Cybersecurity legislation must be accompanied by education
Data security has to be a top priority for digital banking and financial service providers
For anyone working in the financial services space, cybersecurity is a key concern. High-profile attacks are only becoming more frequent, with big companies like TalkTalk, Ashley Madison and Sony suffering major breaches.
The increasing frequency and profile of these attacks have caused not only technology companies and security experts to pay attention, but influential figures in Parliament as well. At an event in January at the Royal United Services Institute (RUSI), the former defence secretary, the Rt Hon Dr Liam Fox MP, called for legislation to make it a legal requirement for companies to confess when they’ve been subjected to a cyber-attack.
Protecting online banking customers
However, while further regulation isn’t necessarily what financial services firms need in these cases, it is clear that they have a duty to do all they can to protect their customers online. That also means they must be held accountable when customers’ details may be compromised because of a security breach. However, our opinion diverges from Dr Fox’s in that we believe banks should be made to report such attacks and breaches to regulators rather than doing so in the public domain.
What’s encouraging is that cybersecurity isn’t a field that’s purely full of doom-and-gloom stories. HSBC’s recent experience is actually a very good example of a bank successfully fighting off a targeted distributed denial of service (DDoS) attack. Unfortunately, it suffered downtime of its digital services as a result, but a dedicated resistance in fact enabled it to keep customers safe.
Preventing data breaches
Other banks need to look to HSBC’s example and raise their game. Data security is arguably more important for financial services than for any other industry, and providers need to be able to address threats in real time. Currently, the FS industry has invested heavily in securing the ‘perimeter fence’, while very little attention is paid to securing the business applications themselves. It should be obvious by now that relying on perimeter security to prevent data breaches is a seriously flawed strategy.
However, if any legislation were to be created, it must also be accompanied by adequate support to help companies defend themselves against cybersecurity threats. Firms, especially small ones, would benefit from more advisory help. As Dr Fox referenced in his speech, vulnerabilities often occur due to a lack of understanding. Businesses need more education to better understand the threats of cybercrime and how to negate them.
What organisations need to do now is look past the point of entry for hacking threats, as criminals will always find a way in. Just as building security systems include alarms and sensors both at the point of entry and within the building, banks also need to focus on cybersecurity within the banking application itself.