Ethical Hacking: Keeping Data Safe in the Financial Services Industry
By Arijit Banerjee
The basis for ethical hacking is simple yet powerful: you allow good hackers to gain access to your systems to prevent the malicious ones from doing damage. Even one of the world’s most secure bastions, the US Department of Defense, has opened up its systems to ethical hacking. Hack the Pentagon, Hack the Army, and Hack the Air Force are bold initiatives to leverage crowd-sourced security. These initiatives are clearly indicative of the power of crowd-sourced security and the role it is likely to play in the future.
On the corporate front, while no sector is immune to cybersecurity threats, the banking and financial services industry faces unique risks due to the sheer magnitude of transactions and the sensitive nature of consumer data. Financial institutions (FIs) are subjected to cybersecurity attacks 300 times more frequently than businesses in other industries. The cost of repairing such breaches averages a staggering $7 million a breach. Even as FIs invest in improving their cybersecurity posture to protect their customers’ privacy and minimize cyber risks and costs, they are exploring other avenues of fighting cybercrime, such as hiring ethical hackers.
An ethical or white hat hacker is an IT/IT security professional who analyzes data security structures through penetration testing to identify vulnerabilities in an FI’s applications, systems and networks. This provides FIs with the insight to proactively deal with the security of their assets and information. Top ethical hacker certifications include Global Information Assurance Certification Penetration Tester (GIAC), Offensive Security Certified Professional (OSCP) and Certified Ethical Hacker (CEH). According to the 2018 Hacker Report, top-earning ethical hackers make 2.7 times the median salary of a software engineer across geographies.
Here are three ways in which ethical hackers are helping FIs bolster their cybersecurity.
Employing an offensive rather than a defensive strategy
Ethical hackers use strong coding skills in languages such as C, C++, Perl, Python and Ruby, and in web application platforms such as .NET and PHP, to go on an offensive search for security vulnerabilities. Database management systems (DBMS), cryptography, networking and social engineering are some of the other skills that come in handy during a bug hunting expedition. White hat hackers are also turning to AI and machine learning to probe information and security systems in an attempt to proactively identify the gaps.
Deploying preventive measures to safeguard user and customer information
Once the security gaps are identified across platforms and devices such as the internet, mobile, ATMs and e-wallets, it becomes easier for FIs to plug them and strengthen their security posture using measures such as multi-layer security, multi-factor authentication and biometrics. Considering the direct correlation between the rise of digitization and the increase in cyber risks, the Reserve Bank of India (RBI) has issued comprehensive guidelines on information security, electronic banking and technology risk management that lay out preventive measures for FIs. By teaming up, IT security professionals and ethical hackers with a good grasp of these guidelines can ensure robust security.
Testing networks for vulnerabilities
One of the best ways to prevent illegal hacking is to test the network for weak links on a regular basis. Ethical hackers help FIs clean and update their systems by discovering new vulnerabilities on an ongoing basis. Going a step further, ethical hackers also explore the scope of damage that could occur due to each identified vulnerability. Realizing the importance of ethical hacking in ensuring security, the RBI has constituted a team of white hat hackers to conduct security checks on public sector banks by ethically hacking into their systems.
With the number of digital transactions increasing in the aftermath of the recent demonetization, conducting ethical hacking and regular security audits and implementing a strong exit policy for employees are not enough to address the cybersecurity issue in its totality. Security must be infused into the data culture of the organization through learning and development (L&D) initiatives. A Deloitte survey reveals that engaging the entire organization in cybersecurity is a must-do for FIs to improve the balance between risk and innovation. To this end, partnering with qualified experts can help organizations train their employees, increasing awareness and ensuring that they diligently follow security protocols.