The use of digital technology makes a bank more sophisticated. However, it is like riding a tiger that can make us great, but if we do not take good care of it, the tiger can turn and pounce on us.
By RICO USTHAVIA FRANS
Advances in technology and the digitalization of people's lifestyles have forced all businesses to adopt digital technology, including the world of finance and especially banking. Banking digitalization is a necessity. Today's customers consider digital channels a must.
Banks that cannot open accounts online are considered out of date. Banks whose mobile banking is slow, difficult to use and unreliable are abandoned by customers. Fewer and fewer people visit a bank branch, for many dwindling to just once a year. ATMs are also used less and less. All non-cash services can easily be done through mobile banking. Cash withdrawals are also declining because more merchants accept cards and QRIS as a payment method.
On the other hand, banking as a depository institution is an attractive target for criminals. They are always lurking, waiting for the bank to let its guard down. They no longer rob banks with firearms, but with information technology (IT). For that purpose, they spend a lot of money recruiting and training people who are good at IT.
They can even pay insiders, and it is quite possible that they place several insiders in the bank they are targeting. In essence, as criminals, they try to stay one or two steps ahead of their potential victims.
In order to effectively anticipate the risk of digital attacks, banks must take several important precautionary steps. First, they must educate employees about IT security risks (IT security awareness). Mitigating IT attacks is not only the responsibility of the IT unit, but the responsibility of all employees. All employees must be aware of the latent dangers of IT attacks. They must be taught to distinguish "public information" that everyone may know from "secret information" that only a few entitled people should know.
Some information, such as a PIN or password, is "highly confidential information" that absolutely no one else should know. Employees who share passwords to get a task done can be dismissed immediately. Many bank robberies start from the ignorance and indifference of employees. There are banks that have suffered losses of tens of billions simply because one employee opened an e-mail containing a certain link, allowing criminals to get into the bank's system.
Second, the bank must implement strong "process control". Every manual process must be carried out with at least double control: one person makes the transaction and another person authorizes it. All important processes must have logs or records so that, if a problem occurs, the bank can easily carry out a forensic audit.
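As an added illustration of the dual-control-plus-logging rule above (example code written for this page, not from the article or any bank's system), here is a minimal maker-checker gate in Python whose audit log is hash-chained so that tampering with an earlier record shows up in a forensic audit; the transaction fields, names and chaining scheme are my own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    tx_id: str
    amount: float
    maker: str
    checker: Optional[str] = None
    status: str = "PENDING"


class DualControlLedger:
    """Maker-checker gate with an append-only, hash-chained audit log.
    Every entry records the previous entry's hash, so editing or deleting
    an earlier record breaks verification (assumed design, not the bank's)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.txs = {}
        self.audit = []
        self._prev_hash = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, event: str, tx_id: str, actor: str) -> None:
        entry = {"event": event, "tx_id": tx_id, "actor": actor, "prev": self._prev_hash}
        entry["hash"] = self._digest(entry)  # hash covers event, tx_id, actor, prev
        self._prev_hash = entry["hash"]
        self.audit.append(entry)

    def make(self, tx_id: str, amount: float, maker: str) -> Transaction:
        tx = Transaction(tx_id, amount, maker)
        self.txs[tx_id] = tx
        self._log("CREATED", tx_id, maker)
        return tx

    def authorize(self, tx_id: str, checker: str) -> Transaction:
        tx = self.txs[tx_id]
        if checker == tx.maker:  # segregation of duties: no self-approval
            self._log("REJECTED_SELF_APPROVAL", tx_id, checker)
            raise PermissionError("maker cannot authorize own transaction")
        tx.checker, tx.status = checker, "AUTHORIZED"
        self._log("AUTHORIZED", tx_id, checker)
        return tx

    def verify_audit(self) -> bool:
        """Recompute the chain; False means a record was altered or removed."""
        prev = self.GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The rejected self-approval is itself logged, so an auditor can see attempted bypasses, not only completed transactions.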
Banks must also be willing to invest adequately in IT security systems. All existing servers, networks and computers must be protected with adequate security and monitoring software. All applications must be built and maintained to a defined minimum security standard.
Every time there is a new application or a feature change, it must be retested. As a best practice, banks must also carry out penetration testing, in which banks pay white-hat hackers to find system weaknesses. Banks also need an SOC (security operations center) whose job is to monitor, mitigate and deal with every IT attack.
As the next stronghold, the bank must also have an antifraud unit. This unit must monitor all transactions that occur, 24/7. Of course, it should be equipped with an automatic and adequate fraud detection system.
Personal data
Apart from financial assets, data is a valuable asset and must be protected. Confidential information and customers' personal data need to be properly protected. If a data leak occurs, the bank is in a difficult position because its credibility can be destroyed. The recent ransomware attack on a large bank is a difficult problem to solve. So, it is far better to prevent an attack than to suffer one.
In addition to the credibility risk, the Personal Data Protection Act provides for significant administrative fines of up to 2 percent of annual revenue.
However, IT attacks are not always easy to prevent. Our opponents are well-resourced IT crooks.
Therefore, the implementation of the Personal Data Protection Law should not be based on a punitive approach in the form of large fines, but rather on a compliance approach. This means that if the institution has complied and carried out sufficient mitigation to provide protection, the fine need not be that big. Large fines should only be applied where there is negligence or intent.
Regulators such as the Financial Services Authority and Bank Indonesia (BI) also play a very important role in terms of banking IT security. Regulations issued must lead to better standardization of banking IT security. Regulators need to appoint several qualified certification bodies to carry out periodic certification and audits of IT security.
The use of digital technology makes a bank more sophisticated. However, if the bank is not ready, the use of digital technology has potential risks that cannot be taken lightly. It is like riding a tiger that can make us great, but if we do not take good care of it, the tiger can turn and pounce on us.
RICO USTHAVIA FRANS, member of the Steering Committee of the Indonesian Fintech Society