They didn’t know it was impossible, so they did it
Banking has changed in the face of the pandemic and is the more secure for it, according to Katy Leclaire, Chief Risk Officer, Cedric Bauer, Business Continuity Manager and Eric Bendavid, Chief Information Security Officer on Societe Generale's Transaction Banking team.
Any potential cyberattacker who thinks that Covid-19 has created some kind of open season on users of high-end technology systems really ought to think again, and go and lie down in a dark room until the urge to engage maliciously subsides. Client protection is very much at the top of our list of priorities and we work endlessly to ensure their security.
No one could possibly have forecast what the entire world would come to experience in the past few months. But the banking sector has been at the forefront in the struggle to come to terms with the effects of the pandemic – quickly acknowledging the new and multi-faceted challenges facing it and reacting accordingly, adapting as required.
In the words of the Mississippi author Mark Twain, “They didn’t know it was impossible, so they did it.” Or, in the rather more prosaic words deployed within Societe Generale: clients can rest assured that we had control, we have control now and we will continue to have control.
The major challenges of the crisis
We were faced with two main issues when it became clear that government response globally to Covid-19 would require many of our colleagues in cash management and international payments to work from home, with some managers very wary of people working without the customary supervision.
The first was a purely operational challenge. How do we enable people in such a sensitive area of work to do that? The second was an awareness of the possibility of increased levels of cyberattacks. While we were certain that we were not at excessive risk, thanks to existing technology and processes, we needed to ensure that all risk was further mitigated.
We weren’t starting from a zero base, as we were already geared up to enable a large number of staff to work from home one or two days a week. But we had to establish access to the full scope of everyday working functions so that they could carry on working and meeting client needs as if they were in their normal professional office environment. This obviously includes authorizing very large payments, both to clients and by clients.
On the first point, we had already strengthened security measures surrounding the technology needed to connect to the bank’s internal systems – concealing logs, for instance, and not allowing everyone to open certain applications. The advent and rapid spread of Covid-19 forced us to take a new look at the existing processes.
This required us to open a new channel of communication with the financial industry’s regulatory authorities to discuss questions of compliance and operational risk. The regulators agreed that the question of operational risk was one for us to address and resolve ourselves.
We quickly concluded that with appropriate controls and checks in place, there is no more risk arising when our colleagues work from home than when they are working in the office. It was then up to the IT professionals to explain this to the banking business professionals, and for them to decide whether they could feel comfortable with the change. There soon followed the decision to authorize only senior staff with demonstrable in-depth knowledge to access the bank’s systems from home.
On the issue of cyberattacks, we were already accustomed to carrying out internal, large-scale exercises to cope with such attempts – for example, phishing, a well-known scam that uses fake e-mails claiming to be from a well-known company to fraudulently acquire information from the recipient. These exercises, which took the form of fake attacks and drills, were designed to raise staff awareness of the look and feel of cyberattacks and to train them in how to respond appropriately.
The exercises have now stopped, so our staff know that any attacks they might encounter are real and must be treated as such. At the risk of holding ourselves hostages to fortune, and of throwing down a gauntlet to would-be malefactors, our checks and controls have clearly reduced the chances of identity theft and the illicit acquisition of passwords, among other things.
We have embedded the practice of automatically interrogating any single proposed payment action, to establish above all whether the action fits within established user patterns. But there is no room for complacency. Cyberattackers have a tendency to become ever more clever in their methods, and we will never lose sight of their continuing threat.
In this pressured environment, greater emphasis than ever is placed on artificial intelligence and its key role in our industry. Whatever IT systems are in place, however, people and their informed judgment provide the best form of defence.
Where are we now?
In the wake of Covid-19, we have introduced a number of other specific defensive procedures to ensure that it is safe for the bank’s cash management and payments staff to work from home.
We have adapted and improved, and will continue to adapt and improve. Preparedness, training and vigilance remain essential watchwords in delivering the full range of client services.
It is no exaggeration to say that Covid-19 has accelerated a long-established trend in changing attitudes to traditional working practices and taken us to the threshold of a new normal, in which staff can work from home – 100%, permanently and securely – should the need arise. And clients will almost certainly not notice any difference to their everyday interactions with the bank.