HDFC Bank executive vice president and chief information security officer Sameer Ratolikar shared cybersecurity challenges and the strategic and technological initiatives being undertaken by the bank.
Banks are rapidly undertaking digital transformation and building collaborative ecosystems with third parties. Cyber criminals, on the other hand, are becoming increasingly sophisticated and innovative. The data perimeter has thus extended across channels, networks and partners, expanding the attack surface. These attacks result not only in monetary losses but also damage the reputation of banks and the trust of customers. Traditional measures often fail to thwart these attacks, forcing banks to rapidly upgrade their cyber defence.
HDFC Bank is India’s largest private bank by assets and market capitalisation. Sameer Ratolikar, the executive vice president and chief information security officer at HDFC Bank, is an information security expert with over 25 years of experience.
Ratolikar shared the key cyber security concerns the industry faces today and how HDFC Bank is adopting new technologies to counter these cyber threats.
“The biggest concern today is the emergence of sophisticated malware. Hackers write new code such that they can evade the available traditional security controls and exploit the system security vulnerabilities,” pointed out Ratolikar.
“Second, with the emergence of the internet of things, the pool of IP addresses has increased. It gives hackers the capacity to launch the distributed denial of service (DDoS) type of attacks that make the infrastructure unavailable for a longer period of time. They now have capabilities to launch a DDoS data attack worth 1 to 1.5 terabyte which is way bigger than 30-40 Gbps in 2015-2016,” he added.
The financial services industry has been witnessing an increasing number of DDoS attacks recently. For instance, Lloyds Bank was hit by a DDoS attack in 2017. In 2018, several leading European banks like Santander, Royal Bank of Scotland, Tesco Bank and Bank of Spain were also reportedly attacked.
“The third challenge for all of us is to have a verifiable security to manage core cyber-security. However, we don’t have appropriate skills in the industry and face a shortage of excellent security professionals. This is a challenge faced by all,” commented Ratolikar.
With the increase in application programming interface (API) adoption across the digital ecosystem, concerns regarding API security also remain.
“One other concern is the vendor risk and data exchange risks with vendors and third parties. Digital disruption has created a lot of security concerns in terms of open banking or APIs. We have to ensure that we have complete visibility of who is accessing our infrastructure, at what time and for how long,” he added.
He explained that banks need the right people to develop the APIs, the right processes and a governance policy framework around API management. They need to keep the security of the complete API or open banking setup in mind.
“One other important concern is also about the data residing with third parties. So your data may be well protected within your own data centre, but that may not be true when this data lies with the vendor,” he pointed out.
Increasing end point vulnerability
There have been several alarming incidents of data breaches recently. Yahoo reported the theft of records of three billion customers, while the personal information of 143 million Equifax customers was compromised. Facebook, on the other hand, reported that 50 million accounts were exposed by a security breach. These data breaches have a ripple effect, as access to customer information provides new opportunities for financial fraud, especially through credential stuffing using bots.
Akamai Technologies, in its “State of internet/Security Report 2019”, mentioned that it detected nearly 28 billion credential stuffing attempts between May and December 2018.
“It is a concern that the customers use the same passwords across social media, email addresses and for inter-banking critical transactions. As a result, if a fraudster gets access to email logins, he could use it to also do unauthorised banking transactions. It is very important that the passwords for critical business and financial transactions are absolutely different. But many people don’t do that,” explained Ratolikar.
“End point vulnerability is growing rapidly and is exploited by hackers. Data centre hacking is difficult because of their layered security built in the organisations, but the weakest link in this ecosystem is the user. A sophisticated malware could get injected into the system through an email attachment if the user is not careful,” he added.
This puts banks in a difficult situation, as all they can do is constantly inform and educate end point users about these risks.
Emerging technologies and new security measures
Relying on traditional security measures is likely to fail as threats rapidly evolve. Banks require multilayered security and fraud prevention measures across their own systems as well as third-party and vendor systems. In addition, there is a need for constant monitoring and analysis of traffic in real time, with instant incident response. Many leading banks, including HDFC, have invested in 24x7 operational centres for this.
The use of emerging technologies like artificial intelligence and machine learning is now helping banks improve their real-time threat intelligence to counter sophisticated threats.
Talking about adoption of new technologies for cyber security at HDFC Bank, Ratolikar said, “We are still in the discovery phase for Blockchain, but artificial intelligence (AI) and machine learning are definitely initiatives that we are embarking on. We have some proof of concept carried out with leading vendors in AI and it has shown huge potential to detect frauds easily, including complex frauds that cannot be detected by traditional security and event monitoring tools.”
“The second initiative is around the data protection. We don’t only look at data exchange security for prevention, but we look at it as the data lifecycle security. This includes data security in storage, transit, archival and also security reviews. So we need to address all these elements and also protect against the third-party or vendor risk, tighten the contractual agreements and develop solutions whereby the vendor will be able to connect with us but the data will not reside at their end,” he pointed out.
Data is one of the most valuable resources that banks have today. The ability to generate effective, timely and right insights from data can differentiate the winners from the losers. Building the right data intelligence, however, needs to be accompanied by the right data governance framework.
Banks are also increasingly exploring greater use of cloud-based systems to improve their operational efficiencies. However, many banks in Asia are still cautious in their approach, owing to concerns about data security in the cloud.
“I don’t think that a lot of banks are moving critical data to cloud; they are moving only non-critical data like email systems to cloud. I am not keen to pour our customer-centric data to cloud. In my view, cloud space is developing reasonably well and has managed to gain customer confidence but we are still in the discovery phase. We will take the approach based on cost justification and if there is a really strong business case,” shared Ratolikar.
Minimising human error is essential to preventing cyberattacks. Ratolikar explained that the bank has also taken up customer and employee awareness with innovative messages and is testing the effectiveness of its training programs.
The right cyber security defence will thus require a combination of people, process and technology. As cyber security threats become more innovative, it becomes increasingly challenging for information security experts in banks to ensure adequate safety. Preventive measures are often only as good as yesterday. Banks need to be constantly on their toes and continually evolve their preventive measures to meet newly emerging threats.