Why rob a bank? Because that’s where the money is!
These days, however, physically robbing a bank may not be as rewarding given that banks typically invest in physical security including armed security guards, alarms and sensors, ability of law enforcement to respond in size that usually outnumbers the robbers, and a high risk of getting caught.
So the digital route may offer better risk-reward ratio. Consider that:
- Banks are where the money is
- Banks have an extensive network of branches, systems and processes – an architecture so complex that poking a hole in one area may reveal holes in other areas.
- The complexity of the banking infrastructure means it will take time before they even discover the theft – especially if you take an obscure route (like the Bangladesh cyber heist)
But that’s not what I am writing about.
The high dependence on technology, the prevalence of digital banking, and the speed at which banking transactions can now happen – all beg a look at what banks are doing to protect our money.
Some years back I met a spokesperson for the Financial Services Information Sharing and Analysis Centre (FS-ISAC) – Singapore chapter.
The FS-ISAC is a banking industry consortium dedicated to reducing cyber-risk in the global financial system. Take away all the technical jargon, one of the FS-ISAC’s charter is to encourage members to share information that will enable better digital protection for members.
With the Singapore circuit-breaker now extended for another month, people will have more opportunities to transact with their banks digitally. Afterall they still need money to make purchases, and loans aren’t going to go away – banks are not charitable organisations especially when it comes to customers.
FutureCIO spoke to Brian Hansen, executive director for Asia-Pacific at FS-ISAC on what its members are doing to protect customers during the COVID-19 outbreak.
How do you see the WFH directive impacting the delivery of financial services in Asia-Pacific?
Brian Hansen: Fortunately, many financial services today can be accessed online, meaning these services can be supplied and delivered remotely. This is especially true in Asia, which has outpaced the rest of the world in the transition to digital financial services.
The Covid-19 pandemic has contributed to rising demand for software, apps, and other technology that allow financial services to be accessed remotely, and many firms are accelerating efforts and plans to further digitise products and services. The main change for institutions is the rapid move to digitise employee operations.
One area that is customer-facing is the transition from physical documents and signatures to digitally signed documents. Firms will have to ensure their clients get comfortable with using digital signatures, as well as educate them to be able to distinguish authentic digital documents and signatures from possible fakes and scams.
This may be a challenge for clients without much digital experience. Even tech-savvy customers may have to adjust when it comes to using digital signatures for large transactions.
In fact, Asian regulators such as the Monetary Authority of Singapore (MAS) are stressing the importance of accommodating these customers; for example, by providing additional training to customer service agents as more people may be calling in with questions about mobile and online access.
Employee technology limitations present another considerable obstacle. Financial services require stable, high-speed internet connectivity, which may not be 100% reliable for employees working from home.
Financial institutions also rely on robust cybersecurity defences, which may be difficult or even impossible to replicate in a home environment. Firms will have to upgrade their technology and security infrastructure in order to successfully transition to large scale WFH.
As FSIs comply with lockdown measures, are extra precautions being implemented for WFH staff?
Brian Hansen: Our recommendations apply broadly to financial institutions implementing WFH policies, but individual firms must adapt their precautions and measures based on their needs.
Setting rules and monitoring is important. Options for staff to access the company’s network must be defined to ensure proper user-level and admin-level access.
Connectivity options include corporate devices with VPN, VDI, cloud workspaces, bastion hosts, and potentially even personal devices with corporate VPN and robust host checking. Firms must consistently monitor for unsanctioned data access and movement.
Data loss prevention and user behaviour monitoring rules need to be adapted for remote workers. This includes concerns around printing documents at home, usage of external storage devices, email forwarding and so on.
Security patching efforts must continue at a higher intensity along with updating remote access management solutions.
Firms must also recognise that remote staff need software to collaborate. The right collaboration tools and software must be made available, or staff may turn to unsanctioned services that could put them at risk.
Companies should review their risk management policies with regards to acquiring new software platforms. They may need to consider temporary measures or be less stringent with choices, while doing their best to maintain security.
Lastly, with the increased activity from cyber threat actors, it is essential that organizations continue to collaborate and check-in with ISACs and other intelligence sources to keep up to date on evolving threats and best practices.
Given that some of the larger FSIs may have thousands of staff, how do they ensure that employees are not unduly exposing companies to non-compliance?
Brian Hansen: These would remain the same, but with the exception that the scale of the initiatives would differ.
Many employees will face some challenges in maintaining proper security practices over a long period of time in a home environment. Thus, IT teams should over-communicate with staff, ensuring that how-to documents and FAQs are readily available.
IT, security, and HR contacts should also be widely shared and made easy to reach for staff who need support. Organizations should be sure to remind personnel about proper cyber hygiene as well as reemphasize what technologies and services are allowed.
While companies should ensure staff only use approved software and communication platforms, they can also maintain a means for employees to recommend new tools or software that companies could use.
Beyond that, it can be helpful to have supervisors and managers check in on staff regularly to ensure employees are following proper protocols. Leaders can spot check with questions or scenarios to ensure employees understand the security risks.
Do you anticipate regulators relaxing rules government (sic) the FSI sector in lieu of these lockdown measures?
Brian Hansen: More heavily regulated industries may have additional challenges because of regulatory requirements. We have seen increased interest and collaboration on best practices for implementation amongst our members in the financial services sector.
Many governments and national regulatory bodies have already relaxed regulations to minimise adverse impacts on financial institutions and to allow them to continue to operate. In Singapore, the announced on 7 April 2020 that it would ease capital and liquidity requirements on financial institutions in order for them to continue to serve customers.
Despite all being subject to the same regulation for the protection of customer data and keeping the lights on, not all FSIs implement to the same level of sophistication and practice. What will be the fallout for those that fail to comply?
Brian Hansen: Cyber threat actors are cognizant of the added vulnerabilities FSIs face with a largely distributed workforce working from home and are already showing themselves keen to exploit these unprecedented circumstances.
FSIs that do not implement best practices may find themselves specially targeted by cyber threat actors looking to exploit weak links in institutions that have not put in place robust protections to support WFH initiatives.
For those with not-so-deep pockets, what approaches can they pursue to protect customer data and the integrity of systems whilst observing WFH directive?
Brian Hansen: Many of the tips above do not require significant resources to implement, such as effectively communicating policies, procedures, and effective cyber hygiene to staff working from home. Smaller firms can also tap the knowledge and expertise of larger ones through participating in ISACs, where the most sophisticated firms share not only threat intelligence but also many best practices.
