Cyberattacks – BFSI’s stifling nightmare. With the constant progress of IT infrastructure connectivity and innovations in digital technologies, processes and systems are undergoing tremendous automation, but at the same time they are extremely vulnerable to sophisticated cybercrime. In theory, as a system gets more complex, it gets less secure. The growing complexity of digital systems has consequently changed the forms, functions, and sophistication of cyberattackers.
A conversation with Pankit Desai, co-founder and CEO of Sequretek, a Mumbai-based cybersecurity company, yielded several insights on cyberattacks. It is quite alarming to note that co-op banks are the most vulnerable to cybercrimes of varied sorts.
Sequretek provides enterprise clients with an end-to-end simplified cybersecurity platform. The company’s products are designed on AI platforms and are capable of reacting to threats in near real time. The endpoint security product, EDPR, is one of the company’s recent launches. Sequretek boasts of being known in the BFSI sector for using unconventional ways to detect security breaches, using AI to spot an attack from miles away and stopping it before it can cause any real damage.
In his discussion, Pankit Desai lays out the grim reality of banks in India failing to invest in and deploy cybersecurity platforms and thereby succumbing to data breaches and monetary frauds.
Value chain partners pave way for sophisticated cyberattacks
Sophistication in cybercrime is known to be growing at an alarming rate globally. The world over, banks have woken up to the fact that their cybersecurity software needs to be agile enough to detect and thwart attacks quickly, before they even attempt to invade, in order to protect data and funds. Hacktivists and cyberthugs are two words that are becoming common terminology in the sector. So, understanding where these cyberthugs find easy entry points in India’s banking sector becomes mission critical.
Initiating the explanation, Pankit Desai says, “We have to understand where the real challenge lies. Within the banking segment, we can divide it into 2 types of banks – top tier banks and co-op or scheduled banks. The top tier banks, both private and public, generally invest significantly in securing their systems. If you go a little deeper into the attacks that have impacted such large banks, they have mostly come from their value chain partners, who have restricted access to banks’ systems but are quite low on security at their end. Hackers use highly sophisticated methods and different kinds of payloads to breach the defenses through value chain partners in order to impact the top tier banks. For any hacker to make that kind of effort would indicate some agenda-driven forces at play or even state-sponsored cyberterrorism.”
“On the other hand, there are their poor cousins – co-operatives and scheduled banks. Volume wise, they are moving a sizeable amount of public money; these banks have already moved into the digital age when interacting with their customers using multiple digital touch points. They have also implemented CBS solutions across their branches. While on one hand they are embracing tech, sadly they are not investing enough in their cybersecurity. As a result, we have seen many small-size banks, e.g. Cosmos Bank, City Union Bank, being breached,” reveals Desai.
Desai says that even though there are clear RBI guidelines to invest in security, small- and mid-size banks do not make a financial commitment in the security space. They still face the same issue of size versus the ability to invest. For smaller organizations, it gets really difficult to carve money out to invest in technology and security. “This makes them easy targets where hackers don’t have to plan sophisticated attacks for months. They just come, steal info or data and leave; sometimes, banks don’t even come to know for weeks that they have been breached. In most cases, security investment hasn’t graduated beyond anti-viruses and firewalls; this is where the challenges come up.”
The worrisome trend in cyberattacks
“While most of the known breaches have been about taking money from accounts, in a fair amount of cases, it is just violating the existing processes in terms of data exchange. In some cases, hackers’ job was made easy as organizations have been known to share data with their value chain partners in plain text. This has, in turn, caused the intermediaries to lose money because of poor data exchange design principles. In cases where hackers have been able to carry out a ransomware attack fairly easily, banks end up paying huge amounts just to get out of such situations,” avers Desai.
“As we go down the chain, the percentage spend on security begins to shrink. Over the past few years, the BFSI space has seen significant changes in how they conduct business on account of technology transformation. For example, the co-operative bank segment has seen core-banking technologies now implemented for all the banks, or for that matter the new wave of fintech companies responding to the changing consumer is ‘born digital’. However, both these segments seriously lack commensurate investment in security. Large companies in the BFSI sector globally spend close to 4 – 8% of their IT budget on security and if smaller banks were to reach 2-2.5% of their IT budget, it would be a good starting point,” points out Desai.
Cyberattacks are going to be a persistent problem for all digital organizations. This does not mean that all organizations should blindly buy a common product that would curb attacks of all kinds. There is no one size that fits all. There isn’t an objective way of looking at what is the right product for an organization. It is always subjective and depends on the company, the whole motive, and appetite. What applies to larger banks in the country will not apply to smaller banks. Looking at the product feature set is probably not the right way to address a security problem. The best way is to understand how you operate as an organization and how you create a security defense architecture. People, process and technology are the 3 pillars which need to work in tandem if we want the good guys to win more. If one of them is compromised, intentionally or otherwise, there is bound to be damage.
“Product is one part of the cybersecurity strategy. In today’s age you have to assume that, more likely than not, a breach will occur. Ability to understand the kind of processes, tech, response mechanism, so that your people do not become the weak link, is how you stay ahead of a threat,” warns Desai.
Integrated AI-based cybersecurity platform – the only solution
“The old saying – Prevention is always better than cure – fits really well here. Banks have become much more mature in terms of two subjects. First is to bring in as much automation as possible and reduce people dependency in security. The way security works today has a fair amount of human intervention in making the technologies and products effective for an organization. The second subject is in the area of proactive defense, especially with the Tier 1 banks. Banks today are seeking out hackers or threats proactively versus investing in creating defenses. Automation and proactive defense tactics are being used to take the fight back to hackers,” opines Desai.
“At Sequretek, a managed center has been designed to monitor millions of attacks on a daily basis using Artificial Intelligence. The data scientists then study the incidents to find a similar pattern in their customers’ environment to identify if an attack is being planned. This helps them release a patch or a technical advisory to the companies to update any vulnerability in order to safeguard their networks and servers etc. We believe with the ever-changing threat landscape, cybersecurity companies can no longer afford to be reactive. The attacks are getting sophisticated each day and thus the approach has to be proactive. Interestingly, some of Sequretek’s scientists download a virus knowingly to take it apart piece by piece to find hackers’ signature in order to find the origin and intent of the virus,” shares Desai on Sequretek’s successful cybersecurity process.
Boardroom discussions on cybersecurity investments
Desai says that regulatory-driven organizations already have a mandate to make cybersecurity a board-level topic. Market regulators have written to the top 500 companies to identify security as a board-level concern and invest in it accordingly. “The good part is that at the board level there is an appreciation towards security discussion and a realization of its changing nature. However, to what degree that is being followed through is still unknown,” says Desai.
Desai’s remarks imply that companies in the BFSI sector first need to understand how the security risks for them have changed over a period of time, where the money is being invested and, most importantly, how effectively the invested set of technologies is working for them. Lack of simple hygiene activity is a far bigger reason for security attacks to take place. A large number of attacks happen by tapping into rudimentary vulnerabilities. Regular security audits should become a part of business operations. This includes small things like checking whether the last mile machine has an updated security patch. Companies should also create a consolidated security policy. It is important to stay updated and revisit the security policies regularly to avoid any security breaches.
“I personally feel that the regulatory framework for banks in India is far more stringent and far more active than elsewhere; what we miss out on is the need to proactively report security issues. It is considered a taboo to declare a breach. If such breaches are shared, other organizations also realize that they are not alone, and cumulative action and regulations can be formed to avoid such threats,” concludes Desai with a powerful suggestion.