Getting down to business, participants were asked what shortcomings they perceive in the cyber security landscape in terms of preparation. They pointed out a number of areas in banking security that could be improved to tighten up current security practices in the region.
“We need to see banks sharing information about attacks within the industry,” said Darwish Azad, Senior Manager, Group Information Security, Emirates NBD. “Right now if one bank is attacked, it is bad business to let another bank know about a potential threat.” Biju Nair, Head of Audit, Noor Bank, agreed and suggested that the government should play a role in sharing information between institutions. “I feel that regulator presence lacks in the region,” he said. “Banks have been talking about two factor authentication for years, but are not required by law to use such authentication. There needs to be regulations to hold the banks accountable.”
Speaking on the threats facing the banking sector specifically, Rinaldo Oliveira, Head of IT Risk and GRC, Commercial Bank of Dubai, mentioned targets both in the office and out. “There are specific threats that target users, our customers,” he said. “In addition, office computers are an obvious threat, but so too are computers that we take home. With more people bringing devices and more employees taking laptops home to work, the threat level is heightened,” he said. Oliveira went on to say that banks need to focus on detection and prevention. Nair was quick to point out that a great deal of preventative measures are taken through providing awareness to users. “However, there is a difference between security awareness and security behaviour,” he said. “Behaviour is the important thing. We need to analyse whether or not users’ behaviours are changing, particularly with our employees.” Girish Ramwani, Senior Manager, Systems and Applications, Dubai Gold and Commodities Exchange, agreed, saying that security behaviour needed to be standardised from the C-level positions down. “Exactly,” Nair agreed, “executives have access to systems they don’t necessarily need. The chance of an incident increases as more individuals have access to these systems.”
Guidelines and regulations were on the minds of the CIOs in regard to implementing security in the region. “Many countries have guidelines. Not enforcement necessarily, but we need a guide to look to in the local context,” Oliveira said. “Maybe we should have data privacy laws, but from which governing body would it come? I think the first step is guidelines, and enforcement and regulation is next.” Nair agreed that banks in the region are often left to their own devices, with no regulatory review happening for banks.
With banking being one of many industries jumping on the Bring Your Own Device bandwagon, the security situation in banks is becoming more complex. Ramwani described what he thought should happen with BYOD security as the trend moves forward. “There should be a policy coming from management,” he explained. “That is when all the technical solutions come into the picture. From the top to bottom there needs to be a policy on how it should be handled. This is where I think things are lacking.” Sameh Sabry, Regional Professional Services Manager, Spire Solutions, explained the confusion further. “First we need to define BYOD,” he said. “It means something different to every enterprise and the solution will be different depending on how your enterprise defines BYOD. What is your BYOD plan trying to accomplish and how do we contain all the security issues and mitigate attacks?”
Finally, the group reflected on the importance of protecting users as well as protecting devices. “People still write their password on paper and stick it next to their PC,” said Ali Kilany, Senior Officer, IT Support, Dubai Islamic Bank. “No system, no matter how robust, can protect us from that sort of behaviour.” It is a story that the participants found amusing, but it is all too real. The group then suggested innovative ways to encourage employees to break bad habits. “To motivate people we had competitions every month and had prizes like laptops and mobiles,” recalled Sabry. “We developed people’s understanding immensely this way.”
The banking industry is one of the most sensitive areas when it comes to security. The way our money is handled is of utmost importance, whether it be for an average citizen, a company or a government. As the security landscape changes, it is vital to prepare our region’s banks for potential threats.