Learning from the best: Cyberattack lessons from the BFSI sector
The banking, financial services and insurance (BFSI) sector in Australia is one of the industries most prone to cyberattacks, as transactions and connectivity among consumers become more digitised. The proliferation of mobile apps and data is fuelling an increase in cyberattacks around the world, often because of vulnerabilities and poor security practices on the part of the app owners.
In developed markets such as Australia, the BFSI and communications sectors had the highest incidence of distributed denial-of-service (DDoS) attacks in 2016. Breaches are also becoming increasingly sophisticated and highly targeted, as demonstrated by the recent spate of WannaCry and Petya ransomware attacks, which often result in millions of dollars in damages. The average cost of a cyberattack to Australian businesses is about $622,000 AUD, and approximately three-quarters of all Australian businesses have been attacked in the past year, with as many as one-third attacked in one month alone.
When these breaches occur, financial institutions are some of the quickest to respond, investing heavily in innovative, reliable and modern security systems. A recent ASX survey found that Australia's financial services sector is tackling cyber breaches most effectively.
Because banks and financial institutions acknowledge their duty of care to protect the highly sensitive data and confidential information of their customers, they have some of the most heightened security practices and infrastructures in the business. Banking is also one of the most highly regulated sectors, so safeguarding data is often a legal requirement.
Other sectors, including retail, manufacturing, education, healthcare, government, transport and logistics, and energy, can look to banks' stringent compliance practices and best practice to inspire their own IT safeguards.
What specifically are these institutions doing so well, and what can other sectors learn from them to protect their apps and data from malicious hackers and safeguard their customers' personal information?
The best security involves multiple layers
When it comes to IT protection, the more security layers an organisation has in place, the more difficult it is for criminals to gain entry to its systems, apps and data. Looking to Asia, Singapore's DBS Bank has architected its online internet banking service so that it requires consumers to complete two-factor authentication – an extra layer of security that requires not only a username and password, but also a private piece of information only they know. These added layers of security underpin everyday transactions, such as fund transfers and bill payments. While multi-factor authentication can be circumvented with the right targeted malware, organisations across all sectors can still deter cybercriminals by putting more rigorous security systems in place.
Detection and prevention can protect against fraud
As well as strong user authentication tools, many banks offer two-way alerts that notify customers of suspicious activity in near real time and let customers respond, telling their bank whether a transaction is legitimate. Alerts notify customers of unusually large transactions or transactions taking place in a foreign location. This is especially relevant for the retail sector, where online retail giants have been the victims of high-profile data breaches. eBay, for example, suffered one of the biggest data breaches in history, when around 145 million records containing passwords were accessed by hackers.
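As an added illustration of the two alert rules just described (unusually large amount, foreign location) and the two-way customer reply, here is a small rule-based screener. It is not code from the article or from any bank; the home country, the 5x threshold and the sample transactions are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

HOME_COUNTRY = "AU"        # assumption: the customer's home market
LARGE_MULTIPLIER = 5.0     # constructed threshold: 5x the customer's average settled spend
MIN_HISTORY = 3            # need a few settled transactions before judging "unusually large"

@dataclass
class Transaction:
    txn_id: str
    amount: float
    country: str

@dataclass
class Alert:
    txn_id: str
    reasons: list
    status: str = "PENDING"   # becomes CONFIRMED or DISPUTED once the customer replies

def screen(history: list, txn: Transaction) -> Optional[Alert]:
    """Apply the two rules the article describes: foreign location, unusually large amount."""
    reasons = []
    if txn.country != HOME_COUNTRY:
        reasons.append("foreign_location")
    if len(history) >= MIN_HISTORY and txn.amount > LARGE_MULTIPLIER * mean(t.amount for t in history):
        reasons.append("unusually_large")
    return Alert(txn.txn_id, reasons) if reasons else None

def settle(history: list, txn: Transaction, alert: Optional[Alert], legitimate: bool = True) -> str:
    """Record the customer's reply. Only unflagged or confirmed transactions feed the baseline,
    so a disputed (fraudulent) payment cannot inflate the average and mask later fraud."""
    if alert is None:
        history.append(txn)
        return "SETTLED"
    alert.status = "CONFIRMED" if legitimate else "DISPUTED"
    if legitimate:
        history.append(txn)
    return alert.status

# Constructed sample: four settled domestic payments averaging $50, then four new ones.
SETTLED = [Transaction(f"T{i}", a, "AU") for i, a in enumerate([40.0, 55.0, 30.0, 75.0], 1)]
INCOMING = [Transaction("T5", 600.0, "AU"), Transaction("T6", 20.0, "US"),
            Transaction("T7", 45.0, "AU"), Transaction("T8", 900.0, "US")]

def run_demo() -> dict:
    history = list(SETTLED)
    outcomes = {}
    for txn in INCOMING:
        alert = screen(history, txn)
        # constructed customer replies: every flagged payment is genuine except T8
        outcomes[txn.txn_id] = (alert.reasons if alert else [],
                                settle(history, txn, alert, legitimate=(txn.txn_id != "T8")))
    return outcomes

if __name__ == "__main__":
    for txn_id, (reasons, status) in run_demo().items():
        print(txn_id, reasons or "-", status)
```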
Retailers are slowly catching up and are increasingly adopting detection and prevention practices. Last year, Amazon sent emails to its users asking for a quick password reset; the reason was a possible breach of some users' credentials. Bricks-and-mortar stores can also adopt tighter security measures for their store-issued shopping cards, including PIN security and chip-based "smart cards" (which are already in use in Europe). Credit card fraud remains a massive problem worldwide, but it can still be slowed with 'smarter' safeguards.
Communication is key
Amazon's alert emails also highlight the necessity of swift and informative communication with users. The Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT) recently warned customers that it was aware of a number of fraudulent payment cases in which the affected customers had suffered breaches of their local payment infrastructure. SWIFT quickly launched an initiative to share cyber threat information with customers to help them protect their own environments from intrusions and malware. Other sectors can learn from banks' improved communication with, and education of, customers, as well as from their swift reaction when an attack occurs. No matter the industry, trusted communication is key for customers to feel protected and valued.
The finance sector is constantly being challenged to fight cybercrime and, given the potential financial gains from successful attacks, the battle with malicious hackers is likely to rage on if the current climate is anything to go by. However, banks employ some of the most rigorous security tools, technologies and services, and other sectors can look to these trailblazers for best practice. Multi-layer authentication tools, detection systems and customer communications are just some of the cyber safety lessons that apply to all sectors in order to better safeguard mobile apps and protect customers' personal information from key vulnerabilities.
From a business perspective, a 'new normal' of security is required – one where IT risks are communicated in business terms and IT safety is backed up by the right technology infrastructure and installations. This will help empower organisations to achieve compliance within their sector. Cybercrime poses a serious threat to companies, leading to significant business implications and bad press. Ultimately, though, absorbing best practice from industry leaders allows companies to increase sales, save time, cut costs and foster better connections with customers.