With the rise of digital adoption, transition to work from home and greater engagement through digital channels, many organizations have seen a drastic shift in their priorities. A key impact has been on rethinking cybersecurity practices to address the new risks and challenges. In this article, Babitha B.P., CISO, CSB Bank has shared the changes and transformation observed with the move to go digital from a BFSI lens.
The unleashing of the pandemic left the entire industry ecosystem in shock, and the banking sector was no different. Naturally, like most banks, we did not follow the concept of remote work and Bring Your Own Device (BYOD). Entrusted with the responsibility to ensure business continuity, our team adopted a hands-on approach to come up with a solution grounded in business understanding and to provide a secure connection to the bank's network.
Digital Interventions by CSB Bank during pandemic
To enable work from home, we have provided dedicated VPN access with multi-factor authentication, geolocation-wise blocking, and time-based device locking. We have taken the necessary measures to prevent data leakage through copying of data from the bank's network by enabling security features for the same. A strong password policy and security measures are defined to avoid brute force, dictionary, rainbow table and spraying attacks. In a nutshell, we introduced all the technological interventions and features required for a secure connection from an external network. Digital interventions were not only driven by a security lens. The bank has also adopted door-step banking solutions, even for gold loans and other advances, which have been well accepted by our customers.
Regulators like RBI have been taking extra care over the information security aspect of banks since 2016. Therefore, from then itself, CISOs of banks had started preparing themselves to improve the security posture as per technological advancement and business needs. Banks today have all the latest security tools and technology to improve the security posture and cater to business needs in a secured way.
Cyber Attacks During Pandemic
From a cyber-attack perspective, the frequency of attacks has increased considerably during the pandemic. It is not that we are witnessing cyberattacks for the first time, but, undoubtedly, the number has peaked.
Exploring the nature of attacks, experts have concluded that 90% of the attacks have happened by exploiting existing vulnerabilities or misconfigurations in the security tools. It is important for enterprises to understand that just buying a lot of security tools does not equate to a resilient and effective cybersecurity strategy. One should start the process towards security by identifying and patching all the known vulnerabilities in the system. Visibility of the IT assets accessing the bank's network is very important, as we can fix only what we know. Identifying vulnerabilities through VA and PT at regular frequency and addressing them is instrumental in heightening the security posture of the organization. Reviewing security tools is very important, as any exceptions need to be relooked at and removed if required.
The Cyber Threats for BFSI
When it comes to the financial services sector, especially banking, we know people are the weakest links, and people have lost a lot of money during the pandemic due to cyber frauds. It is not because any banks got breached, but because of the lack of knowledge around cybersecurity or cyber frauds. As a result of the sudden surge in digital channels, people from diverse socio-economic and geographical backgrounds started using digital channels for their day-to-day transactions. Statistically speaking, if earlier 10-15% were using digital channels, now over 95% of the population is using digital channels for their day-to-day transactions.
However, the lack of knowledge about what should or shouldn’t be disclosed or how to safely operate these smart devices became a key threat in itself. Even smartphones and smart TVs are being used by cyber fraudsters to create different types of attacks on other organizations, like DDoS attacks. Phishing, smishing and vishing attacks by fraudsters in the name of vaccination, etc. have been on the rise. All of this points to a lack of awareness and hence, it is extremely important to create awareness amongst the public to bring cyber frauds to a minimal level.
Understanding the Basis of Security
It is the visibility that counts. Ultimately, it is the shadow IT. Without knowing a system, how will we secure it? How will we see whether it’s being patched or not? So visibility is the basis of security. Who is using what kind of devices that are available in an organization’s network? How far is it patched, or who is using that? These are a few questions that help understand the basis of security. Furthermore, we even need to keep a tab on the user behaviour of that particular system. So, ultimately it is the assets or the IT devices connected to the organization’s network which determine its security.
The security posture of an organization is dependent on every connected device, even if it is a mobile being used by a customer. There are chances for the fraudsters to get into our system through their systems. Therefore, we also have to keep an eye on even the devices of the users who are using our software. There is a need to adopt a multi-layered security architecture right from the end points, the middle layer, the network layer including Fintech, third parties or companies which will be helping us in deployment, like ISPs who are providing the network connectivity to us, and then the organization. So, from an organization’s perspective, a CISO should have thorough knowledge about all these things. On a lighter note, we should think like a fraudster to defend ourselves.
Moving to the Cloud: A Risk?
I have seen that most organizations, big or small, suddenly rushed to the cloud in the wake of the pandemic. While moving to the cloud can be an incredible asset for many organizations, whatever technology and security solution we adopt should be as per our business requirement. We have to see what kind of data or processes we want for this new business or new project to happen. Furthermore, we need to undertake a comparative analysis to understand how critical our data is and how well secured it will be. These are a few considerations that should drive our decision towards technology solution adoption. Moving to the cloud just because other enterprises have may not be the wisest move. Unless we have enough expertise, skill set and the right infrastructure, I believe we should be cautious about rushing towards cloud adoption. The business requirement should decide whether we want to go for cloud or not.
When we are adopting a new technology or moving to the cloud, we should first have a clear idea of why we need that technology or cloud solution, do a cost-benefit analysis and, above all, consider the security aspects of the data.
Sensitizing the Public and Customers
I strongly believe that to address the new security challenges, it is very important for the general public to be aware and sensitized about the potential threats in day-to-day activities. For instance, social media platforms are constantly keeping tabs on us, and it is the data which we are providing to social media networks which is being leveraged by hackers to get into or hack a person’s account or even into the organization. People sometimes share their official email IDs in the public domain, which is a key risk area and may be used by the fraudsters to get into the system. Similarly, by disclosing our date of birth and other private information and even saving our card numbers and account details on other third-party apps, we are becoming vulnerable to security risks. So, we need to strongly build awareness among the public and employees with respect to cyber security, and it is the responsibility of everyone to be cyber safe.
Top Security Priorities for CSB Bank in the New Normal
In my opinion, cyberattacks will continue to exist and even increase and change their form and nature. Therefore, to ensure security practices for our organization, we believe it is important not only to prevent such attacks but also to focus on how fast we detect and mitigate them. Now zero-day threats and supply chain attacks are common. So, as an organization, we will be concentrating more on building effective security practices including:
- Promoting instant response with a strong incident response plan and team. Cyber incident response should start right from end users/employees, so the incident response plan should be communicated across the organization. For instance, if an employee receives any phishing mail or if some malware has infected their machine, they should immediately contact the security team and inform them about the incident.
- Focusing on creating awareness and sensitization among employees and customers.
- Conducting red team exercises frequently to understand the security posture of the organization
- Leveraging user behavior analysis and AI techniques to prevent and detect cyber incidents at a faster pace
- Gauging how effectively incidents are being captured
To conclude, I believe that exploring AI-based technology and user-based analysis is the need of the hour because attackers are equipped with more sophisticated technologies. They are increasingly using AI-ML based malware which can identify, or which can penetrate, the system within a few days. While earlier, attackers used to take 6-8 months to enter an organization’s network, the technological advances have significantly reduced the same. We need to accept the changing speed and nature of attacks and leverage more advanced and technology-centric solutions to safeguard our organizations and ourselves.
About the author
Babitha B.P. is the Chief Information Security Officer at CSB Bank Ltd (formerly known as Catholic Syrian Bank) and the head of IT security, driving the IT security strategy and implementation forward whilst protecting the business from security threats and cyber-hacking. She comes with 20+ years of diverse Information Technology and security experience, building high-performance cross-functional teams that have consistently delivered excellent results. Babitha has held a series of roles in Information Technology for over a decade.
She has been a speaker and moderator at many international tech summits and conferences, and a speaker in many public forums. Babitha has been honored with Exceptional Leader of Excellence by Women Economic Forum, Cyber Sentinel Award 2020, CXO Tech Excellence Award 2020 by CXOTV News Virtual Tech Summit and Award 2020, Best IT Leader Information Security and Risk Management by BFSI Innovation and Tech Summit, Defenders 100 Award by CISOCONNECT, BOLD CISO Award by dynamic CISO 2020, Top 100 CISO Award 2020 by CISO Platform and InfoSec Maestro Award 2019.