April 18: The global health crisis spurred by COVID-19 has brought huge digital transformations in the country. A large part of the population has started making digital transactions following the lockdown that restricted physical movement. There has been a sharp rise in the number of transactions done through electronic and internet platforms.
In the month of Shrawan 2077 (mid July/mid Aug 2020), transactions worth Rs 18.39 billion took place through mobile banking. The value of such transactions increased to Rs 40.35 billion in the month of Chaitra (mid Feb/mid March). Likewise, transactions worth Rs 51.3 billion were done through connectIPS in the month of Shrawan (mid July/mid Aug), which went up to Rs 110 billion in the month of Chaitra (mid Feb/mid March).
The growth in digital transactions is positive news for all electronic service providers, but with this growth also come digital risks like data loss, identity theft, and financial loss. In this context, Rebati Adhikari of New Business Age talked with Prabesh Poudel, Information Security Officer (ISO) at Nabil Bank, to seek his views on the importance of digital security in the banking sector. Excerpts:
With the increase in digital banking, how important is digital security?
Today, in one form or another, every bank is on the path to digital transformation, with digital payments moving ahead at high speed. But at the same time, in the absence of proper security controls, there are chances that banks could suffer major service failures due to their inability to manage digital risk. So, while we talk about digital transformation, security transformation cannot be left behind but must go hand in hand. In this new digital world, the implementation of new digital technology not only requires system implementation but also requires focus on areas related to digital security.
What kind of security measures should banks employ to ensure digital security?
A complete security strategy has to be in place to protect information assets. Security has to be looked at from different aspects such as secured technology infrastructure, on-going security assessment, on-going security monitoring and, most importantly, security culture. All these have to be guided by strong policies and procedures.
Threat actors have shifted efforts to target end users by exploiting user behavior, misleading users into opening and executing a malicious file, going to a malicious site or handing over information, typically using lures which create urgency (e.g. lottery payment) or leverage current crises and events (e.g. covid fund).
So in this scenario, one of the challenging things in today’s context, especially in the case of Nepal, is security awareness. So, a secured system alone will not help in strengthening information security; user awareness is just as important.
Is the banking sector experiencing more risks from mobile banking apps? What should be done to minimize it?
Security threats exist everywhere, be it traditional banking or modern banking with digital channels, but how you take precautions is what plays the major role.
Yes, with a mobile app there are potential vulnerabilities related to the security of the app itself, vulnerabilities in code and also potential vulnerabilities related to the transmission of information. In addition, threats coming from the unawareness of consumers are even more critical. There have been instances in Nepal in which mobile banking users were found to have shared their password/OTP with fraudsters.
So to list some of the preventive measures, before installing any mobile app, a complete vendor assessment, i.e. an assessment of the technology service provider, is very important. This should be followed by VAPT (Vulnerability Assessment and Penetration Testing) of the system itself to ensure the system is secured before LIVE implementation. But it does not end here because security is an on-going process as new threats are evolving day by day, so on-going security assessment, security monitoring and security awareness for consumers are a must.
Banks can use a security awareness training program to educate their employees as well as customers about the importance of data security. Say, for example, when Multi Factor Authentication is implemented in any system, customers should also be aware of its importance so that they don’t share their password/OTP with anyone with wrong intent.
So, it’s no longer about just the individual components of a security framework. Focus must be on how they are orchestrated to build a more effective security posture.
What kind of mechanism should banks set up to monitor/respond to cyber threats?
Security monitoring is one of the important components of information security, and the best way to do it is by establishing a Security Operations Centre (SOC), which includes a team of security experts and the facility in which they dedicate themselves entirely to monitoring, analyzing and reporting information. A SOC team monitors cyber security threats on the basis of logs from various critical systems 24/7, detects and responds to any security incidents it oversees, and then alerts the bank.
Banks can establish a SOC in-house with their own team or may outsource it to a professional and reliable third party. There are multiple companies in Nepal that have been providing ‘Managed SOC’ service.
What significance does an information security audit hold?
An information security audit will help in the comprehensive assessment of a bank’s information system and can help identify system weaknesses and vulnerabilities in IT infrastructure. In addition, it also verifies the bank’s policies and procedures and security controls, ensures regulatory compliance, and much more. Such an audit will definitely help in the continual improvement of the security posture of the bank.
However, the most important thing while conducting such an external audit is to ensure that the audit firm comprises a professional team with enough experience, expertise and standard certification like CISA/ISO 27001 etc. for conducting information security audits.