Banks and other financial institutions have always been a magnet for cybercriminals out to make a hefty payday by perpetuating various online scams such as money laundering, credit card fraud and personal data leak to name a few.
In Southeast Asia alone, several high-profile banking hacks have drawn significant negative publicity in the past 12 months, jeopardising the industry-wide push toward digital banking.
Early this year in Singapore, customers of DBS and POSB saw unauthorised withdrawals of thousands of dollars from their accounts due to a “click-free” phishing scam. Likewise, during the same period, OCBC customers also reported losing as much as S$100,000 – with some seeing their savings wiped out – by an SMS scam that asked them to click on a link to prevent being locked out of their accounts.
In the Philippines, 700 BDO bank accounts were hacked before Christmas last year, with an undisclosed amount illegally transferred to fictitious accounts at Union Bank. Unlike previous incidents, victims did not click on phishing links or unwittingly gave away their OTP data. Investigations made by the country’s central bank revealed that the hacking originated from a compromised web service.
Indonesia’s central bank itself was targeted by cybercriminals with a ransomware attack last December, but Bank Indonesia was able to implement mitigating measures to foil the attempt. No data leak occurred, and no public services were disrupted. DarkTracer, a platform that monitors and traces malicious activities online, said that Bank Indonesia was on a target list of cybercriminals using a malicious software dubbed “Conti”.
According to the latest Fitch report released in June, the increased digitalisation of the financial sector across the region amid the COVID-19 pandemic raises the risk of cyberattacks that could cause reputational damage and affect the banks’ viability ratings.
“Banks across APAC have been digitalising their service offerings at varying paces and the imperative to do so was accelerated during the COVID-19 pandemic when service channels overwhelmingly moved online. Faster adoption of digital banking presents new business opportunities and banks that managed the transition well have reinforced their business profiles compared with competitors,” the report said.
“However, increased digitalisation also amplifies the technology-related operational risks that banks face and can expose them to reputational damage that weighs on their franchises. Cases of technological failure in APAC since 2016 have shown the potential to transform into wider financial risks that have an adverse impact on bank ratings,” it added.
With technology today playing an essential role in facilitating banking services and providing the digital tools necessary for interaction between customers, employees, and other stakeholders, it is imperative for industry players to re-examine their cybersecurity posture to ensure protection against potential threats without hampering seamless business operations.
To determine the cybersecurity readiness of financial services companies in the region, Red Hat and Intel initiated a three-part survey that polled senior technology and security executives across five countries in Southeast Asia – Indonesia, Malaysia, the Philippines, Singapore, and Thailand.
The survey, conducted by FutureCIO, was unveiled recently in a virtual roundtable dubbed “Rethinking cybersecurity to support your digital transformation”. FSI executives, who head their firms’ technology and cybersecurity operations, joined the event to share additional insights into the questions raised in the online poll. All participants also came from the five countries included in the survey.
The majority of the participants have the challenge of securing the hybrid IT infrastructure in their respective organisations as computing resources and digital assets reside on-prem and in the cloud.
“Hybrid is the predominant strategy with most organisations, and it makes sense because you want to have the best of both worlds,” said Christopher Tan, global partner revenue acceleration director, APJ at Intel. “You want to have the flexibility, the agility, the cost benefits of cloud; but at the same time, there are some parts of your IT infrastructure – your data and your applications – that you still want to keep on-prem for many reasons from security, privacy to data sovereignty”.
Choosing the right cybersecurity approach
A majority, comprising 38%, of survey responses, claim to deploy monitoring tools to detect and mitigate cyberattacks. Among the countries included in the survey, the Philippines outpaces its peers in this category, followed by Singapore in the second spot. India and Malaysia both ranked third, closely followed by Thailand.
This predominant use of monitoring tools reflects the reality on the ground. With the expanding threat surface as well as the growing sophistication and frequency of security incidents, protecting an organisation from both external and internal risks has been an uphill battle. Cybersecurity as a round-the-clock task can only be managed effectively through automated monitoring to complement an overextended workforce, particularly amid the acute shortage of IT security professionals.
Twenty per cent (20%) of responses put the cybersecurity burden on external partners – relying on software and cloud providers – to secure their organisation’s applications and data; while 9% said to adopt the ad-hoc approach of detecting and patching security holes and vulnerabilities as they found them.
What’s interesting is that close to 33% of the total responses noted their financial institutions have put into practice the security by design principle, where security is built into every application from development to deployment. The figure is nearly as much as – only five percentage points from – the percentage of responses (38%) that say they rely on monitoring tools to detect and mitigate cyberattacks.
The survey results show that banks across the five countries are starting to have a more expansive view of cybersecurity and have taken a multi-pronged approach to protect their applications and data. Nearly a quarter (25%) of respondents are using two or more cybersecurity measures listed in the survey. From this figure, the Philippines and Singapore came out on top in having a well-rounded cybersecurity approach with 36% respectively, followed by Malaysia with 12%, while Indonesia and Thailand each have 8%,
At the roundtable, the majority of participants agree that banks need to forge several cybersecurity measures together into one holistic approach to safeguard their digital assets.
“As a security professional, there are three things you have to do: identify your security principles – that’s where security by design comes into play; then, you deploy monitoring tools to detect potential threats; and once a vulnerability is discovered, you have to make a fast corrective action by patching the security hole,” said a Singapore-based participant who is vice president for IT for a multinational bank.
Survey results show, however, that banks in the region still need a nudge to broaden their cybersecurity posture, as 75% of respondents say their organisation only has one approach for guarding against potential threats. Of this number, 24% have placed the responsibility of securing their organisation in the hands of their cloud and software providers.
“CISOs always talk about it's a shared responsibility. But basically, it is their company’s assets, and they still must be responsible for that. You can’t ship that out to someone else to take responsibility with,” said Tan of Intel. “I think all CISOs understand that while you can ship out your data – or maybe some of your application services – to a cloud provider, data security resides remains with you as the owner of the data.”
Among respondents whose respective companies have taken only one cybersecurity approach, it is notable that 39% picked using monitoring tools as their preferred mode of protection while 36% have adapted security by design, building security into their organisation’s software development, as their sole method of defence against cyberattacks. These echo the overall results of the survey, where there is a very narrow gap between those who preferred one cybersecurity over the other.
One participant at the roundtable pointed out banks that keep 40-year-old legacy technologies alongside newer systems must deploy a blended cybersecurity strategy to secure two separate sets of business processes, which run in parallel. “We operate a bimodal model. We have our mainframes on one side, and on the other side, we have our mobile banking site where Kubernetes is used for software development and deployment. It’s two different technologies and we have split teams to manage these systems. We straddle between two worlds and there is a different cybersecurity approach for each one. We have built a big bucket of budget on monitoring for both worlds,” he said.
