
Layered Security in Banks: The Physical and Digital Parallels

Alex Tay, Director, Identity and Data Protection, ASEAN region, Gemalto | July 1, 2016
To understand what kind of cyber-attacks banks are susceptible to, it’s necessary to look at the various parallels between the security approaches required in the physical bank, and those that need to be employed in the realm of digital banking.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

When we talk about IT security, we often use analogies from the physical world. At times, we resort to using language that takes on a medieval flair, employing concepts like castle walls, armour, shields, and so on. While these descriptions may not always be perfect, it's only natural to want to find physical realities to help illustrate or amplify the key points when discussing the very real, but also more ethereal, concepts at play in today's digital world.

The reality of cyber espionage is daunting, especially when the criminals of the 21st century have easy access to IT knowledge via the internet. In such a climate, it comes as no surprise that IT spending in the banking and securities industry in the mature APAC region has been predicted to reach $22 billion in 2016, according to Gartner, to keep both physical burglars and cybercriminals at bay.

The Evolution of Layered Security

Layered security isn't a new approach. In fact, it's exactly what banks have been doing for decades.

As long as there have been banks, there have been bank robbers. Each new theft (or, ideally, each attempted theft) gave the bank's security staff insights for establishing new or enhanced defences. At the same time, when an initial attack was thwarted, would-be criminals kept trying and learning as well.

Consequently, over time, banks built up layered defences, so when one defence was bypassed, another would remain in effect to safeguard assets. If criminals could devise a way to bypass an alarm triggered at windows, it was time to install motion detectors inside the building.

In the digital world, the same type of progression has been occurring. Cyber attackers have continued to evolve their approaches. This is especially true of the well-financed, well-organised criminal organisations and nation-states that are perpetrating cyber-attacks against banks today.

Criminals went after sensitive transmissions, employing tactics like man-in-the-middle attacks, in which the attacker sits between two communicating parties and makes each believe it is talking to a legitimate partner. Naturally, banks had to respond with encryption to establish secure channels. When attackers went after user credentials to gain access to sensitive accounts, banks needed to establish multi-factor authentication. Once it was clear corporate databases were being hacked, banks began encrypting the sensitive records in those databases.
