By David Rajoo, Head of Systems Engineering, Malaysia, Palo Alto Networks
Bank Negara Malaysia’s implementation of a regulatory framework for digital banks and the subsequent announcement that it will issue five digital banking licences by 2022 are clear signs of the government’s openness to embracing digital transformation in the finance sector. These developments are also timely: according to a recent survey by analytics software firm FICO, 61 percent of Malaysian consumers prefer to use digital channels to engage with their bank during financial hardship, which signals that Malaysians are likely to welcome digital banking and the conveniences it brings.
Digital banks, or neobanks, are set to reinvent banking and finance in Malaysia and other parts of the world, with the aid of disruptive technologies such as 5G and cloud services. These banks offer the services of a traditional bank, such as applying for a loan, opening an account or investing in financial markets, without the need to visit a physical branch, while still complying with financial guidelines such as know your customer (KYC). These fully digital services mean greater convenience for users and an opportunity to reach underserved consumers in the country. With the adoption of digital banking services imminent, the ability of digital banks to secure this large network and infrastructure will be the key to ensuring trust in the new digital ecosystem.
Where the risk lies
Financial institutions (FIs) such as banks have always been attractive targets for cybercriminals for obvious reasons: the money they hold and the sensitive information they keep. Digital banks will potentially process even larger volumes of such data over their networks. Fundamental components of cloud native applications such as Application Programming Interfaces (APIs), the interfaces through which software components communicate with each other, also enlarge the attack surface: every API a bank exposes is a potential entry point that cybercriminals can probe and, if it is poorly authenticated or authorised, exploit to get around the bank’s other defences.
This is further complicated by the complexity of the modern software supply chain. Digital banks will naturally partner with third-party vendors to provide innovative payment services for users, and every vendor that is not properly secured becomes a weak link. This dramatically increases the attack surface that cybercriminals can exploit to reach the bank’s data and systems, and an intrusion that arrives through such a vendor is known as a supply chain attack. A recent high-profile example was the SolarWinds breach, in which a trojanised software update reached up to 18,000 SolarWinds customers, FIs among them.
Ransomware is one of the major cybersecurity threats to FIs because of the high-value information they store. Ransomware is malware that encrypts a victim’s files and demands payment for the key needed to restore them, often disrupting operations in the process. In what is known as double extortion, operators also steal the data before encrypting it and threaten to leak it if the organisation refuses to pay the ransom. This type of attack has already cost organisations abroad millions of dollars and is a growing threat to companies in Malaysia and across ASEAN.
Gaining public trust by adopting ‘zero trust’
For digital banks to compete with the established incumbents, building customer trust needs to be a priority and this entails robust cybersecurity measures. Digital banks will require security that is comprehensive and rigorous, given the colossal amount of data being moved through multiple cloud environments within their networks.
The best way to build trust in a digital bank’s network is to adopt a zero trust security architecture, which means that nothing is taken for granted or assumed safe by default. Zero trust is a dynamic IT security model that removes implicit trust from the network: every user, device and connection is verified before it is allowed to reach an application or data, whether the request originates inside the corporate network or on the internet, and that verification is repeated on every access rather than only at login. This discipline of inspecting all traffic will go a long way in setting a digital business up for success, for a few key reasons. Firstly, users will access bank services from any location, and zero trust is not dependent on location: it can be enforced directly on a device or delivered through the cloud. Secondly, zero trust can be achieved by building on the existing network architecture rather than replacing it, so tools and technology that companies already own can still be used alongside the new approach.
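The API entry points mentioned under “Where the risk lies” and the zero trust principle described above come together in how a bank authorises each request. The following is an added example, not code from the article or from Palo Alto Networks, of a per-request policy check in the zero trust style: every call must carry a valid, unexpired signed token, come from a device that passes a posture check, hold the scope the operation needs, and, for sensitive operations, show that multi-factor authentication was completed. The source address is logged but never used to grant access, so a request from the “internal” network gets no special treatment. The signing key, the `POLICY` table, the resource and scope names, and the `device_compliant` signal are all hypothetical; the tokens are HMAC-signed stand-ins for whatever the bank’s identity provider issues.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical signing key for this example only; a real deployment keeps the key in a KMS/HSM.
SIGNING_KEY = b"example-key-do-not-use-in-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a token of the form base64url(payload).base64url(HMAC-SHA256(payload))."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}"


def verify_token(token: str, now: float, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64url(payload_b64), _unb64url(mac_b64)
    except ValueError:            # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


@dataclass
class ApiRequest:
    token: str
    resource: str
    action: str
    device_compliant: bool   # posture verdict from an MDM/EDR agent (assumed to exist)
    source_ip: str           # recorded for audit only; never consulted when deciding access


# Hypothetical policy table: each (resource, action) names the scopes and MFA it requires.
# Anything not listed is denied, which is the zero trust default.
POLICY = {
    ("accounts", "read"): {"scopes": {"accounts:read"}, "mfa": False},
    ("transfers", "create"): {"scopes": {"transfers:write"}, "mfa": True},
}


def authorize(req: ApiRequest, now: float) -> tuple:
    """Evaluate one request and return (allowed, reason). Every check runs on every call."""
    claims = verify_token(req.token, now)
    if claims is None:
        return False, "token invalid or expired"
    rule = POLICY.get((req.resource, req.action))
    if rule is None:
        return False, "no policy for this resource/action (default deny)"
    if not req.device_compliant:
        return False, "device failed posture check"
    if not rule["scopes"] <= set(claims.get("scopes", [])):
        return False, "token lacks required scope"
    if rule["mfa"] and not claims.get("mfa"):
        return False, "step-up MFA required"
    return True, "allowed"


if __name__ == "__main__":
    now = time.time()
    # Constructed sample: a read-only token used for a read and then for a transfer.
    token = issue_token({"sub": "cust-1", "scopes": ["accounts:read"], "mfa": False, "exp": now + 300})
    for req in (ApiRequest(token, "accounts", "read", True, "10.0.0.5"),
                ApiRequest(token, "transfers", "create", True, "10.0.0.5")):
        print(req.resource, req.action, "from", req.source_ip, "->", authorize(req, now))
```

The order of checks matters little for the outcome but does for what is logged: failing the token check first means an attacker holding a stolen token still has to clear device posture, scope and MFA, and each refusal reason is specific enough to investigate without revealing to the caller which step-up would have succeeded.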
Building trust is a concerted effort
Cybersecurity is a shared responsibility: end users must do their part to keep their valuable data out of the wrong hands, while businesses, and digital banks in particular, need to take a proactive approach to protect themselves and their customers.
Before partnering with digital banks, enterprises should also do their due diligence to confirm that the bank has sufficient security measures in place, including a comprehensive cybersecurity framework such as zero trust as well as mature application security capabilities. These capabilities should include DevSecOps, security audits, vulnerability assessments and penetration testing.
DevSecOps, for instance, means making software security a core part of the software delivery process. Traditionally, the stages were performed separately: developers wrote code, IT teams deployed it without much thought for security, and only after the software was in production did security engineers check the code or the environments hosting it for vulnerabilities. DevSecOps integrates security into every stage of delivery, so that developers consider security as they write code, software is tested for security problems before it is deployed, and IT teams have plans for addressing issues quickly if they surface after deployment.
Customers also need to understand how banks will use and store their data, and follow cyber hygiene best practices: learning to recognise common phishing scams, avoiding public Wi-Fi networks when accessing digital banking accounts, and using a different password for each banking application rather than a single password for every login. Robust multi-factor authentication is also a must and should be enabled by the customers of these neobanks so that their digital identities are adequately protected.
The successful launch of digital banks in Malaysia will propel the finance sector into a new era and transform the industry for both enterprises and consumers. However, cybersecurity will be a critical success factor in building consumer confidence: a single cyberattack or data breach at a digital bank could damage the public’s trust in digital financial services and erode any momentum gained. Hence it is imperative that Malaysia prioritises cybersecurity, and a preventative approach will be critical to the overall digital transformation plan.