Safer Internet Day: Data Safety Essentials For Financial Services Industry

Thanks to the advent of computers, the internet and now digital banking, the financial services industry, which forms the backbone of economies, has been going through a transformational journey in the past few decades. The COVID-19 pandemic further accelerated this digital transformation, especially in India, for financial institutions as well as consumers. We are now looking at accelerated modernisation in payment systems that could take the banking experience to a completely new level. 

However, this transformation has also given rise to bad actors in cyberspace, who are posing threats to the stability and credibility of financial systems.

Cyberattacks, including short and long-term hacking, ransomware attacks, intrusions and data breaches, transfer of sensitive personal data into the wrong hands. This results in not just severe financial and customer losses but also irreparable reputational damage to financial institutions. 

According to the latest report by Check Point Research (CPR), cyber-attacks are increasing worldwide, with 38 per cent more cyber attacks per week on corporate networks in 2022, compared to 2021. Cybersecurity Ventures predicts cybercrime will cost the world USD 10.5 trillion annually by 2025, up from USD 3 trillion USD in 2015.

It is, therefore, pertinent for both companies and users to be aware of increasingly sophisticated threat vectors and the associated prevention mechanisms.  

Ransomware: Designed to damage or access computer systems and data, this malicious software is one of the most common tools of attack in the sector. Hackers use it to first lock out users by encrypting files, and then demand money for users to regain access to systems. With a cybersecurity strategy underpinned by snapshots and a rapid restore solution, recovery from a ransomware attack can be reduced from several weeks to just a few hours. This will minimise the impact on users, customers and potential reputational damage suffered from being offline for a prolonged period of time.

Social engineering and phishing attacks:  Usually perpetrated through emails, these forms of attack involve asking employees and customers to download attachments or click on links. These often seem to come from legitimate sources such as banking and credit card companies. It is always advisable to verify these sources, not reveal financial information over email, use email filters, install anti-virus software and firewalls.

KYC-related breaches: With financial technology assisting the generation of humongous databases under Know Your Customer (KYC) norms, data breaches have also become common. Exposure of such data leads to grave financial frauds, personal threats and identity thefts.  While users must be encouraged to implement measures such as two-factor authentication and biometric verification in their access devices, financial services companies must also ensure stricter security measures to identify and comply with processes around data security and protection.

Trojans: Trojans are malwares that can attack computer systems through unauthorised drive-by downloads from websites or deceptive pop-up windows. Such attacks come to notice when users experience slow page downloads, requests for unusual additional information from bank websites and login fails despite the use of right passwords. Users and companies can act preemptively by using only secure websites and ensuring their software and firewalls are up-to-date. Organisations can also go one step ahead and identify clandestine threats using traffic filter solutions.

For every such event, being prepared is of vital importance, as is acting quickly during and in the aftermath of the attack. There is no better way than to take proactive steps to strengthen defences and act swiftly to minimise the effect. Organisations should have an active patch management program in place to ensure readiness, besides using good data hygiene tools such as admin credential vaulting and multi-factor authentication. Also, to identify potential attacks, institutions can utilise a fast analytics platform for log data. 

While these threats are essentially technology-based, human error has been identified as the main contributor to cyber threats. The World Economic Forum reckons that 95 per cent of cybersecurity issues can be traced to human error, and that insider threats (intentional or accidental) make up 43 per cent of all breaches. 

It is, therefore, vital that organisations create awareness among customers, train employees to identify and avoid cyber threats, outline guidelines for acceptable online behaviour and perhaps institute penalties for negligence. 

What would help financial institutions, and eventually customers, is a clear cybersecurity plan in place that will serve as a blueprint for all departments to follow. It would also be imperative to explore investments in regulatory technology (Regtech) and supervisory technology (Suptech) to strike the right balance between prevention, mitigation and compliance.

Going forward, these measures will strengthen banking and fintech resilience, centre consumer data safety and promote responsible use of online technology, even as the sector readies for swift changes in technologies and ecosystems.