Ensuring banks are secure in the digital age
The majority of personal data is now stored digitally. Although convenient, this leaves banks and financial institutions with the important task of ensuring that data is protected from breaches. How they manage cybersecurity issues is constantly scrutinised, but what can be done to minimise the risks?
Naomi Tudor, our head of corporate banking, explains the threats and processes that banks must be aware of:
• Funds being transferred directly out of individual accounts
• Customer information being sold on to other criminals
• Customer information being used to hold institutions hostage
All of these threats lead to business disruption in various ways, with banks having to put time and resources into resolving the breaches.
Criminals typically reach customer data and funds by one of two methods:
• Direct attacks on computer systems and IT infrastructure
• Approaching customers while pretending to be their bank in order to obtain personal data
The latter method catches out many people every year. Once money has been sent to the criminal and the funds have cleared, it is usually too late to recover them.
There are several measures banks can take to minimise these risks:
• Investing in IT infrastructure – Even before the introduction of the new GDPR regulations, businesses were encouraged to improve their data protection policies. In-house systems need to be secure to lessen the risk of direct attacks succeeding.
• Ensuring third-party suppliers have secure IT infrastructure – Criminals can use weaknesses in third-party systems to gain access to the bank itself. Before entering into a commercial arrangement, suppliers must be vetted for suitability and checked for compliance.
• Educating the public – Awareness of the details that should never be given out, such as account numbers or PINs, is vital to tackling customer scams. The methods fraudsters use are constantly evolving, but a public that has this knowledge will hinder their attempts.
• Training internal staff – Data protection and information security courses are an effective way to ensure staff know the risks, warning signs and processes surrounding cyberattacks. This way, they can be more proactive in the fight against cyber criminals.
No matter the level of precautions put in place, banks can still fall victim to cyberattacks. There are processes that should be followed if this occurs:
• Alerting customers – Customers should be informed of breaches as soon as possible if their personal data has been compromised, whether the breach is large-scale or not. However, it must be done in a way that does not trigger mass panic. Many institutions have processes in place to ensure this happens.
• Alerting the ICO – Certain incidents, such as personal data breaches, must be reported to the ICO. Incidents should be logged promptly, and no later than 72 hours after the breach. Failing to comply with the new GDPR reporting requirements can see businesses facing fines of up to €10 million, or 2% of annual global turnover, whichever is higher.
• Early action – Junior staff are often the first port of call for customers who have been tricked by fraudsters. Training is vital for situations such as these, as it allows the next steps to be taken correctly and quickly, increasing the chance that stolen funds can be returned.
A cyberattack alone can damage the reputation of a bank, but how the breach is managed can make or break it. Reputation and trust are what banks rely on to gain and keep customers, so the correct response is important for the continued success of the institution.