Bankers have a reputation for being very conservative and, well, frankly, boring. As an ex-banker I'd like to push back on that image: rather than grey-suited accountants, they should be seen as heroes like Tom Cruise in Mission: Impossible. After all, bankers are in the risk business, and they take risks every day.
Here in Malaysia, bank branches have a little more edge to them, with armed guards casually caressing shotguns and looking very bored; you don't get that in sleepy Norfolk, where I live when I'm in the UK. The point is that bankers adapt locally to the risk and balance it against what it costs to mitigate. A branch can always be robbed; the bank puts in compensating controls to reduce that risk, but short of never letting anyone into the branch, the possibility of a robbery never goes away.
A recently published report by an ethical hacking group on industries and their protection against security breaches gave me a new perspective on data security in banking, especially in light of the recent frauds against Middle Eastern banks. Some of their figures struck me. The banking industry was one of the better protected, but it does take a long time to close loopholes once they are discovered. Also, 71% of banks had systems that track online fraud. Put another way, a staggering 29% do not.
The reality is that, like being robbed, banks will suffer data breaches. This is a worldwide threat. The risk can be mitigated by many security controls, yet some recent breaches were made remarkably easy by merchants and processors using insecure 'root' passwords. This is the equivalent of leaving the vault door open and letting the security guard have an afternoon sleep.
It is equally important that, should a breach happen and a bank be impacted financially, it knows as soon as possible and can reduce the impact. In the card world, banks need to ensure they are checking for unusual transactions. This cannot be done the next day by looking at a couple of paper reports that reach a desk around lunchtime, an approach still used by a surprising number of banks. It needs to be done on a 24/7 basis; after all, it only took 24 hours to take out $40m in one recent fraud.
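To make the "24/7 rather than next-day paper reports" point concrete, here is a small added example of the kind of continuous transaction check a card issuer would run. It is illustrative code written for this post, not a system described by the author or any bank. The transactions, the thresholds (3 transactions per 10 minutes, $10,000 per rolling 24 hours, a country change inside 6 hours) and the noon batch-report time are all constructed assumptions chosen to show the rules firing; real programmes tune these per portfolio.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample stream: (card_id, UTC timestamp, amount, country).
# Not real card data; values are chosen so each rule below fires once.
SAMPLE_TRANSACTIONS = [
    ("card-A", "2024-01-01T09:00:00", 120.00, "MY"),
    ("card-A", "2024-01-01T09:40:00", 80.00, "MY"),
    ("card-B", "2024-01-01T10:00:00", 500.00, "GB"),
    ("card-B", "2024-01-01T10:05:00", 500.00, "GB"),
    ("card-B", "2024-01-01T10:07:00", 500.00, "GB"),
    ("card-B", "2024-01-01T10:09:00", 500.00, "GB"),   # 4th in 10 minutes
    ("card-C", "2024-01-01T11:00:00", 300.00, "MY"),
    ("card-C", "2024-01-01T12:30:00", 300.00, "US"),   # MY -> US in 90 minutes
    ("card-D", "2024-01-01T13:00:00", 4000.00, "MY"),
    ("card-D", "2024-01-01T20:00:00", 4000.00, "MY"),
    ("card-D", "2024-01-02T08:00:00", 4000.00, "MY"),  # $12k inside 24 hours
]


class FraudMonitor:
    """Stateful per-card checks applied to every transaction as it arrives.

    Thresholds are assumed example values, not industry figures.
    """

    def __init__(self, max_txns_per_window=3, window=timedelta(minutes=10),
                 max_amount_24h=10000.0, min_travel_gap=timedelta(hours=6)):
        self.max_txns_per_window = max_txns_per_window
        self.window = window
        self.max_amount_24h = max_amount_24h
        self.min_travel_gap = min_travel_gap
        # card_id -> deque of (timestamp, amount, country) within the last 24h
        self.history = defaultdict(deque)

    def process(self, card_id, ts_str, amount, country):
        """Return a list of alert dicts raised by this single transaction."""
        ts = datetime.fromisoformat(ts_str)
        hist = self.history[card_id]
        alerts = []

        # Keep only the rolling 24-hour history for this card.
        while hist and ts - hist[0][0] > timedelta(hours=24):
            hist.popleft()

        # Rule 1: country changes faster than a person could travel.
        if hist:
            last_ts, _, last_country = hist[-1]
            if last_country != country and ts - last_ts < self.min_travel_gap:
                alerts.append({"card": card_id, "rule": "impossible_travel", "at": ts_str})

        hist.append((ts, amount, country))

        # Rule 2: transaction velocity inside a short window.
        recent = [t for t, _, _ in hist if ts - t <= self.window]
        if len(recent) > self.max_txns_per_window:
            alerts.append({"card": card_id, "rule": "velocity", "at": ts_str})

        # Rule 3: cumulative spend over the rolling 24 hours.
        if sum(a for _, a, _ in hist) > self.max_amount_24h:
            alerts.append({"card": card_id, "rule": "amount_24h", "at": ts_str})

        return alerts


def run_stream(transactions):
    """Feed transactions through the monitor in order; collect every alert."""
    monitor = FraudMonitor()
    alerts = []
    for txn in transactions:
        alerts.extend(monitor.process(*txn))
    return alerts


def hours_until_batch_report(ts_str, report_hour=12):
    """Hours a next-day paper report (assumed noon) would add before anyone
    sees the same event that the streaming check flags immediately."""
    ts = datetime.fromisoformat(ts_str)
    report_at = (ts + timedelta(days=1)).replace(hour=report_hour, minute=0, second=0)
    return (report_at - ts).total_seconds() / 3600


if __name__ == "__main__":
    for alert in run_stream(SAMPLE_TRANSACTIONS):
        delay = hours_until_batch_report(alert["at"])
        print(f"{alert['card']}: {alert['rule']} at {alert['at']} "
              f"(next-day report would lag by {delay:.1f} h)")
```

The three rules are deliberately simple and stateful: the point is not the rule set but that each check runs at the moment the transaction is seen, with the lag of a noon-the-next-day report computed alongside for comparison.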
I appreciate none of this is quite as exciting as Tom Cruise swinging from very tall buildings, but in this age, when the cyber heist is one of the most lucrative criminal occupations, diligence is the key attribute for reducing fraud risk.