Emerging security risks for banks: Trouble begins at home in most cases

An article by Kiran Shetty, CEO & Regional Head- India and Sub-Continent, SWIFT India

Malicious insiders need to be considered just as much as any external threat. The cybersecurity threat is serious, concerted, sophisticated and it constantly evolves.

Cybersecurity must be a priority

Networked technology is introducing huge benefits to the economy, trade and society – making hitherto unthinkable advances, and enabling banking to reach the previously unbanked.  The inroads and advances that have been made in India and introduced in India are outstanding – just consider how much mobile banking has done here. But the risks the networked world brings can’t be ignored: security is key to ensuring that we reap the advantages of these advances.

The financial sector has invested hugely in security – and is arguably among the most advanced economic sectors when it comes to the use of IT. Logically also, the industry is amongst the most advanced when it comes to IT security. But clearly there is more to be done. Malicious insiders need to be considered every bit as closely, for instance, as external threats; and we have to be aware that the cybersecurity threat is serious, concerted, and sophisticated. It constantly evolves, and our security behaviours have to evolve with it.

At SWIFT we take cybersecurity very seriously: it is core to the service we offer – a secure and reliable communications channel to facilitate message exchange between our customers. Day-in, day-out, more than 11,000 customers in more than 200 jurisdictions around the world rely on us for their messaging. We have an unrelenting focus on our security, and have had this since our inception, 40 or so years ago.

And that is not all. While all customers are responsible for protecting their own environments, we have established a Customer Security Programme (CSP) to support customers in the mounting fight against cyber-attacks. Launched in 2016, the programme is designed to assist customers in protecting and securing their local environments; in preventing and detecting fraud in their commercial relationships; and in sharing and utilising fraud-related information to defend against future cyber threats.

We have been heavily engaged with our customers all around the world, both in developing and in rolling out this programme; running workshops; roadshows; webinars; roundtables; training sessions and more, raising awareness and ensuring the programme and its tools are properly understood and adopted. Over the last 18 months in India alone we have run multiple events in Mumbai, including six security bootcamps, a CISO CTO Forum, and a regional conference almost wholly focused on security. All this has been complemented by security roadshows in Delhi, Bangalore, Chennai and Kolkata and undertaken in close collaboration and coordination with the Indian Banks’ Association and the Reserve Bank of India.  There will more in the months and years ahead as we continue in our efforts.

A particular focus this year will be on our new controls framework. As part of the CSP, in April last year SWIFT published a security controls framework, a detailed description of mandatory and advisory customer security controls. These controls provide a security baseline for the community, clearly describing a set of mandatory and advisory security controls for SWIFT customers to implement both on their local SWIFT infrastructure, and on the full end-to-end transaction eco-system within their firms, including payments, securities trade and treasury.

All SWIFT customers had to attest to their level of compliance with the mandatory security controls by 31 December 2017, and 89% of customers, representing 99% of SWIFT traffic had attested their level of compliance with the mandatory controls by the deadline. This was an overwhelmingly positive response from the community – across every segment, market, geography and infrastructure type. But this is just a first step.

All SWIFT customers should now be working both to absorb this information from their counterparts and build it into their risk assessments, as well as to address any gaps in their own compliance with the mandatory controls. All customers will also have to re-attest against the controls by the end of this year, confirming their compliance with all mandatory controls.  We will work closely with customers in India, as we will right across the world, to help ensure their preparedness to meet this new challenge.

Cyber preparedness cannot come soon enough; a security mindset is pivotal, wherever the threat may be coming from, inside or outside organisations. Since the incident in Bangladesh in early 2016 we have continued to work with customers who have experienced incidents, both to assist them, and so that we can share anonymised insights on Modus Operandi and Indicators of Compromise back with the wider community. In every case, we continue to see the same basic patterns.  Firstly the customer’s local environment is compromised, and second valid operator credentials are obtained and used.  In protecting against these critical first two steps, customers must consider both insider as well as outsider threats – the attacks will not necessarily be perpetrated by remote outsiders, malicious insiders present just as much risk. Cyber risk is not limited to technology risk – it is also a people risk.

The mandatory controls set out in our CSP framework are designed to help customers structure their approaches to address these risks: a lack of user privilege segregation; missing transaction business controls; poor password policies; inadequate logical access controls based on need-to-know, least privilege, and segregation of duties; or shortcomings in personnel vetting.  These controls should apply throughout organisations, ensuring that no access permissions or privileges are unintentionally granted.

Once the attackers have obtained valid credentials, attackers (or insiders) can then submit fraudulent messages and subsequently attempt to hide the evidence.  Here, users need to implement measures for prevention and detection. This includes monitoring transactions, managing business relationships and reconciling activity – all of which SWIFT provides capabilities for; as well as ensuring the rigorous implementation of business and back-office flow security measures. The financial sector has to operate with an assume breach mentality. SWIFT is committed to working with its community in India and around the world to ensure that.