Paul Ferris, Head of Technical Consultancy at Diebold Nixdorf
Connectivity means financial service providers can have a wider customer reach than ever before – but with more touchpoints comes a greater potential for complexity, and also an increased risk of security breaches. An integrated approach has therefore never been more important, and security must be at the heart of this, particularly as new innovations come into the fold. Ever-growing concerns regarding fraud mean that security remains high on the agenda and should therefore, lead every operation and every innovation. It’s an issue that has a global reach with fraudsters potentially operating completely remotely, with a criminal pushing buttons on one side of the world impacting an organisation on the opposite side of the world within minutes.
Security snapshots, ad-hoc fixes and a diluted focus simply do not work, with the potential for attacks present within every part of the industry’s ecosystem. Banks are under pressure to defend consumer information and sensitive data from direct first-hand attacks. For example, 2017 saw seven UK banks targeted by a coordinated cyber-attack, forcing the banks to reduce operations or shut down entire systems. The DDOS software that could be rented for a mere £11[1]cost the banks’ hundreds of thousands of pounds.
As the digital landscape expands, data is becoming as lucrative as physical money and a new way of thinking is needed. Attacks are relentless and as one threat is shut down, it is only a matter of time until another organised attack looms, highlighting the importance of fit for purpose defences to protect systems, companies and customers. Simply complying with regulations is not enough and financial institutions should be moving from a position of simply maintaining compliance to a more proactive security-first stance.
Below are the key areas and steps banks should, therefore, be following to seize 2019 as the ‘year of security’:
1. Security first ethos – A security first culture and approach should be embedded at every touch point. This includes ensuring partners or third-party vendors live and breathe the same security ethos to deliver customer-first goals. There is a clear difference between ticking off security requirements for compliance versus putting security as the top priority. It is not just about using readily available policy templates; a security first culture means all processes are built from the ground up and tailored to the needs of the business – and most importantly its customers. Businesses require a dedicated security professional to see this through.
2.Education, Education, Education – Once this culture has been established, processes to bolster security must become engrained within an organisation. These processes can be used not only to educate staff, but also to place importance on the need for staff to educate customers with every interaction and touch point. This includes making customers feel empowered to protect their own data too.
3. Contingency planning for ‘when’ security is breached – Planning and preparation for potential attacks is vital, no matter how unlikely an attack may seem. A contingency plan can act as a lifeline when the security of the organisation is at risk. Once in place, financial institutions should run mock cyber-drills and practice implementing contingency plans. The ability to act quickly and decisively when an attack takes place is crucial to damage limitation and protecting brand reputations.
4. Adopting new tech – Not only can machine learning and Artificial Intelligence (AI) be used to identify anomalies before they become a bigger issue, but this technology can also be used to create efficiencies and promote productivity within an organisation to fill any resource gaps. The days of employees studying physical reports for irregular customer behaviours are becoming a thing of the past thanks to innovative new technology.
This provides organisations with the tools to detect abnormal behaviour and make a swift, informed decision about what action to take. For those that aren’t quite ready to use automated technology to monitor for anomalous behaviour, automation to support associated activities is a good place to start before they’re ready to take the next step.
5. Constant evaluation – No matter how much time has passed since a live threat has been detected, financial institutions must ensure they are constantly assessing and reassessing industry threats. This information can be used to ensure that internal security models and contingency plans are up to date, and the entire company is always on alert – no matter where in the company an employee’s role sits.
Security threats are no longer a question of if, but when. Financial institutions must take a proactive stance to survive the exciting, yet unpredictable, digital climate. If you fail to prepare, you must be prepared to fail.