In the first part of this article, we broached the issue of cybercrimes taking on new and complex dimensions in the current state of digital banking. We also discussed security design, which balances usability and security, as part of the cybercrime mitigation controls. In this second part, I will elaborate on some of the measures being taken to ensure that both customers and banks are protected.
Most banks have implemented multifactor authentication mechanisms which add a layer of protection to the sign-in process and funds transfer functions of their online banking solutions. When accessing accounts or apps, users provide additional identity verification, such as scanning a fingerprint or entering a code received via phone or email. This ensures, to a large extent, that a bank is dealing with the actual person.
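The one-time code described above (sent by phone or email and entered after the password) only adds protection if the server side enforces the properties that make it a second factor: unpredictable generation, short lifetime, single use and a bounded number of guesses. The following Python example, added here and not code from the article or from any bank, shows a minimal server-side issuer and verifier with those checks. The `OtpStore` class, the `SERVER_KEY`, the 120-second lifetime and the three-attempt limit are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example; in production it would come
# from a secret store or HSM, never from source code.
SERVER_KEY = secrets.token_bytes(32)
CODE_TTL_SECONDS = 120   # a delivered code is only valid briefly (assumed value)
MAX_ATTEMPTS = 3         # after this many wrong guesses the code is discarded


def _digest(user_id: str, code: str) -> bytes:
    # Keyed hash of the code: a leaked table of digests is useless without
    # SERVER_KEY, which also blocks offline guessing of a short numeric code.
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


class OtpStore:
    """Issues and verifies single-use codes delivered out of band (SMS/email)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._pending = {}       # user_id -> [digest, expires_at, attempts_left]

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed six-digit code; random.randint would be predictable.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = [
            _digest(user_id, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        # Only the digest is retained; the plaintext goes to the delivery channel.
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return one of: ok, no_code, expired, bad_code, locked."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_code"
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return "expired"
        # Constant-time comparison so a wrong code cannot be distinguished
        # by timing how far the comparison got.
        if hmac.compare_digest(digest, _digest(user_id, submitted)):
            del self._pending[user_id]   # single use: a replayed code fails
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user_id]   # guessing budget exhausted
            return "locked"
        return "bad_code"


def demo() -> str:
    store = OtpStore()
    code = store.issue("customer-42")
    first = store.verify("customer-42", code)
    replay = store.verify("customer-42", code)
    return f"first attempt: {first}, replay: {replay}"


if __name__ == "__main__":
    print(demo())
```

The three outcomes other than `ok` are the ones worth logging on the bank side: repeated `bad_code` and `locked` results for one account are an early signal of an attacker who already holds the password and is guessing the second factor, and `expired` spikes usually point at delivery delays on the SMS or email channel rather than at fraud.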
These are further augmented by Know Your Customer (KYC) checks that confirm the customer’s personal details. On mobile apps, several background tools confirm every transaction for the protection of the customer without sacrificing convenience. Another element that remains critical is user awareness through various channels. As the saying goes in the security fraternity, ‘your security programme is as solid as your weakest link’, and usually the weakest link is the human element in the chain.
A bank can develop extensive security controls, but if the human element within the chain is not diligent enough, the entire security architecture and technological investment will be close to useless. Consequently, banks put a lot of effort into creating awareness and educating customers. There is some information a bank will never ask customers to divulge. Information such as usernames, passwords and bank account details is the preserve of customers; when customers are made aware of this and of other risks, they become vigilant and diligent. This diligence then complements the security provided by the bank, making it whole.
Another significant element in providing security for bank customers, beyond awareness-creation, is collaboration with regulatory and security authorities. Fortunately, in late 2020 the Parliament of Ghana passed the Cyber Security Act 2020, which spells out what we must do as a country to secure our cyber space. Banks, as key stakeholders, made critical inputs into the Act to ensure that it covers all dimensions of cyber security concerns in today’s world. But even before the Cyber Security Act 2020, the Bank of Ghana – the regulatory body for all banks and financial institutions in Ghana – had in place a cyber and information security directive (issued in 2018) that it enjoins all banks to adhere to.
Apart from local laws and regulations, there are international banking standards that banks adhere to. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard governing the handling of branded payment cards from the major card schemes, which banks must also adhere to. Being PCI DSS-compliant means you have security standards in place for all your payment cards. Additionally, the International Organization for Standardization’s ISO 27001 sets out the requirements for an Information Security Management System (ISMS) that banks must meet to be deemed secure. Stanbic Bank, for example, holds both PCI DSS and ISO 27001 certifications, affirming the bank’s commitment to protecting its customers’ information.
As a bank, we collaborate with key institutions such as the Bank of Ghana (BoG), the National Cyber Security Centre and the Cybercrime Unit of the Criminal Investigations Department (CID) of the Ghana Police Service, to ensure that we have adequate threat intelligence and cooperation. We have an internal strategy we call ‘PPDR’ – predict, prevent, detect and respond to the threat of cybercrime. All these measures and interventions are put in place so that we can provide our customers with the best banking services while ensuring that they remain secure.
The writer is the Chief Information Security Officer, Stanbic Bank