Now, with just a few clicks, we have the ability to transmit thousands of dollars to a foreign country or perform an online transaction and other banking activities.
This is the new normal – where relationships with consumers are increasingly in digital form.
In order to constantly deliver new features to not only capture new customers but to retain existing customers, financial organisations are in a race to roll out applications at the speed of business.
This pressure to differentiate services with new application functionality has brought into question the overall security postures of organisations.
Australians and mobile banking
According to a survey conducted by Bain and Company, mobile banking in Australia is now more common than online banking.
This survey shows that 38 per cent of Australian customers’ interactions with their bank occurred via a smart device.
As we continue to plug into the digital realm, this trend is a cause for worry as there are huge risks lurking in the corner.
For as long as digital technology has existed, there have been people who sought to exploit it for criminal gains.
What once started as opportunistic email scams has evolved into highly complex, targeted operations that generate billions of illicit dollars every year.
The result is a sharp rise in threats such as cyber-espionage, web fraud, distributed denial of service (DDOS) attacks, and point-of-sale (POS) intrusions that threaten to destabilise organisations across Asia Pacific and beyond.
In fact, according to the Australian Cybercrime Online Reporting Network (ACORN), more than $234 million of financial loss was reported in the first quarter of 2015.
Forty-one per cent of loss resulted from online scams or fraud.
The figures demonstrate how cyber crime has grown in sophistication and gumption.
From ransomware, to malware exploiting weaknesses in systems, applications and browsers, techniques are varied and constantly challenging the status quo.
Digital paradox
The reality of the new normal is that economic crime has, to a certain extent, gone digital and possesses the ability to compromise a financial organisation’s digital landscape in a plethora of ways.
In the first three months of this year alone, new variants of financial trojans Tinbapore and new Gootkit campaigns were found to target banks and financial organisations across New Zealand, Singapore and Indonesia, just to name a few.
These developments point to the rapid evolution they undergo.
For example, Gootkit performs preparation by using video recording functionality before launching actual attacks on financial institutions’ websites.
This means that fraudsters now have the ability to study the internal processes of financial transactions within a bank and look for gaps in approval processes without having to be in the bank.
This is an example of the creativity that the cyber criminals of today possess and the effort they are willing to put into refining the process by which they approach their victims.
Herein lies the paradox: A bank’s hybrid, multi-channel approach to acquire more customers and increase value to market has provided criminals with newer vantage points that could be vulnerable and limit a bank’s potential.
Technology is becoming the new leveler, and the digital paradox is becoming the new business conundrum.
Hybrid approach to security
As financial institutions deploy more enterprise-grade applications and services across data centre and cloud environments, the need for a balanced and holistic security strategy has never been greater.
Financial institutions that depend on their digital presence for competitive edge need a holistic security strategy.
One that not only protects the organisation, its employees, customers and end-users against attack vectors, but is also able to react quickly to attacks in order to minimise damage.
One common misconception held by many is that a firewall is sufficient to guard an enterprise’s networks. However, that no longer holds true.
Organisations need to make concerted efforts to actively invest in security at the application level instead of just grandstanding at the network level.
For example, web application attacks are often tuned and created for a particular application, and are missed by traditional security measures.
The truth is that organisations must look at other technologies, such as web application firewalls, to protect their networks.
Careful planning and prompt action can make the difference in ensuring technology is on your side instead of sleeping with the enemy.
Accordingly, financial institutions need to strike an equal balance between protective postures – between pure defence and mitigate-and-react approaches. If the balance is tilted in one direction, the security strategy will not be as effective.
While we live in an always-on digital economy, it is prudent to remember that the gates are always open.
What will define a bank’s legacy in the years to come will no longer be the ability to deliver new services, but to deliver them safely and securely.
To achieve this success, we need to re-look at our security investments. Do we have a real-time threat intelligence system in place to detect everything from malware to phishing attacks?
Do we have complete visibility across platforms and at the application level? Are our security protocols cross-device and cross-channel?
That’s the hybrid approach to securing one’s business and reducing risks.
It’s time to discard archaic principles of protection and safeguard the gateway to applications and services because it is always open in the digital world.
Benn Alp is a security solution architect at software provider F5 Networks.
