In this new digital age, banks can innovate, expand their portfolio of services, and improve customer experience like never before. With greater opportunity, however, comes greater risk.
In reimagining their technology stacks and increasingly embracing both public and private cloud infrastructure, the industry is also unwittingly exposing itself to attacks from cybercriminals. Failure to tackle these new threats causes significant operational and reputational damage, so the banking sector – incumbents and challengers alike – has to act fast and ambitiously.
“It is a lot easier now than it is with a gun at a branch,” says Jonathan Donahue, VP and strategic growth leader for fintech and banking at WNS. “The Bonnie and Clyde era is over – you’re unlikely to get killed robbing a bank online.”
“Foreign adversaries are targeting banks in the US and Western Europe, where so much of the world’s wealth resides. Cyberattacks can happen to anyone, even the most sophisticated users of technology,” he adds.
The threat of cyberattack is not new, but it has been dramatically exacerbated by the Covid-19 pandemic and the growing number of consumers and bank employees accessing networks and services remotely.
“The biggest threat in the last few months has come primarily because people are working from home,” acknowledges Arvind Singh, lead associate data scientist at WNS. “That creates potential opportunities for cyberattacks and cloud sprawl. Organizations would not have seen that trend before Covid-19.”
Cloud sprawl is the uncontrolled proliferation of an organization’s cloud services or providers. The proliferation of entry points has emerged as a major challenge for CISOs in the age of remote working.
“This has given hackers more opportunity to enter a system,” Singh adds. “Companies have implemented tools to combat it, and everything is usually monitored through a centralised security environment, where every click of a button is recorded, but the problem has increased nonetheless.”
Reimagining security in the digital age
Digital transformation and advances in AI and automation are changing the scope and complexity of financial crime, particularly cybercrime. The demand on bank networks rises when they are being re-worked and re-imagined. Therefore, cybersecurity must also leverage new technologies to have a proactive security strategy in place.
“Financial institutions face a huge demand on their banking operations,” remarks Singh. “Many banks are now developing dedicated fraud investigation teams and automating their compliance operations. My team is also supporting fintechs in automating their operations.”
“When it comes to technologies, a huge change is happening,” he adds. “We are helping banks and fintechs identify opportunities within their platforms through APIs, bots, AI, analytics, and other tools – thus reducing false positives in the anti-money laundering (AML) space. Another huge change is outsourcing through a distributed model, and we are also seeing attack simulation become a key part of technology and assessment methodology.” It’s important to have a robust four-step risk assessment model to address the aspects of identification, assessment, mitigation, and prevention.
In assessing the risk of cyberattacks, banks have to look at their technological defences and the potential vulnerabilities of people within their organization. Many successful attacks arise from compromised login details or weaknesses in personal security rather than vulnerabilities in firewalls.
Singh has seen hackers make simple changes to security controls to remove a transaction from the high-risk category. By changing the classification of the originator of payment, for example, some payments can evade the usual stringent checks.
“Information leakage can happen through people, as well as through technologies,” he notes. “There is an operational element as well as a systems element. As a result, more businesses have started to create data repositories so that they can look at who is accessing files, especially back-end scripts.”
“Current security controls – anti-virus tools, authentication processes, and access control – can get hacked. Network monitoring, data repositories and intrusion detection that will block viruses are both important, but some attacks will be able to bypass them.”
Plugging the resources gap
In this new era of opportunity and risk, what can banks and fintechs do? For fintechs, part of the answer lies in addressing a potential vulnerability found in the basic premise of their market proposition – making accessing services as quick and easy as possible.
“I love fintechs, and I love working with them, and as a consumer, it is so much simpler to engage with them,” says Donahue, whose organisation recently launched WNS Finsible, a suite of banking solutions enabling fintechs to efficiently streamline, manage, and scale operations. “They are hiring WNS and people like Arvind to build the infrastructure to prevent fraud, because providing a simple experience for customers also means making it simpler for criminals to commit fraud.”
“If they simplify it too much and don’t protect the data, or if they don’t go through the first, second, and third reviews of each engagement, then they could lose a lot of money,” he adds. “They could face a lot of exceptions in processing and fraud claims. If fintechs grow too fast, they run the risk of losing a lot of money to fraudsters, which could have a ripple effect through the sector and cause valuations to drop.”
A key element in their response will be to ramp up the quantity and quality of their cybersecurity expertise for incumbents. However, this could prove to be a big challenge.
“Resource management is hard,” says Singh. “There is a skill shortage and a high attrition rate. At WNS, we already have the capacity, and strong, robust training models are in place. We can provide BPO services to our customers, who give us their work, to remove the headaches of monitoring skills development, quality, infrastructure, productivity, and more. It all becomes our responsibility.”
“Cybersecurity is a relatively new industry,” adds Donahue. “Few people are developing careers in this area, though the larger workforce is starting to respect it more as a critical business strategy function. Lack of available resources provides an advantage to firms such as WNS to pull in resources from around the world, and provide the expertise that is lacking in developed countries.”
The cloud reduces the costs of managing data in-house by leveraging third-party scale and technological know-how. Cloud services and BPO providers can access best-in-class technology to protect data and deliver the skills to stay one step ahead of the digital equivalents of Bonnie and Clyde.