel protected and valued.

The finance sector is constantly being challenged to fight cybercrime and, given the potential financial gains from successful attacks, the battle with malicious hackers is likely to rage on. However, banks employ some of the most rigorous security tools, technologies and services, and other sectors can look to these trailblazers for best practice. Multi-layer authentication tools, detection systems and customer communications are just some of the cyber safety lessons that apply to all sectors, in order to better safeguard mobile apps and protect customers’ personal information from key vulnerabilities.

From a business perspective, a ‘new normal’ of security is required – one where IT risks are communicated in business terms and IT safety is backed up by the right technology infrastructure and installations. This will help empower organizations to achieve compliance within their sector. According to an Assocham-PwC joint study, the number of cyber attacks reported between 2011 and 2014 under the IT Act, 2000, surged by approximately 300%. In short, cybercrimes pose a serious threat to companies, leading to significant business implications and bad press. Ultimately though, absorbing best practice from industry leaders allows companies to increase sales, save time, cut costs and foster better connections with customers.

  • Nikhil Bagalkotkar is chief technologist at Citrix