As cyberattacks continue to become both more sophisticated and more widespread, the need for effective cybersecurity in banking has never been more pressing.
A 2020 report by McAfee, ‘The Hidden Costs of Cybercrime’, estimated the cost of global cybercrime to be over $1 trillion, up from $600 billion in 2018. Meanwhile, almost half the respondents to PwC’s 2020 Global Economic Crime and Fraud Survey had reported a fraud in the past 24 months, with companies experiencing an average of six fraud incidents in that timeframe.
Of course, the risk of fraud is nothing new – companies have long had to manage the risk of losing money as a result of criminal activity. The risk of theft associated with physical cash is as old as money itself, while check fraud likewise is a well-established threat. But alongside these longstanding risks, companies are increasingly at risk of newer threats in the form of cyberattacks and other fraudulent schemes that target electronic payment methods.
So how can corporations protect themselves from the risk of fraud, while benefiting from the latest in bank network security? Why is IT security in banking an increasingly urgent topic? And what are the biggest challenges when it comes to cybersecurity in banking?
Security in banking
The arrival of banking technology has provided more secure methods for companies to move money, as well as enabling people to carry out online banking activities faster and more easily than in the past. But banking technology also brings some additional risks – and as a result, data security in banking has never been more critical.
As the number of people carrying out transactions online has continued to grow, hackers have stepped up their efforts to steal banking information, credit card details and other sensitive information. As such, it’s important to stay abreast of the latest threats, and ensure that robust measures are in place to address them.
Companies today have to mitigate the risk of increasingly complex fraud schemes, which may include:
- Phishing – fraudsters use email communications to attempt to obtain personal information or trick the recipient into making a payment.
- Spoofing – communications from a fraudster are disguised so they appear to come from a trusted source.
- Account takeover (ATO) – the fraudster gains access to a corporate email account, for example by using stolen credentials, and uses the account to commit fraud or obtain personally identifiable information.
- Business email compromise (BEC) – in a BEC scam, the fraudster typically purports to be a senior executive within the company and asks an employee to make a payment – often with an element of urgency and/or secrecy.
- Ransomware – criminals use malware to encrypt a company’s files, and then demand a ransom before restoring access. This is often accompanied with the threat that sensitive data will be published if the ransom is not paid.
Cyberattacks can hurt both the bank and the corporation: as well as the financial loss, which can be considerable, a successful fraud attack can also result in reputational damage to everyone concerned. As such, it’s clear that information security in financial services needs to be a top priority.
Corporate fraud instances – how do they happen?
Before you can protect your organization from the risk of fraud, it’s important to understand the different types of threat that organizations face.
Fraud and cyberattacks can take a number of different forms:
- Internal fraud. Companies can fall victim to a range of internal fraud schemes, including embezzlement, theft, misuse of company credit cards, payroll fraud and procurement fraud. For example, employees could tamper with suppliers’ bank account details when making payments, or could set up payments to non-existent suppliers.
- External fraud. External threats include phishing and social engineering attacks and the theft of cash or data via security breaches from external parties. Companies may also fall victim to fraud schemes related to the company’s vendors – for example, vendors might invoice the company for goods that have not been provided, or criminals may impersonate an external supplier to the company in order to extract funds.
- Internal and external fraud. In some cases, fraud may involve a collaboration between internal and external parties – for example, through kickbacks for the selection of suppliers.
While the theft of physical cash tends to be easy to spot, it can be more difficult to identify when a fraudulent transaction has taken place. In practice, it can take weeks or months for companies to notice that a cyberattack has taken place – which makes it even more important to prevent fraudulent attacks in the first place.
File-based communication: what are the risks?
For a corporate treasury department, some of the most significant fraud risks can arise from the practice of using file-based communication methods to move cash – for example, when using a host-to-host connection.
When file-based communication is used, the company first generates payment files that are saved in a folder until they are picked up by the bank. While the files sit in that folder, the security of the payment data is reduced and there is a heightened risk that someone could tamper with them. Fraud risk can also arise if the treasury department lacks suitable controls dictating who within the company is authorized to approve payments.
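As an added illustration of the tamper risk described above (example code, not from the original article), the following Python binds a staged payment file to an authorized approver with a keyed hash, so that a file altered in the pickup folder, or released by someone outside the approver list, is rejected before it goes to the bank. The approver list, key and JSON payment format are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example: in practice approver keys live in an HSM or secrets vault.
APPROVER_KEYS = {
    "treasury-approver-1": b"constructed-demo-key-do-not-use",
}


def sign_payment_file(payment_bytes: bytes, approver_id: str) -> dict:
    """Produce a detached manifest binding the file contents to an authorized approver."""
    key = APPROVER_KEYS[approver_id]  # KeyError: this person may not release payments
    digest = hashlib.sha256(payment_bytes).hexdigest()
    msg = f"{approver_id}:{digest}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"approver": approver_id, "sha256": digest, "hmac": tag}


def verify_before_pickup(payment_bytes: bytes, manifest: dict) -> bool:
    """Run when the file leaves the staging folder: reject if contents or approver changed."""
    key = APPROVER_KEYS.get(manifest.get("approver"))
    if key is None:
        return False  # unknown or unauthorized approver
    digest = hashlib.sha256(payment_bytes).hexdigest()
    msg = f"{manifest['approver']}:{digest}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("hmac", ""))


# Constructed sample payment file (a minimal JSON batch, not a real bank format)
ORIGINAL = json.dumps(
    {"beneficiary": "Acme Supplies", "iban": "DE00CONSTRUCTED0000", "amount": "12500.00"}
).encode()
MANIFEST = sign_payment_file(ORIGINAL, "treasury-approver-1")


def demo() -> dict:
    # Simulate the two failure modes the text describes: an altered file, and a release
    # by someone who is not on the approver list.
    altered = ORIGINAL.replace(b"DE00CONSTRUCTED0000", b"DE99ALTERED00000000")
    unauthorized = dict(MANIFEST, approver="contractor-9")  # not in APPROVER_KEYS
    return {
        "original_ok": verify_before_pickup(ORIGINAL, MANIFEST),
        "altered_ok": verify_before_pickup(altered, MANIFEST),
        "unauthorized_ok": verify_before_pickup(ORIGINAL, unauthorized),
    }


if __name__ == "__main__":
    print(demo())
```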
Cybersecurity and banking
Against this backdrop, it’s no surprise that cybersecurity in the banking industry continues to be a major focus. Fortunately, there are a number of ways that companies can protect themselves from the threat of a cyberattack. Broadly, these can be categorized as physical and digital security measures.
Where physical controls are concerned, IT security can be increased through the use of robust network security in banking, as well as through the use of physical tokens issued by the bank. Another important tool is the use of biometric controls, such as fingerprints or facial recognition, alongside other security measures such as passwords.
In addition, companies can use digital methods to mitigate the risk of fraud. These include enhancing computer hardware and software, for example by ensuring robust anti-virus software is in place. Another option is to require the use of digital PIN or verification codes for sensitive operations.
Companies can also address the risks presented by file-based communication by taking advantage of API connectivity. When the company connects using bank APIs, a direct link is created between the company and the bank. Compared to other connectivity options, this reduces the number of parties that come into contact with a payment – thereby removing opportunities for individuals to manipulate files before they are sent to the bank.
Bank APIs can also be used to enforce tighter controls and to track actions and changes carried out by specific individuals – which can be an effective deterrent for would-be fraudsters.
Prevention is better than cure – and when it comes to bank information security, it’s important to ensure that all possible measures have been taken to reduce the risk of fraud.
Education is an important component of this. To minimize the risk of falling victim to a cyberattack, relevant staff – particularly those who make payments or interact with vendors – should be kept aware of the possible threats, with regular updates and training exercises to ensure that skills and awareness are kept up to date. In some cases, companies may run simulated phishing exercises to measure the percentage of employees that click on a suspect email, and identify any individuals who should be referred to specialist training.
But while education is certainly important, technology also has an essential role to play in deterring fraudsters and preventing unscrupulous individuals from accessing sensitive systems. As well as eliminating the risks associated with file-based communication, API-based treasury software can reduce the risk of fraud through the use of best-in-class authentication techniques and robust controls, while providing a full audit trail over users’ activities.