BFSI : Safety Compromised

DQI Bureau
New Update

Over the last decade or so, the Indian banking and financial sector has seen

several transformations. The operating environment of banks has changed

significantly in terms of liberalization of regulations, increasing competition

from both domestic and foreign players and need to revamp the business, which

came with the legacies of the protected era. Simultaneously, implementation of

information technology began in right earnest in the sector. Starting from back

office automation, which was aimed largely at processing of voluminous data and

automation of cheque clearing operations; the adoption of IT moved to the front

desk in the form of total branch automation. Further, while competition gets

tougher, there is now a constant pressure on IT departments to achieve more

within tighter budgets. However, while the adoption of technology has brought

several benefits to the financial institutions, various threats in terms of

malicious software, unscrupulous insider and external fraudsters, natural and

man-made disasters are real. Lets take a look at some of the top information

security challenges faced by the banking and financial segment.

  • Business threat related to i-Banking: To remain competitive in the

    industry, where all banks are putting efforts to ensure easy access and

    transaction process for their end customers, the associated security threats

    and challenges mount higher. Transmitting data across the Internet link,

    through secured and unsecured channel is always a challenge. With increased

    convenience of online banking, the threat of unscrupulous elements getting

    into the networks and perpetrating frauds looms large. In this context, the

    security governance, security policy and its implementation and the

    well-tested and reliable business continuity measures assume importance. As

    any system cannot be perfect, its audit and expeditious action on the findings

    become crucial to continuous enhancement of security systems in the face of

    ever-growing sophistication of potential attackers. The bank has to ensure and

    safeguard not only its information database but also customers critical

    investments from malicious intender on the Internet. The requirement of

    encryption solution, digital certificate, secured connectivity for mobile

    users and customers, secured hosting environment have become extremely

    critical for all BFSI organizations.

  • Managing and correlating threats across the enterprise network to

    contain risks:
    Event correlation is the key to properly identify the true

    threats an organization is facing. Threat correlation ensures that risk

    management teams are always focused on the top most priority, simultaneously

    reducing potential risk and corporate liabilities. A good correlation solution

    has the power and scalability to collect, normalize, consolidate and correlate

    events from the largest organizations, enriching data with extensible threat

    taxonomies, knowledge-base links and both user-defined and automated responses

    to threats. Recent security regulations for the BFSI segment have escalated

    the demand for threat correlation.
  • Near real-time mitigation of phishing: A recent report by

    Cyveillance stated that number of phishing attacks grew by 50% in the first

    two months of 2007 from 800 to 1200. Further, another report by University of

    Indiana School of Informatics showed that an average of 8 to 14% of

    respondents to a phishing email go ahead and click on it. To safeguard

    themselves from potential risk, financial institutions need to get this number


    An Eye on the Phish

    Some recommended strategies to

    mitigate phishing risks
    • Deploy transactional authentication

      software Transaction authentication software applies numerous other

      factors that include the computer hardware, IP address, geo-location,

      time of day, user history, display settings, browser plug-ins to examine

      and approve each transaction. If the software finds any discrepancies

      then it escalates to management or begins to ask questions.
    • Deploy software which quickly shuts down

      phishing sites Enterprises should use service providers that screens the

      Internet 24 hours a day looking for phishing sites that may target you.

      In some cases they can prevent an attack from taking place while in

      others they can quickly respond and block the website.
    • Educate the consumers A concerted

      education campaign is needed by the financial institutions. It must

      describe the threats and appropriate counter measures over and over to

      the consumer such that they absorb and adopt.
    • Deploy stronger authentication

      selectively Stronger authentication should only be used for higher risk

      individuals in higher risk situations. This will help to mitigate the

      risk of common keyboard logger attacks but wont stop in the middle

      attacks. Consider usage of things like confirming cell phone calls,

      digital signatures and SMS messages to help mitigate your enterprise

      risk. One time passwords are also useful but are more expensive to

  • User provisioning and identity management: User provisioning and

    identity management systems allow financial institutions to know who is

    accessing what and provide a suitable user experience by restricting or

    controlling access accordingly. In light of the increased cases of hacking and

    unauthorized access, enterprises are adopting automated policy enforcement

    that helps maintain optimum security levels while managing large number of

    users. Integrating digital IDs with provisioning systems can further help to

    lower total cost of ownership and maintain consistent security policy across

    users, applications and environments.
  • Managing privacy and confidentiality of user data: Customer related

    and transaction data forms the backbone of banking services; more so in the

    current scenario where banking is becoming virtual and transactions are

    becoming electronic. To fight the increasing competition, it is becoming

    critical for banks to maintain the privacy and confidentiality of user data.

    Data Leakage prevention solutions and encryption solutions for mobile assets

    are being increasing adopted by BFSI organizations to keep this date

    confidential and inaccessible from improper hands
  • Regulatory compliance: Globally, there are a staggering 16,000

    regulations that businesses need to comply with, including significant

    legislation such as IT Act, SEBI Clause 49, Sarbanes-Oxley, HIPAA and

    BASELII. According to an IDC Survey, the worldwide information management for

    compliance market will cross the $20 bn mark in 2009 growing at a compound

    annual growth rate of 22% through the 2005-2009 forecast period.

With the help of Security Service providers, financial enterprises can adopt

inexpensive and unified approach to compliance management which also reduces the

cost, time, effort and complexity involved in adhering to multiple regulations.

  • Increased risk from internal network: Most of the networks of BFSI

    organizations in India are increasing their geographical spread in order to

    meet business directives. This is exposing them to loss of administrative

    controls over internal users. Financial organizations are countering these

    threats by working with various zero-day prevention technologies like

    signature less behavior based protection solution and network access solutions

    for granting access to the network, only for valid, authenticated and known

  • Need for end point security: Due to the faster spread of the BFSI

    branches in an effort to reach maximum market penetration, banks are now

    facing new challenges in ensuring maximum security from the various end

    points. Business demands nowadays, interaction from a dynamic environment

    beyond the banks internal network, which imposes various threats. End point

    security solutions help banks to ensure compliance to implementation of

    certain pre-defined security controls on all the end point accesses. Further,

    preventing data loss, desktop firewall, desktop HIDS, Network Access Controls

    (NAC), patch management solution, anti virus solutions help banks in ensuring

    the compliance have a secured and wider network.

Managed Security Services has emerged as an important discipline to address

the above challenges, through integration of people, process and technology.

Each of these three components should be managed considering the capabilities

and limitations of others. When the components are considered as a whole, they

should provide for adequate overall risk mitigation.

Prosenjeet Banerjee

The author is associate vice president, global security services, HCL