81 million dollars: that was the sum hackers stole from the central bank of Bangladesh in April this year by breaching the international payment system SWIFT. Three other SWIFT hacks at other banks followed quickly. SWIFT reacted by announcing security improvements, including two-factor authorization, after initially remarking that the reasons for the successful attacks lay with the robbed banks and their compromised systems.
Whoever made the mistakes here, perhaps all parties involved, the growing number of cyberattacks against banks is not really surprising, since hackers go where the money is. And even if the Bangladesh case may be the biggest heist so far, it is just one in a long chain of attempted and successful online bank robberies. Cybercrime has become the biggest risk for financial institutions today. The reason, besides the money, often lies in the heterogeneous legacy systems of many institutions, which simply were not built for the cyber world. They open huge doors for attackers. What does that mean for financial institutions? First, they urgently need to consider a major paradigm shift in IT and information security.
For years the last bastion against digitalization, many banks successfully withstood the cloud and all later developments like IoT without their business models having to suffer. They maintained their own infrastructures in secluded data center silos and kept running their own monolithic systems for core banking applications. Customers, both B2B and B2C, accepted this. It seemed safe and normal. (Regulatory requirements also had a lot to do with it, of course.)
This initial situation has, however, changed dramatically: more and more young and dynamic competitors are entering the market. Most of these fintechs specialize in one aspect of financial services and use the latest technologies to communicate and transact with clients anywhere, whenever needed, in real time. Traditional banks already feel the winds of change through a decreasing number of younger customers, "millennials", who like to bank mobile, "on the go", and put more trust in peers than in classic institutions.
To stay relevant by becoming more agile and satisfying the needs of connected consumers, banks have, at least partly, begun to integrate the new world into their business models. However, this also demands a rethinking of information security. In a hyperconnected world the old perimeters like firewalls are not of much use any more, if at all. With IT available anytime and everywhere, and more and more people, devices and things connected with each other, the attack surface grows exponentially. New threats arise in these internal and external relationships, elaborate phishing and privileged-user attacks being just two examples.
The perimeter shifts to the identities of people, KYC (Know Your Customer) compliance being one example, but also to devices and billions of ever-new things. In this context the further development of blockchain technology, with its prospects for advanced identity and access management, promises a huge leap towards secure and transparent financial transactions worldwide (unforgeable records of identity, no double spending possible, automated verification, self-executing contracts, encryption, data integrity through time-stamps, hashing, etc.), even though certain limits of this innovative technology still need to be addressed. Could they, for example, be better addressed with permissioned, private ledgers, where only known users are allowed to participate? SWIFT already seems to be experimenting with this.
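To make the integrity properties named above concrete (hash chaining, time-stamps, and a permissioned participant set), here is an added example that is not from the original post and not any real ledger's code. It is a deliberately minimal tamper-evident log: the participant registry and the sample transfers are constructed, and a production ledger would add signatures and consensus on top of what is shown here.

```python
import hashlib
import json
import time

# Constructed registry of known participants (hypothetical names): in a
# permissioned ledger only these identities may append entries.
KNOWN_PARTICIPANTS = {"bank_a", "bank_b", "clearing_house"}


class LedgerError(Exception):
    """Raised when an append violates the ledger's rules."""


def entry_hash(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    material = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def new_ledger():
    """Start a ledger with a fixed genesis entry that anchors the hash chain."""
    genesis = {"index": 0, "timestamp": 0, "participant": "genesis",
               "payload": "", "prev_hash": "0" * 64}
    genesis["hash"] = entry_hash(genesis)
    return [genesis]


def append_entry(ledger, participant, payload, timestamp=None):
    """Append a payload on behalf of a known participant; each entry commits
    to the hash of its predecessor and to a non-decreasing time-stamp."""
    if participant not in KNOWN_PARTICIPANTS:
        raise LedgerError(f"unknown participant {participant!r}")
    prev = ledger[-1]
    ts = time.time() if timestamp is None else timestamp
    if ts < prev["timestamp"]:
        raise LedgerError("timestamp must not go backwards")
    entry = {"index": prev["index"] + 1, "timestamp": ts,
             "participant": participant, "payload": payload,
             "prev_hash": prev["hash"]}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify_ledger(ledger):
    """Return (True, None) if the chain is intact, otherwise
    (False, index_of_first_inconsistent_entry)."""
    for i, entry in enumerate(ledger):
        # Every entry's stored hash must match its contents.
        if entry["hash"] != entry_hash(entry):
            return False, i
        if i == 0:
            continue
        prev = ledger[i - 1]
        # Each entry must point at its predecessor's hash, continue the
        # index sequence, keep time moving forward and come from a known party.
        if (entry["prev_hash"] != prev["hash"]
                or entry["index"] != prev["index"] + 1
                or entry["timestamp"] < prev["timestamp"]
                or entry["participant"] not in KNOWN_PARTICIPANTS):
            return False, i
    return True, None


def tamper_demo():
    """Build a small ledger, alter a recorded transfer, and show that the
    change is detected even if the attacker recomputes the altered entry's hash."""
    ledger = new_ledger()
    append_entry(ledger, "bank_a", "transfer 100 to bank_b", timestamp=1000)
    append_entry(ledger, "bank_b", "acknowledge 100 from bank_a", timestamp=1001)
    intact = verify_ledger(ledger)
    ledger[1]["payload"] = "transfer 1000 to bank_b"   # constructed tampering
    naive = verify_ledger(ledger)                       # caught at entry 1
    ledger[1]["hash"] = entry_hash(ledger[1])           # attacker re-hashes it
    rehashed = verify_ledger(ledger)                    # caught at entry 2
    return intact, naive, rehashed


if __name__ == "__main__":
    print(tamper_demo())
```

The point the example makes is that altering a past record forces an attacker to recompute every later hash as well, which is exactly what the chain (and, in a real deployment, the other participants' copies of it) makes visible; the participant check is the "only known users" property of a permissioned ledger reduced to its simplest form.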
Whatever the solution(s), security and privacy must no longer be an afterthought. Both need to be part of product and solution development from the start. Many industries have already understood that. It's time for the digital finance world to internalize the concept of security and privacy by design too. I can almost hear those who say this will hinder agility and slow processes down. In fact, it is clearly the other way round and cannot be emphasized enough: security and privacy by design help any business to become more agile than ever before. They are actually the foundation of successful and economical agility by design.
Of course, many banks already considered "security by design" even in their old mainframe infrastructures. In fact, they were often really good and quite progressive at it, with dynamic authorization (ABAC) and so forth. Sadly, these efforts do not count for much in a highly dynamic and digitalized world. Agility by design can today only be reached by rethinking security by design and by also meeting the regulatory demands of privacy by design. If they get both right, financial institutions stand a good chance of surviving in completely new competitive and risk environments. This won't work with the old core banking IT, however, since it is neither agile nor secure enough, and it doesn't fulfil modern privacy requirements either.