Why humans remain key in banking cybersecurity

Find out why industry experts put a premium on the human factor in today’s digital times.

With email-based threats such as WannaCry leaving institutions across multiple industries weeping and reeling, the question of security is again thrust into the limelight. The single, yet highly effective cyberattack could very well be this year’s hallmark heist, and banks the world over—affected or not—face some tough questions. Are they still safe? Are customer information secured? Are their money accounted for? But through all these, the most important one is, “What should be done to prevent such a catastrophe from happening again?”

The financial industry in particular hasn’t exactly been safe from cyber threats. The Identity Theft Resource Centre notes that in 2016, the finance sector experienced 65% more attacks than businesses in other industries. Around 90% of all Asia Pacific banks also experienced attacks of varying degrees, from customers being tricked out of their money to hacks on system mainframes.

But whilst intuition dictates investing into the latest and greatest security hardware and software, banks shouldn’t be in a rush to acquire solely these assets just yet.

Humans versus machines
“Tackling cybercrime is a challenge for the whole industry, and there are no quick fixes. The threat landscape evolves by the day, and for mission-critical institutions such as banks, equipping themselves with rigorous employee training is equally—if not more—important than implementing the latest cybersecurity solution,” says Sharon Toh, head of ASEAN at SWIFT.

Sharing the same people-centric sentiment is Naveen Bhat, managing director of Ixia Asia Pacific. He says, “People are every organisation’s first line of defence, not the computers. Computers need to be managed under good hands or even they themselves will fail and open up an organisation to security vulnerabilities.”

Yes, technology by itself can’t address a bank’s cybersecurity challenges. In fact, the more technology a bank brings aboard, the harder it is to integrate, orchestrate, and manage the whole system. “More technology doesn’t mean better security. In fact, it probably has an adverse effect; as misconfigured security solutions may provide a false sense of security,” explains Itay Yanovski, CyberInt co-founder and senior vice president for strategy.

Yanovski also clarifies that even though it’s all about the people, “People (will) support the technologies and vice versa.”

People power
Ironically, whilst humans remain as a key driving force in security alongside machines, we still remain as one of the weakest links in the chain. Jeffrey Kok, CyberArk director of pre-sales for Asia Pacific and Japan, says that even just a well-crafted phishing email sent to an unsuspecting entry-level employee can bring an entire system down in matter of months. “From this initial entry point, attackers can use limited, local access to escalate administrative rights and move laterally throughout the network and—ultimately—gain complete control over the system.”

The solution is a simple one: educate and promote security awareness across the entire firm. “As many financial breaches come from within, from malcontents or compromised accounts, businesses should promote ‘cyber compliance’ as a core initiative, with secured, managed, and privileged accounts at the heart of the plan,” explains Kok.

The staff also need to be guided by security professionals dedicated to ensuring that the entire system remains vulnerability-free, even as the threats change each and every day. “Banks should continue investing in and retaining top cybersecurity talent, as it is a premium in this day and age. They should also provide their in-house cybersecurity staff more opportunities for external training,” comments David Allott, cyber defence director for McAfee APAC.

Number crunchers
The word “premium” should be noted in Allott’s statement above as these defensemen are becoming quite a rare commodity in the job market. In fact, according to Frost and Sullivan, the world will experience a shortage of 1.5 million in cybersecurity talent by 2020. Vikram Mengi, Latize CEO and co-founder, suggests that banks should bolster their artificial intelligence capabilities to mitigate the significant manpower deficit.

Combined with machine learning, predictive analytics, and semantic processing, banks can depend on AI to accurately detect suspicious behaviour in their networks even before an actual attack happens. The AI can then process the numbers and produce distilled data for humans. “We call this augmented intelligence—utilising machines’ processing strength and human’s innate thoughts to produce superior outcomes that is not possible when they’re both working in isolation,” says Mengi.

Though AI and machine learning are critical in cybersecurity strategies this 2017, Samantha Humphrey, ACI Worldwide senior fraud solutions consultant for APAC, says it still requires a distinctively human touch. Before it can work its magic, data scientists, risk analysts, and software engineers still need to develop the models required for machine learning systems to be effective and efficient.

The process is also not a one and done affair as machine learning algorithms can only improve so much by themselves. David Ng, Trend Micro lead for FSI and EDU, says, “Human expertise is also needed to evolve, adjust, and optimise security strategies over time.” He clarifies further, stating that CISOs and IT managers give machine learning systems the context they need—including bank-specific issues, current cybersecurity capabilities, and overall cybersecurity environment—to be effective. “All this cognitive thinking takes a human brain to handle,” Ng notes.

Humphrey also adds that “Cross-functional teams must strive to constantly enhance the relevance and performance of machine learning models, to ensure they remain effective as the payments landscape continues to evolve.

Cloudy with a chance of data exfiltration
With banks and financial institutions offering additional products and services to keep up with consumer demands, they are slowly becoming more and more reliant on cloud technology. As connectivity and digitisation increases, key data such as customer information, employee information, business and strategic plans, and the like are getting sent up to the cloud. Add to that the growing online and mobile segments, as well as the “Bring Your Own Device” phenomenon, and banks are swamped with the amount of sectors they need to keep their eyes on.

Alex Lim, Forcepoint SEA regional sales director and APJ channel and alliance director, says these present additional layers of vulnerability which attackers can take advantage of. “As critical business data and intellectual property gets pushed beyond traditional perimeter, security teams need to have deep visibility of thousands of user activities in the cloud, to understand user behaviour (End User Behaviour Analytics) and implement data loss prevention capabilities that stop exfiltration of valuable data.”

Network upkeep
Of course, having the best people would mean nothing if a bank’s cybersecurity equipment are potatoes. As such, Allott comments that investments in technology should continue rolling in. “Security can be built into automated tools and bots that simplify cloud security controls so that more people can effectively set and monitor their protections.”

David Poole, MYPINPAD business development director, also suggests improving backend systems for risk analytics. He says, “this will enable faster and more effective fraud detection, harnessing behavioural analytics, location recognition, and effective transaction reviews.”

Poole also stresses the need for an effective multi-factor authentication (MFA) system to verify employee and consumer identity. Whilst effective at keeping fraudsters out from the network right at the login stage, MFA measures such as one-time passwords can be easily compromised. Luckily, banks are already moving on to more stringent measures that combine stronger factors like PINs and biometrics.

He also says that strong authentication consists of three independent factors: knowledge (something only the user can know), possession (something only the user can have), and inherence (something the user is). Applied to banking, knowledge can be the PIN, possession can be a phone, and inherence can be biometrics.
“If there is a breach of one, the reliability of the others are not compromised. It is designed in such a way as to protect the confidentiality of the authentication data that embraces both computer and human factors,” Poole explains.

From Plan A to Plan Z
Attackers are always changing their tactics, scanning systems for the slightest hint of vulnerability that they can exploit. That being the case, banks will find it best to assume that threats are going to get in no matter what defences are in place. Therefore, they have to set up measures to ensure that these attacks remain contained until they are detected and addressed.

Tim Liu, Hillstone Networks CTO and co-founder, shares “A sound company policy is a must. Banks should identify key assets and the threats these face, formulating their own defense strategies based on these. Additionally, security professionals need to keep up to date regarding the latest trends in attack and defense technologies so they can address network vulnerabilities in a timely manner.”

He adds, “Enterprises should realise that system breaches are not a matter of ‘if’, but ‘when’ and a good incident response plan is the key to containing the damage.”
Bhat also points out that there needs to be closer cooperation between entities and authorities around the region to better secure the finance industry. He commends the planned Asia Pacific Regional Intelligence and Analysis Centre as a good step towards a community-based cyber defence approach. He says that it should encourage regional sharing and analysis of cybersecurity information within the financial services sector. The scenario is a win for everyone except the bad guys.

“In conclusion, for banks to better equip themselves in terms of cybersecurity they need to combine both the back-end and the front-end of their strategy but also human factors. With this multi-layered approach, they will strengthen their weakest links and be able to stop fraudsters in their tracks before breaches take place,” summarises Poole.