In the banking industry, security is one of the foundations that must be strong, because it underpins the health of the whole institution. As technology advances, the need to improve security in banking changes with it. Once the key security challenges have been identified and addressed, the institution can operate without incident.
Some of the biggest challenges in banking are…
- The cloud and public networks
Increasingly, applications holding sensitive data are hosted in the public cloud. Furthermore, identity onboarding processes are increasingly automated, with no human intervention. This enlarges the attack surface and the opportunities for attack. Previously, all processes were manual: data entry was done on premises, and systems were completely isolated from the outside world and could be protected physically.
- The human factor
Insider vulnerabilities remain one of the most serious risks to banks. Individuals with a strong understanding of the system, particularly high-privilege users, pose an especially critical risk.
Additionally, there are misinformed users with low security awareness who do not understand security regulations and expose the system unintentionally. Bad practices, such as using weak passwords or falling for social engineering, are among the many avenues through which critical information is exposed.
- Vulnerable assets
Institutions sometimes deploy systems that are considered safe or minor, such as IoT cameras, but which are in fact vulnerable. Worse, institutions sometimes lack full awareness of all the assets that have been deployed and are vulnerable.
- Cost concerns
Security can be expensive for an organization of any size. One main challenge is that the effect of security is never felt directly when it is properly implemented.
Under these circumstances, banks are obliged to verify the security interests of their suppliers in order to obtain the most comprehensive protection. Financial institutions and fintech companies can check the security interests of suppliers as follows:
- The cloud and public networks
A good implementation of the DevSecOps (Development, Security, and Operations) process is essential to ensuring security. Developers, security, and operations personnel should work together on all aspects of infrastructure and product planning, development, testing, and deployment. Architecture-wise, use tiering in applications to minimize exposure to the public cloud or network. Process-wise, automate as much of the process as possible to maximize coverage while minimizing human error.
- The human factor
As part of implementing DevSecOps, ensure that strong passwords and multi-factor authentication are enforced, and train users to be more security aware. Separate or tier all decision-making processes with role-based access control, such as the maker, checker/approver, and admin separation. This is where the maker can only create a financial transaction but cannot execute it; the checker or approver can only view and approve the financial transaction but cannot change anything; and the admin can only create makers and checkers, but cannot create another admin.
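The maker/checker/admin separation described above, written out as a small role-based access control model. This is an added example, not INFOPRO's code or any product's API; the usernames, amounts, the `MakerCheckerSystem` class and its permission matrix are constructed for illustration. It also makes two assumptions the text leaves open: the first admin is seeded at deployment time (since an admin must not create admins), and a transaction's only state change is the checker's approval.

```python
"""Maker/checker/admin separation of duties as a small RBAC model.

Hypothetical example code: usernames, amounts and the API are constructed
for illustration and do not describe any real banking product.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Role(Enum):
    MAKER = "maker"
    CHECKER = "checker"
    ADMIN = "admin"


class Action(Enum):
    CREATE_TXN = "create_transaction"
    VIEW_TXN = "view_transaction"
    APPROVE_TXN = "approve_transaction"
    CREATE_USER = "create_user"


# Permission matrix: each role holds only the actions the text assigns to it.
PERMISSIONS: Dict[Role, Set[Action]] = {
    Role.MAKER: {Action.CREATE_TXN},
    Role.CHECKER: {Action.VIEW_TXN, Action.APPROVE_TXN},
    Role.ADMIN: {Action.CREATE_USER},
}


class PermissionDenied(Exception):
    """Raised when a user attempts an action outside their role."""


@dataclass
class Transaction:
    txn_id: int
    amount: float
    created_by: str
    status: str = "pending"  # pending -> approved; only a checker moves it
    approved_by: Optional[str] = None


class MakerCheckerSystem:
    def __init__(self, bootstrap_admin: str) -> None:
        # Assumption: the first admin is seeded at deployment, out of band,
        # because an admin is not allowed to create other admins.
        self.users: Dict[str, Role] = {bootstrap_admin: Role.ADMIN}
        self.transactions: Dict[int, Transaction] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (decision, user, action)
        self._next_id = 1

    def can(self, username: str, action: Action) -> bool:
        # Roles come from the server-side registry, never from caller data.
        role = self.users.get(username)
        return role is not None and action in PERMISSIONS[role]

    def _require(self, username: str, action: Action) -> None:
        # Every decision is recorded, so denied attempts are visible to monitoring.
        if not self.can(username, action):
            self.audit.append(("DENIED", username, action.value))
            raise PermissionDenied(f"{username!r} may not {action.value}")
        self.audit.append(("ALLOWED", username, action.value))

    def create_user(self, actor: str, name: str, role: Role) -> Role:
        self._require(actor, Action.CREATE_USER)
        if role is Role.ADMIN:
            # Admins create makers and checkers only.
            self.audit.append(("DENIED", actor, "create_admin"))
            raise PermissionDenied("admins cannot create other admins")
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = role
        return role

    def create_transaction(self, actor: str, amount: float) -> Transaction:
        # A maker can create a transaction but has no path to approve it.
        self._require(actor, Action.CREATE_TXN)
        txn = Transaction(self._next_id, amount, created_by=actor)
        self.transactions[txn.txn_id] = txn
        self._next_id += 1
        return txn

    def view_transaction(self, actor: str, txn_id: int) -> Transaction:
        self._require(actor, Action.VIEW_TXN)
        # Hand back a copy so a checker cannot mutate the stored record.
        return replace(self.transactions[txn_id])

    def approve_transaction(self, actor: str, txn_id: int) -> Transaction:
        self._require(actor, Action.APPROVE_TXN)
        txn = self.transactions[txn_id]
        if txn.status != "pending":
            raise ValueError(f"transaction {txn_id} is already {txn.status}")
        txn.status = "approved"
        txn.approved_by = actor
        return txn


if __name__ == "__main__":
    system = MakerCheckerSystem(bootstrap_admin="root")
    system.create_user("root", "alice", Role.MAKER)
    system.create_user("root", "bob", Role.CHECKER)
    pending = system.create_transaction("alice", 1500.0)
    try:
        system.approve_transaction("alice", pending.txn_id)
    except PermissionDenied as exc:
        print("blocked:", exc)
    print(system.approve_transaction("bob", pending.txn_id))
    print(system.audit)
```

The two points worth noting are that the permission check reads the role from the server-side registry rather than trusting anything the caller supplies, and that every allow/deny decision lands in an audit list, so repeated denied attempts by one account can be picked up by monitoring.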
- Vulnerable assets
The institution needs to strictly enforce the use of official assets that have been thoroughly scrutinized. Protect all assets in use within the institution by hardening them. Understand the risk incurred by using unsecured assets, such as a cheap cloud webcam.
- Costs
Implement an approach that balances the cost of security against the risk. Implement a proper risk matrix and analysis based on asset classifications to determine the appropriate protection measure for each.
What is the security standard that can be applied?
There are various internationally recognized security guidelines and standards.
The Open Worldwide Application Security Project (OWASP) addresses various domains. OWASP is well recognized as a guideline and is free for institutions to implement the recommendations and procedures.
ISO 27001, Information Security Management Systems, together with the wider ISO 27000 family of standards, is an international standard published by the International Organization for Standardization for managing information security.
Payment card institutions can also implement the Payment Card Industry Data Security Standard (PCI-DSS) to enforce security standards for handling financial and payment transactions.
Furthermore, there are also local laws or guidelines, such as Risk Management in Technology (RMiT) for Malaysia, Technical Risk Management (TRM) for Singapore, or European Banking Authority Guidelines on ICT and Security Risk Management.
INFOPRO can assist our customers on how best to verify security interests. INFOPRO already practices DevSecOps. INFOPRO is also ready to comply with frameworks such as OWASP, ISO 27001, and PCI-DSS, as well as other scopes such as RMiT and TRM.