Security in the balance

Financial organisations are tightening all aspects of information security after a spate of security attacks which have dented customer confidence

By Peter Branton. Published June 25, 2006

Image caption: Banks face negative customer perception of the banking operations, reveals Maria Medvedeva.

Until recently, banks have considered information security as a cost of doing business. Nowadays, new market trends are driving the financial sector’s IT security investments. For one, the constant barrage of security attacks banks have suffered has resulted in declining customer confidence. That imposes a huge challenge on financial organisations that are looking to add more customers, especially in the area of online banking where most Middle East banks have increased their focus.

As the consumers’ level of awareness of data security and data confidentiality increases, banks are starting to look at security from the perspective of their clients. For instance, in the US, several major banks, such as Citigroup, have launched advertising campaigns heralding their recent investments in security and presenting these banks as not only the better choice, but also the safer choice.

“There is a growing concern about the damage to brand reputation and brand equity when a phishing attack is successful and gets media attention,” says Justin Doo, managing director of Trend Micro Middle East and North Africa.

“One of the biggest risks banks face here is negative customer perception of the banking operations,” agrees Maria Medvedeva, regional director for security management business unit, CA EMEA Eastern markets. “In Dubai, we have read about different banks that have been subjected to fraud, such as phishing e-mails or physical damage to their ATMs. All these bring negative perception,” she says.

“People see it as lack of security control and this causes absolutely negative perception and customer dissatisfaction. For a customer, a security fraud means that the bank has failed to implement systems or some type of security control to protect its customers. It means that customer data could be jeopardised,” she adds.

Such concerns have led to the slow uptake of online banking, according to Doo. “Most banks are spending more money gearing up for growth in online banking than they are spending gearing up for growth in physical location expansion,” he says.

“The economies of scale are very simple. Research has shown that the cost of a transaction where somebody visits a branch and does an over-the-counter transaction is nearly ten times the cost of the same transaction that is carried out online,” Doo continues. “However, there is a global slowdown, at the moment, when it comes to internet banking uptake. That is surrounded by a lot of negative media attention regarding access security, in terms of being able to make sure that the access is not compromised and your account is not being accessed by someone other than yourself,” he adds.

To encourage people to adopt online banking, Ayman Majzoub, general manager of Pointsec Mobile Technologies Middle East and Africa, insists banks should put more emphasis on better security tools. “There is an inherent lack of security that the internet brings. There are no regulations about how we use it. Therefore, it is important that banks invest in security technologies, such as third-party authentication, intrusion detection and intrusion prevention systems, and firewalls,” Majzoub suggests.

“If you are talking about internet banking, then banks should be looking at data integrity. They should be looking at tokens, third-party authentication and how they can monitor the data that is coming in from the outside user. They need some form of network scanning applications that can ensure that the data that is coming in from the outside is clean and not compromised,” Doo adds.

While Medvedeva believes that e-banking in the region, in general, is well developed, she advises banks to be more proactive about their approach to security. “You have to look at it in a holistic perspective and think of the big picture. That is what the banks in the region are missing. We tend to go and do small things. For instance, we go and secure one server or secure one desktop. These are small things,” she says.

And while desktop security technologies are important, she thinks that it is time for banks to move to the next level. “You can look at threat management, anti-virus, or anti-spyware. These are good technologies. But it is my assumption that all the banks already have this in place. If you look at the security maturity levels, most of the banks should have moved at least to stage two. Stage two says that you have a reactive environment. That means that you have basic controls in place. Now, it is moving beyond basic control, from reactive to being proactive and business driven,” Medvedeva explains.

To move up to the next level, Medvedeva says banks should start looking at more mature security technologies, such as access control and segregation of duties, including single sign-on and strong directories. “Banks in the US are already on stage three and four because they are trying already to improve on alignment of business by introducing more and more reporting mechanisms. In the Middle East, it’s number two. We are at the reactive phase right now,” she notes.

Majzoub believes that the lack of regulatory policies is the main reason why banks in the Middle East are not actively doing more to improve security. “There is no reason for them to change,” Majzoub says. “If you look at the US and Europe, the biggest driver behind organisations being forced into adopting a more secure approach into banking is legislation. When a government can tell a bank that it needs to address the security flaws within its operations or risk getting penalised if it does not do so, banks will be pressured to do so.”

“Unfortunately, we don’t have that here. We haven’t seen any governments or any monetary authority telling banks to take care of this particular topic. I think the only reason this might change is because of the international security acts, such as Basel II, which will come to play in this region,” he predicts. “By default, local banks do business with international financial organisations. Only then will they start to comply because their partners in the US or Europe will force them to comply,” Majzoub concludes.

“In many financial organisations IT and business alignment is almost non-existent. The Basel II Accord adds significant tangible value by improving this alignment. This technology alignment has a positive impact not only from compliance standpoint, but also from organisational bottom line,” Medvedeva adds. “It lets you control the controllable,” she concludes.

