Next level security measures Asian banks should intensify amidst cyber attacks
Banks need more than just password protection and static identity checks.
After Singapore was hit with its largest cyberattack to date in the form of the SingHealth data breach, in which the personal information of nearly 1.5 million individuals, including that of Prime Minister Lee Hsien Loong, was illegally accessed, the discussion shifted to which type of data deserves the strongest level of protection. But whilst healthcare data has become the top-billed target for attackers, Asian banks still remain highly vulnerable, especially now that digital technologies continue to evolve rapidly.
As banks in the region catch up with the rest of the world, they realise that keeping data secure is a tall order and requires dedicated effort in terms of development and strategy. Alisdair Faulkner, chief identity officer, ThreatMetrix, said that we now live in a post-breach world where digital identities have been compromised on a massive scale. According to him, Banking, Financial Services, and Insurance (BFSI) organisations have to face the reality that user IDs, passwords, and other personally identifiable information are widely available to cybercriminals who steal identities to create bogus accounts.
“Modern phishing attacks are very well targeted, can be difficult to detect, and aim to grant malicious individuals broad permissions over user data, user devices, and online services,” echoed David Shephard, vice-president for sales of Asia-Pacific and Japan (APJ), Bitglass. “The days of basic phishing schemes have more or less passed. Attacks now rely on advanced forms of infiltration that better disguise malicious intent—more people are vulnerable to attacks that obfuscate their intention. Asian banks are taking note of this.”
Following the attack, the Monetary Authority of Singapore (MAS) urged financial institutions to avoid relying, when verifying customer identities, on the information stolen in the SingHealth attack, which includes names, NRIC number, address, gender, race and birth date.
In its latest move to outpace the growing sophistication of cyberthreats, the MAS has also proposed to make a slew of cybersecurity measures under the existing Technology Risk Management Guidelines legally binding as part of a baseline hygiene standard for cybersecurity.
“Raising these measures into legally binding requirements will require FIs to focus on and ensure that these measures are well implemented,” said a MAS spokesperson. “Setting these requirements as a mandatory baseline for FIs will help enhance the security of their systems and networks, and ensure that the Singapore financial sector continues to be cyber resilient.”
The city state, which has experienced quite a number of breaches in the past years, is planning to prevent and mitigate cyberattacks with the new Singapore Cyber Bill. Gino Bello, senior director, FTI Consulting, said that in their work with local and international banks, most of what they have seen is that the banks are quite sophisticated in their Cyber Resilience posture, considering that they are highly regulated and will be classified as Critical Information Infrastructure once the Singapore Cyber Bill is successfully passed.
“The main lessons that banks can take into account is that the SingHealth response, in terms of timing and communication to key stakeholders and the public, was well prepared and executed,” Bello added. “Organisations should prioritise initiatives such as Cyber health checks, Cyber Risk Reviews, table-top trainings, and/or simulations that will serve them well from a preparedness standpoint when an attack does indeed occur. Coupling these proactive measures with technology ensures a Cyber Resilience posture that will hold up during an attack.”
Tight tech
With the onslaught of digital breaches across the region, banks have tried to put in place additional layers of protection such as passwords and other static identity checks. However, analysts argue that these are nearly useless and that there is a need to turn to more intelligent forms of security. Banks may benefit more from augmenting device intelligence with location, identity, and threat analytics from billions of online transactions around the world.
“In addition to ‘traditional’ firewalls, ‘air-gapping’, timely patching, multi-factor authentication, leveraging cloud technology when they are able, investment in people and training, the technology we have seen being well utilised by the financial sector is artificial intelligence and data analytics,” Bello said. “Through this heavy investment in AI and analytics, organisations have been better able to monitor, predict, and detect attacks, whether they be large data leakages or intellectual property thefts, inside jobs by trusted employees, distributed denial of service, fraud, bribery and corruption, money laundering, or advanced persistent threats.”
In terms of added layers of defense to prevent unauthorised access, risky external sharing, and costly breaches, banks can use cloud access security brokers (CASBs). Shephard said that CASBs can go a long way in protecting data in the era of the cloud. According to him, leading CASBs are built to defend sensitive information in any app, on any device, anywhere.
“Specific requirements for banking IT infrastructure also apply: self-service networks should be isolated from the bank’s overall network as well as the card issuing environment. They should typically be isolated. All organisations should take a similar approach to security by adopting an onion or layered concept. This approach has to consider risks from two different attack vectors: Online, meaning cyber attacks against operational environments. Offline, meaning attacks against environments,” said Bernd Redecker, director of Corporate Security and Fraud Management, Diebold Nixdorf.
Despite all the recommendations from top tech leaders, banks should realise that there is no single solution to stop hackers and fraudsters. Faulkner said that there is a need for a far-reaching strategy that considers all possible scenarios, one that allows BFSI institutions to make sure that they are secured against data breaches and adopt solutions to properly authenticate identities when dealing with customers and partners online.
Meanwhile, Jeffrey Kok, vice president of solution engineers, Asia Pacific and Japan, CyberArk, noted that banks need to look at the assets they want to protect when determining the right security technology to mitigate against attacks. “Banks have had the criticality of privileged access security highlighted to them, as well as a different way of thinking about attacks,” he said.
“Their most effective way of developing a robust defence strategy is to put themselves in the hackers’ shoes and think about the path they will take to get to what they want. Banks should assume that the attacker is already inside and adopt privileged access security as a key layer of defence to hamstring intruders that have successfully breached the perimeter from being able to move laterally to gain access to sensitive information or critical assets,” Kok added.
Policy gaps
Jaivinder Singh Gill, regional vice president, Banking - Asia Pacific, Diebold Nixdorf, said that whilst banks and government agencies share the same attack target, which is information, banks have a second asset: cash. At present, compliance requirements apply in both sectors, but policies should be specific for the respective environment.
Furthermore, banks are expected to adhere to global standards, such as the card handling level when processing cardholder data. Gill said that all financial institutions that accept, process, store, or transmit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS). In Singapore, the MAS standards, as well as international standards such as EMV compliance, work in tandem to ensure the protection of the end-user.
Shephard noted that Singapore is transitioning to open banking and is utilising cloud technology in the financial services sector. According to him, rather than aiming for the bare minimum level of protection, organisations should seek to exceed regulatory requirements and deploy the latest cybersecurity technologies. This will help defend against phishing, malware, insider threats, and other threats.
At the end of the day, it is important for banks to ensure that the people who interact with the technology and tools are doing it effectively and in the best way they can. Kok said that the most sophisticated processes, technology, and tools are useless if employees are not educated on cybersecurity best practices. For him, people are the most important part of security defense and offensive controls.