Banks, both public sector and private sector, have been on a relentless march ever since fourteen major banks were nationalized in 1969. Banking as we know it, however, has undergone significant changes in the last 50 years. For one, banks expanded vigorously, covering the entire length and breadth of the country. Also, ever since the LPG (Liberalization, Privatization and Globalization) era, computerization of the banking industry and the emergence of what are known as New Generation Private Sector Banks have brought sea changes in the way banking is done. From brick and mortar, banks have moved to click and portal banking. The same shift has brought a rise in cyber crime, and with it the need for cybersecurity.
Today’s banking has more to do with electronic, or alternative delivery channels like ATMs, Mobile, PoS Terminals and Online modes than with any physical human being. As Bill Gates says, “Banking is necessary, but banks are not”.
However, this is not an unmixed blessing for banks and has brought a host of challenges with it. Information Technology security has therefore become a major concern for banks world-wide, and Indian banks too have to grapple with this problem. Gone are the days of banks being looted by robbers with guns; today's robbers attack with more sophisticated weapons, namely a keyboard, a mouse, a software program and a network connection, which can do more damage than guns. Hence, every bank employee needs a practical perspective on cybersecurity.
India recorded 21,796 cyber crimes in 2017, up 77% from 2016. In 2018, the number rose further to 27,250. These official numbers, however, may not give the true picture. There has also been a phenomenal rise in low-value fraud cases as more and more bank customers embrace digital modes of transaction, and many of these customers lack digital literacy.
The problems are further compounded by the fact that apps and SMS notifications may not be available in local languages. In many of these fraud cases, the victim is tricked into revealing the card number, PIN or OTP through a variety of social engineering and fear tactics. Typically, these frauds are perpetrated against the more vulnerable sections of the population, such as pensioners, elderly persons and people who are not very tech-savvy.
Acting on the recommendations of the G. Gopalakrishna Committee, the Reserve Bank of India issued guidelines in April 2011 on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. RBI indicated that the measures suggested for implementation cannot be static and that banks need to pro-actively create, fine-tune and modify their policies, procedures and technologies in response to new developments and emerging concerns.
Since then the rise in cyber crimes has been phenomenal, and RBI felt the need for a robust cybersecurity and resilience framework. It came out with a detailed set of guidelines in June 2016. The measures proposed by RBI included, inter alia, putting in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents and disruptions if and when they occur.
The RBI circular also underlined the need for a board-approved policy to combat cyber threats, and mandated that the cybersecurity policy be distinct from the broader IT policy / IS Security Policy of a bank. The circular said that banks, as owners of customers' data, should take appropriate steps to preserve its Confidentiality, Integrity and Availability, irrespective of whether the data is stored or in transit, and whether it is held within the bank, with customers or with third-party vendors.
All these, however, require that banks move from treating cybersecurity as a cost to treating it as a must. The risks associated with security threats and their potential impact on business should make organizations see the benefits of proactive security. Managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment, and that in turn requires a high level of awareness among STAFF AT ALL LEVELS. This brings us to the question of why it is everybody's job to prevent and manage cyber threats.
Banks collect a great deal of personal and sensitive information from customers, so the confidentiality and integrity of that data is a major concern. Irrespective of cyber investment, preparedness and management, a breach is a near certainty for banks. How quickly a breach is detected and how appropriate the corrective actions are decide the impact of such incidents on a bank.
As cybersecurity threats multiply, it is imperative that all staff members be aware of them and be proactive in preventing security breaches. Lack of awareness of cyber threats and their serious implications among bank staff and customers is a major challenge for banks, as are the renewed skill development of the workforce and the investment in training and manpower development that it requires. In addition to attacks by outsiders, insider threat is also a big challenge for banks: 13% of the frauds reported involved staff.
It is essential to create a culture in which the responsibility for mitigating cyber crime risk is not borne exclusively by IT. Every employee in the organisation plays a role and shares responsibility for safeguarding the firm's assets, including its IT assets. The board and senior management must make cyber crime prevention a serious corporate-wide priority with clear and consistent messaging.
Employees should be encouraged to scrutinize payment requests that appear out of the norm or look suspicious, and should be made to understand the responsibility they carry and the difference they make to a secure environment. They should feel empowered to think about and question information, transactions and requests that appear suspicious, and should never be penalised for attempting to protect the organisation's sensitive assets.
Security awareness should be built into the culture of the bank, starting from the day an employee is recruited. As part of staff training, banks may include simulated cyber-attacks so that staff understand the threats they are likely to face and are better equipped to react to cyber incidents.
No fraud prevention programme will succeed if employees cannot detect fraudulent activity and do not know how to respond appropriately. General cyber crime awareness training should be completed at least annually by all employees. Unless sufficient knowledge is imparted to all staff members through periodic training, both on and off the job, banks will not be able to safeguard the interests of their customers and may be exposed to huge financial and reputational risks.
Targeted awareness training should be provided to all staff so that they understand the practical issues involved. Recent and past cyber-attacks show that cyber criminals are also targeting bank employees. Hence, banks must make cybersecurity awareness programs mandatory for new recruits, with web-based quizzes and training for lower, middle and upper management every year.
Banks should also train their employees in robust anti-fraud measures for detecting anomalous transactions, so that they can alert customers and prevent losses. Staff should be encouraged through competitions, quizzes and incentives to take cybersecurity-related courses. Sponsoring an employee for a reputed cybersecurity certification often builds more capability than in-house training alone.
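To make "detecting anomalous transactions" concrete, here is a small rule-based screen over a batch of transaction records. This is example code written for this page, not code from RBI, the Gopalakrishna Committee or any bank's fraud system. The three rules (amount far above the customer's own median, a burst of transactions in a short window, and a first payment to an unseen beneficiary late at night), the thresholds, the `Txn` record layout and the sample transactions are all assumptions chosen for illustration; the sample batch is constructed to show the pattern described above, a pensioner's small routine spending followed by a night-time run of large UPI transfers to a payee never seen before.

```python
"""Rule-based anomaly screening over a batch of transaction records.

Example code for illustration; rules, thresholds and data are assumed, not
taken from any bank or regulator.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    ts: datetime
    amount: float      # INR
    channel: str       # e.g. "ATM", "POS", "UPI", "NETBANKING" (assumed labels)
    beneficiary: str   # merchant / payee identifier


# Tunable thresholds (assumed values for illustration)
AMOUNT_MULTIPLIER = 5.0                # flag if amount > 5x the customer's median
MIN_HISTORY = 5                        # ratio test needs this much history
BURST_COUNT = 3                        # >= this many transactions ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window
LATE_NIGHT_HOURS = range(0, 5)         # 00:00-04:59 local time

Check = Callable[[Txn, List[Txn]], Optional[str]]


def check_amount(txn: Txn, history: List[Txn]) -> Optional[str]:
    """Compare the amount with this customer's own median, not a global one."""
    amounts = [h.amount for h in history]
    if len(amounts) < MIN_HISTORY:
        return None
    base = median(amounts)
    if base > 0 and txn.amount > AMOUNT_MULTIPLIER * base:
        return f"amount {txn.amount:.0f} is {txn.amount / base:.1f}x customer median {base:.0f}"
    return None


def check_burst(txn: Txn, history: List[Txn]) -> Optional[str]:
    """Several transactions in quick succession (velocity)."""
    recent = [h for h in history if txn.ts - h.ts <= BURST_WINDOW]
    if len(recent) + 1 >= BURST_COUNT:
        return f"{len(recent) + 1} transactions within {BURST_WINDOW}"
    return None


def check_new_payee_late_night(txn: Txn, history: List[Txn]) -> Optional[str]:
    """First-ever payment to a beneficiary, made during late-night hours."""
    seen = {h.beneficiary for h in history}
    if txn.beneficiary not in seen and txn.ts.hour in LATE_NIGHT_HOURS:
        return "first payment to this beneficiary, made late at night"
    return None


CHECKS: List[Check] = [check_amount, check_burst, check_new_payee_late_night]


def screen(txns: List[Txn]) -> Dict[str, List[str]]:
    """Replay transactions in time order; each one is judged only against the
    customer's earlier transactions, so the output is the same as a live feed
    would have produced.  Returns {txn_id: [reasons]} for flagged transactions."""
    by_customer: Dict[str, List[Txn]] = {}
    alerts: Dict[str, List[str]] = {}
    for txn in sorted(txns, key=lambda t: t.ts):
        history = by_customer.setdefault(txn.customer_id, [])
        reasons = [r for r in (chk(txn, history) for chk in CHECKS) if r]
        if reasons:
            alerts[txn.txn_id] = reasons
        history.append(txn)
    return alerts


def _t(day: int, hour: int, minute: int) -> datetime:
    return datetime(2019, 3, day, hour, minute)


# Constructed sample batch (not real data): C001 is a pensioner with small
# routine spending, then a night-time run of large transfers to a new payee.
SAMPLE: List[Txn] = [
    Txn("T01", "C001", _t(1, 10, 5), 2500, "ATM", "ATM-0421"),
    Txn("T02", "C001", _t(3, 11, 30), 3200, "POS", "MED-STORE-17"),
    Txn("T03", "C001", _t(6, 9, 15), 1800, "ATM", "ATM-0421"),
    Txn("T04", "C001", _t(10, 12, 0), 4000, "POS", "GROCERY-88"),
    Txn("T05", "C001", _t(14, 10, 45), 2000, "ATM", "ATM-0421"),
    Txn("T06", "C001", _t(18, 16, 20), 3500, "POS", "MED-STORE-17"),
    Txn("T07", "C001", _t(21, 1, 12), 24000, "UPI", "upi:quick-cash@example"),
    Txn("T08", "C001", _t(21, 1, 14), 24000, "UPI", "upi:quick-cash@example"),
    Txn("T09", "C001", _t(21, 1, 17), 24000, "UPI", "upi:quick-cash@example"),
    # C002: routine activity that should not be flagged
    Txn("T10", "C002", _t(21, 13, 0), 15000, "NETBANKING", "INSURANCE-PREMIUM"),
    Txn("T11", "C002", _t(22, 13, 5), 900, "UPI", "upi:cafe@example"),
]


if __name__ == "__main__":
    for txn_id, reasons in screen(SAMPLE).items():
        print(txn_id, "->", "; ".join(reasons))
```

Running it flags T07 (amount and late-night new payee), T08 (amount) and T09 (amount and burst), while C002's routine activity passes. The point for a staff member is that the alerts are leads, not verdicts: each one is a reason to call the customer before the funds leave, and the per-customer baseline is what lets a 24,000 rupee transfer stand out for a pensioner while the same amount is unremarkable for another account. Thresholds of this kind need tuning per customer segment and channel, or they will either drown staff in false alerts or miss the low-value frauds mentioned earlier.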
In addition to training employees, banks should encourage them to educate customers, particularly the not-so-tech-savvy ones. This requires a change in the mind-set of employees, who tend to view customer security as "their problem" rather than "our problem".
Changed circumstances require changed responses. As banks adopt more and more technology, there is an imperative need to train all staff on its possible use, misuse and abuse, so that they are more agile in dealing with cyber crimes. Combating cyber crime needs a collective response from all staff members, not merely from IT staff.