BOI firmly ensures that any digital product is released only upon passing a series of thorough security tests. Card-less QR code-based ATM withdrawal is one of BOI’s latest innovative digital products. BOI has also provided a mobile app to prevent certain frauds by way of enabling the customer to deactivate his card when not in use, says G Naga Mohan, CISO, Bank Of India in conversation with Elets News Network (ENN).
How is Bank of India’s digital journey progressing?
Bank of India (BOI) has a deep-rooted culture of constantly striving for customer service excellence and has always been a forerunner in its efforts towards improving customer satisfaction. It is obvious that digitisation has become a vital tool in such an endeavour, but not without its security-related facets. BOI firmly ensures that any digital product is released only upon passing a series of thorough security tests. Card-less QR code-based ATM withdrawal is one of BOI’s latest innovative digital products. BOI has also provided a mobile app to prevent certain frauds by way of enabling the customer to deactivate his card when not in use.
This effectively protects the customer against card-based frauds. Besides, BOI has also been in the process of thoroughly revamping its e-banking platform with several innovative and customer-friendly features. ATMs are being made more and more secure by constantly adopting improved security standards.
What ways are you implementing to curb information security risks?
Countless are the information security risks faced by financial institutions today. No measures are sufficient. A few measures taken are the renovation of the Security Operations Centre (SOC) with state-of-the-art technology and integrating it with numerous security solutions, mainly to address the new shift in security from prevention to detection and response. However, security awareness is one such risk that cannot be curbed by mere technical measures.
The biggest challenge in curbing the information security risk is want of awareness among stakeholders, viz., internal employees, third-party vendors, and of course, customers. According to a study, more than 90 percent of network breaches across the globe are caused by Phishing attacks. It is indeed painful to watch innocent customers losing their hard-earned money out of Phishing emails, Vishing calls and Smishing SMSes, which are all social engineering attacks, and this kind of attack can be primarily tackled by way of inculcating awareness. Inculcating awareness is a continuing process.
Customer awareness is attained through multiple channels of communications, viz., Facebook, Twitter, Bank’s website, e-mail, SMS, security pop-ups in mobile apps, posters at branches/ offices, on-site/off-site ATMs. Besides, many measures are taken to improve awareness among employees and other stakeholders.
Preventing third-party data breaches would be tough. Your thoughts on this?
Yes, it is true to a great extent. In a recent study, it was shown that 63 percent of data breaches were linked to a third-party vendor that was responsible for system support, development, and/or maintenance. Having dealt with so many vendors for more than a decade, I believe that strong Service-level Agreements (SLAs) coupled with regular audits would address this issue to a considerable extent. Also, the implementation of multi-layer protection techniques and Database Access Monitoring (DAM) tools will help in the prevention and detection of related incidents.
As the CISO of the bank, what are the major threats?
As quoted by one eminent security professional recently, the top three major threats today are social engineering, social engineering, and social engineering. It may sound a bit of an overstatement but it’s right to a great extent, and social engineering attacks stem from the ignorance of the victim.
If we look around without any pre-conceived ideas, we may easily notice that lack of enough cybersecurity awareness among the stakeholders is the chief cause behind most of the major breaches across the globe. Once adequate awareness is in place, most of the things fall in place. Some of the other issues are:
i. Not sticking to the basics of security is a major threat in itself. This includes insecure configuration and not applying security patches on time, leaving the known vulnerabilities open. For instance, an Indian Coop Bank incident could have been prevented if the security patches, which were released a few weeks before the breach, had been installed on time. Despite the attack being very sophisticated, the breach of the network was very simple and could have been prevented easily had the basics been followed.
ii. Lack of control over third-party risks.
iii. Not having enough practice in place to test existing cybersecurity measures on a regular basis. The best-defined policies and processes may simply deprive us during the times of actual need, if not tested regularly.
What innovations are you planning to implement in the bank to enhance cybersecurity?
Learning to think like a thief makes you the best police. I believe no innovation works if we are weak in basics. The following steps would be, I think, highly effective in enhancing cybersecurity in any institution and will be more effective than any innovation.
i. Sticking to basics: application of security patches on time, strictly implementing secure configuration coupled with disabling unnecessary services may look like small steps but would play a great role in prevention.
ii. Continuous awareness campaigns for all stakeholders, viz., senior management, employees and customers.
iii. Having control over third-party security practices: strong SLAs, regular audits, role-based access controls, multi-layer protection techniques, and Database Access Monitoring tools will considerably reduce the relevant risk.
iv. Regular cybersecurity exercises to test the defined security processes.
v. Having a strong backup system in place to survive Ransomware-like attacks.
vi. Shift towards detection and response: according to a recent study, the average time the adversary stays and explores in the victim’s network before actually conducting the attack is about 220 days. As it has been accepted across the globe that 100 percent prevention is next to impossible, timely detection and effective response would complement the gap to a considerable extent. The banking industry today is decisively moving in this direction.