Cybersecurity fintech Sequretek was recently named one of the ICBA’s 2022 ThinkTECH partners. BankBeat spoke with its co-founder and CEO, Anand Naik, about today’s ever-evolving digital threats.
What’s the broad outlook for cybersecurity?
Anand Naik: Cyber threats are continuously evolving with more stealth and sophistication. Advanced and hard-to-detect threats such as targeted phishing attacks, ransomware, coin miners, trojans, zero-day threats, and persistent threats are today’s biggest threats for banks.
Poorly configured and managed security products, unpatched systems and applications, vulnerabilities in applications and operating systems and lack of employee awareness that leads to system compromises, are among the main vectors exploited by attackers to get into the bank’s environment.
Apart from the above, nation-state sponsored crime is fast evolving. These attackers work with infinite tools at their disposal. Nation threat actors that attack critical banking infrastructure by exploiting system, people and process vulnerabilities will become the mainstay.
Banks probably already have solutions in place to help prevent these. What is new?
A.N.: Artificial intelligence and machine learning is being used in a big way to solve the complete security challenges of the future. Products and tools that the banks evaluate for the future need to use AI and/or ML to perform key tasks such as threat detection and prediction. Tools that perform advanced analysis in real time and over a time period with bank data, comparing it with global threat intelligence or banking industry specific threat intelligence, is another way banks can improve their security posture and reduce risk.
Cybersecurity vendors today offer many point solutions to solve different aspects of security for banks. With the complexity that each solution brings, you need additional resources with the accurate skillset to manage it. This adds to the overall cost and can, in some cases, lead to poor security configurations. Also, regulatory compliance becomes a big challenge.
How do you balance giving employees the ability to do their jobs with maintaining security?
A.N.: Bank IT departments are constantly striving to meet the dual challenge of the employees asking for anytime, anywhere, full access for better productivity on one hand, and regulators asking for locked-down, least-privileged access on the other.
Employee security awareness programs coupled with automated role-and-responsibility-based access control mechanisms solve this critical issue of providing the right environment for all to do their job.
At the end of the day, someone must be entrusted to oversee the tools. How do you manage access?
A.N.: Robust IT security for a bank is a combination of the right people, processes and technology. Tools that provide full visibility of security data in the bank’s environment and allow for automation of response to IT security incidents would help secure the environment. This coupled with an appropriate solution to automate all access and manage identity governance would help create a robust security platform.
Banks’ adherence to laid out standards such as the FFIEC or NIST guidelines could serve as a template for process automation. An IT security team who is experienced and well-versed with these tools could potentially create the appropriate governance framework needed to protect the bank.
Are there specific concerns for banks under $10 billion?
A.N.: Community banks have to deal with limited resources and IT staff as they aim to create differentiated offerings using digital fintech tools. The problem of security and compliance for these banks can be broken down into three distinct areas covering both external and internal security threats.
- Data at Rest (within applications): This covers security implementation for all systems — on premise, cloud or hybrid. Security products and processes need to be implemented to prevent, detect and respond to security threats.
- Data in Motion / Transit: This covers security implementation (technology and process) for all data in transit scenarios such as payment processing.
- Data at Endpoints (user/employee devices): Device protection and isolation tools to prevent data compromise through endpoint devices.
Banks need to evaluate the fintech solutions with respect to the above while undergoing their digital transformation journey and at the same time reducing the risk emanating from such a transformation.