Seeing off the cybercriminals
The sudden shift to digital banking channels as a result of coronavirus lockdowns creates significant cybersecurity challenges for the banking industry. Those institutions furthest progressed towards safe digitalization will stand out as part of the solution to today’s challenges, and will become crucial actors in the post-Covid-19 world.
These are unprecedented times. Clearly the critical response required from the banking system is to support businesses with loans and grants, and to support individuals and families with flexibility around their finances. However, the current situation is also creating additional threats to clients, employees and the financial system itself – digital threats, resulting from a dramatic acceleration of pre-existing trends in digitalization. And banks must respond to these just as effectively.
Protect the client
Forced to stay at home, clients have little choice but to interact with their bank through digital channels. Many of these clients are unused to the idea of cyberthreats, and protecting them from scammers is a huge challenge. The use of coronavirus as a topic in malicious emails designed to infect user devices has surged since the global pandemic was declared. On April 16, Google announced that the previous week saw 18 million daily malware and phishing emails related to Covid-19. This is in addition to more than 240 million daily Covid-19-related spam messages.
For CaixaBank, Spain’s leading retail bank, cybersecurity is a strategic priority, and information protection for its nearly 16 million clients is essential. For this reason, the bank has a team of cybersecurity professionals working 24/7 to monitor all types of cyber threats in order to prevent them, or detect them as soon as possible, manage a response quickly and minimize their business impact.
The bank’s aim is to protect the client’s data, operations and financial transactions to ensure that they take place in the most secure environment possible, thus preventing external threats that can jeopardize their confidentiality and privacy. For example, the CaixaBankProtect guarantee protects clients from the unauthorized use of their bank’s digital channels and payment methods.
Protect the employee
Remote and mobile working was already part of most banks’ strategies. However, the enforced shift of much of banks’ workforces to their homes has put most employees outside the normal cybersecurity perimeter. The attack surface has become much larger, as has the number of potential vulnerabilities.
Cybercriminals are exploiting these issues – and the understandable anxiety over Covid-19 – to try to break into banks’ networks. Scammers are posing as helpdesks; they are embedding malware attachments in pandemic-related documents that seem to come from government, health or aid organizations; and they are sending emails that imitate those sent by senior management.
These cybersecurity threats make employees an even more critical ‘human firewall’, precisely at a time when they are working in unfamiliar ways and surroundings and are separated from the co-workers whose advice they could seek about suspicious calls and emails. Moreover, chief information security officers and their teams have often been scattered geographically, and with their need for unfettered access to the most sensitive systems and information, banks’ remote security teams risk becoming the weakest link.
CaixaBank is a pioneer in security coordination and research. In this respect, the bank has rolled out a cybersecurity ecosystem with specialist teams and infrastructure to provide protection against security incidents. Its employees are equipped with a workplace solution that enables them to work remotely and securely, with collaboration solutions, VPN connections and telemetry. Furthermore, the bank supplements its technology with action to raise awareness and promote a culture of security among employees. Launched in 2015, the InfoProtect programme provides continual training on cybersecurity to employees and clients. In 2019 alone, the bank invested more than €50 million in information security and 98% of employees participated in a course on cybersecurity.
Protect the bank
This sudden shift online and onto mobile is, above all, a test of the scalability and resilience of banks’ infrastructure (itself a key element of each country’s critical national infrastructure). The accelerated trend towards online means banks are more reliant on these channels than they may have anticipated at this point. So, banks need to check daily if their websites are securely scalable to meet additional client demand and they need to ensure that their digital services would remain operational even under attacks designed to disrupt the service, such as DDoS or ransomware.
CaixaBank has drawn up an information security master plan, to keep evolving its capabilities and benchmark against top performers, and it reports frequently on its progress to the top management of the bank and to the relevant supervisory authorities.
Protect the financial system
More than ever, collaboration and sharing of best practice in the industry are paramount. CaixaBank’s IT security working group spearheads a number of alliances with other expert cybersecurity organizations at a national and international level.
The bank is a member of key international forums, such as the Forum of Incident Response and Security Teams (FIRST), the Messaging Anti-Abuse Working Group and the Anti-Phishing Working Group of the United States. It also represents Europe in the global awareness campaign StopThinkConnect.org. Within the EU, CaixaBank is collaborating actively in different Horizon 2020 innovation projects, including Project Concordia, and it leads an effort to establish standards for Cloud security in Europe – vital as banking (and banking clients) increasingly rely upon cloud providers who are becoming systemically important.
Securing the new normal
Regardless of how the coronavirus crisis is finally resolved, it is unlikely that banking clients and employees will revert exactly to their previous roles and channels. Institutions have seen the benefits and cost savings of increased homeworking; clients have seen the flexibility and functionality of their web and mobile apps. There will be a new normal, and a more digital banking ecosystem is here to stay.
Only banks with established digital strategies will be able to address successfully the challenges that this accelerated digital transformation throws up, providing the security needed in times of uncertainty. Safe, trusted, cyber-secure banks will be a key part of the global fight to curb the effects of the coronavirus and crucial actors in the post-Covid-19 era.
• Retain and attract best cyber talent for the organization.
• Enable the business through transparent and adaptive security.
• Implement redundant and layered controls to protect digital assets.
• Provide simple and clear KPIs to measure security performance.
• Proactive security risk management and business continuity.
• Continuous crisis simulation and penetration testing.
• Be prepared for future IT waves and foresee their security impact.