The year 2018 was full of cyber-attacks, and the most serious news was about well-orchestrated attacks on the banking industry. No matter how much awareness is raised, the banking industry unfortunately seems to wake up only upon hearing about an attack, and is otherwise sluggish about cyber security.
While providing consultancy to many banks in different geographical areas and of different sizes, I talk to IT heads and CISOs. This has made me realise that they are in a great deal of confusion about how to put the whole thought process together when approaching cyber security implementation in their respective banking IT infrastructure. This article is an attempt to articulate various Do's and Don'ts which might help everyone see the bigger picture and notice what they are missing.
- Are we performing audits only for the audits' sake, or for genuine compliance and cyber security governance?
- Are we following the Reserve Bank of India (RBI) guidelines, which are published periodically?
- Are we creating a threat model of our banking infrastructure to find the weakest links?
- Is a detailed vulnerability assessment and penetration testing (VAPT) being carried out frequently?
- How are we deciding the frequency of VAPT? Is it based on risk analysis?
- Are we taking ATMs into account for a VAPT?
- Are we selecting a cyber security consultant or vendor only on the basis of referral or connection, and not on their experience and credibility?
- Are we treating our cyber security consultant or vendor as a partner, or only as a vendor?
- Are we considering ISO 27001 and PCI DSS standards implementation to strengthen our security?
- Are internal cyber security awareness sessions being conducted by internal people, or by hands-on industry experts?
- Are whaling and phishing attacks part of the internal awareness program?
- And the last one: are we treating the bank's cyber security as an IT risk or as a business risk?
Please be advised that the last point above is extremely important, because a bank's management usually forgets that a cyber-attack is about information leakage as a whole, and not just about data leakage from IT servers or desktops.