There has been a proliferation of alternative payment methods and a large-scale digitisation of the infrastructure underneath them, according to an EIU report.
Much of this comes from a broader push around digital banking, an area in which, McKinsey says, there is “no uniform formula or proposition” and where a wide variety of business, service and regulatory oversight models currently coexist.
It is important for the sector, as well as for Australia’s economic reboot and recovery, that this reshaping of financial services is successful and secure. To this end, we see three emerging factors as being critical to success.
Re-architecting for resiliency
According to Australia’s central bank, the move to “widespread” remote working and electronic payments over the past two years made banks an even more attractive target for attacks.
That corresponds with our own experience in the sector.
Bank employees have become highly distributed, so the corporate and web-based apps they use must be extended past the traditional boundary of the office to wherever employees now work, without compromising performance or security.
The resiliency of customer-facing banking websites and payment services has also never been more critical. These services are increasingly composed of multiple APIs and other web-based components, each of which must be available and working in concert for a single process, such as a payment, to complete; the failure or slowdown of any one of them can stall the whole transaction.
Regulators have taken a more intensive interest in this space of late, given the elevated importance of electronic payments and the not infrequent stories of banking customers left at petrol bowsers or assisted checkouts, unable to transact.
The need for resilient, low-latency and secure delivery of web-based applications and APIs, for internal and customer-facing consumption, has led to renewed interest in next-generation web application firewalls (WAFs) and web security tools.
More specifically, financial services firms are combining content delivery networks (CDN), edge compute and security tools to make sure apps, both internal and externally facing, are fast, secure and highly available.
Preparing for a destabilising attack
Australia’s financial industry has consistently reported high levels of data breaches compared with other industry sectors since mandatory reporting of incidents began in early 2018.
In some ways this is not surprising, insofar as banks have an enormous attack surface and are holders of the kind of personal financial data that makes them an attractive target. While breaches of some form are frequent and consistent, none so far have been so severe as to destabilise the entire sector.
Banks are relatively well-resourced for security purposes compared to other sectors. However, internal resourcing alone may not be enough to thwart a destabilising attack.
The Reserve Bank of Australia believes a breach with “systemic implications” that “could lead to widespread stress in the financial system” is inevitable. It adds that “financial institutions and regulators are focusing on strengthening the resiliency of individual institutions and the financial system”, so that a successful attack against one firm does not cascade into many.
The Australian financial services sector could also benefit from stronger sharing of threat intelligence. A threat intelligence community already exists in the sector, but it has limited visibility of threats being seen in other geographies.
In the past, we have seen attacks against banks move from country to country as attackers evolve their campaigns. Confirmed attack feeds such as the Network Learning Exchange (NLX) provide intelligence and early warning of attacks targeting web applications in one part of the world, so that defenders elsewhere can block the same campaign before it reaches them.
Securing online banking and other crucial financial services is not just a single vendor or industry challenge. We all need to work together to solve this.
Skills, silos and a common language
A third major challenge confronting Australia’s banks is the need to find more skilled technology staff and to bridge knowledge silos, both between technical teams and between technology and ‘the business’.
Almost all of Australia’s major banks have large-scale recruitment drives underway, all competing to hire talent from a limited domestic candidate pool. The easing of Australia’s border restrictions will relieve some of the more immediate recruitment pressure.
Ongoing effort will also be required to create a shared sense of responsibility for cybersecurity internally. Silos between development, security and ‘the business’ need to be dismantled.
In many organisations, development teams may meet with the security team only once a month. To raise security awareness and adherence in code and product development, these interactions should be far more frequent, so that security requirements are raised while a feature is being designed rather than after it has shipped.
In addition, work needs to be put into formulating a common language across teams so that no matter who is talking about a security-related issue, there is a shared or common understanding of what is being asked for or discussed.
Stephen Gillies, technology evangelist APAC, Fastly