The security partnership
Together banks and business tackle cyber crime
In the constant battle against cyber crime, collaboration between banks and business customers is paramount, advises ROB McKERRON.
The threat of cyber attacks to businesses using online banking services is significant and growing in sophistication. It is increasingly clear that one of the key measures to fight online fraud is firm collaboration between banks and their business customers – a Security Partnership.
The nature and scale of the threat is not in doubt: the UK Government’s 2010 publication A Strong Britain in an Age of Uncertainty: The National Security Strategy rates cyber attack unambiguously as one of the four highest priority risks, placing it in the same category as international terrorism.
The private sector and individual citizens, the document acknowledges, are under sustained attack today and, unless action is taken, this threat could become even worse.
“Cyber space is already woven into the fabric of our society,” says the document. “It is integral to our economy, and our security. In less than 15 years, the number of global web users has exploded... from 16 million in 1995 to more than 1.7 billion today.”
Global cyber crime, it estimates, now costs as much as $1 trillion a year. Small wonder that major British companies are becoming more concerned about the potential operational, reputational and financial impacts.
The government’s response has been to introduce a National Cyber Security Programme, in which it is investing £650 million over four years. This is intended to close the gap between the requirements of a modern digital economy and the rapidly growing risks associated with cyber space.
Successful delivery of this programme, it believes, depends on a partnership with the private sector. Precisely the same is true in the banking sector. This is why we believe that a similar security partnership is what is needed to tackle cyber crime: the more we work together in a united front, the more successful our defences will be.
At Lloyds Banking Group, our aim with online security is to achieve a win-win in which neither the bank nor our customers lose any money through cyber crime. The security partnership we seek aims to protect information, prevent fraud and – critically – maintain our strong working relationships with our customers.
We are devoting a lot of effort and resource to this by maintaining and investing in our online security infrastructure, and by continuously monitoring trends in “cyber space” such as phishing* emails and malware**.
However, the risk is potentially too broad for financial institutions to deal with the threat of cyber crime entirely on their own. Customers must also look to take responsibility for adopting a range of security measures.
In this respect, banks have a key role not only in providing robust security solutions but also in informing customers of the best security practices they should implement. At Lloyds Banking Group we consider this an essential function of our role as a trusted advisor to our customers.
We encourage customers to be proactive in implementing preventive security procedures. We put a lot of emphasis on customer education to help promote these best-practice measures and procedures which reinforce customers’ own security environments.
Technological solutions alone only go so far, and therefore we would recommend customers also consider additional measures that go beyond everyday security practices to ensure additional layers of defence. Here are eight key examples:
• Set user permissions that are relevant to role.
• Introduce dual control on business processes to ensure validation of online instructions.
• Establish various layers for authorisation of payment instructions relevant to the transaction value and risk.
• Implement alerting processes to highlight any amendments made to payment information before uploading to banking systems.
• Ensure the immediate removal of access to banking systems for employees who leave the organisation.
• Regularly audit the list of users who have access to banking systems.
• Adopt the practice of always logging-off banking systems.
• Ensure good practice for password management.
Further information is available at www.getsafeonline.org which is a joint initiative between the government and other parties providing computer users and small businesses with free, independent, user-friendly advice about how to use the internet confidently, safely and securely. Here are some examples they recommend, which we fully support:
Protect your PC
• Use a firewall to keep out some viruses and hackers.
• Keep your applications and operating systems up to date.
• Install anti-virus software to prevent infections.
• Stop spyware – don’t let strangers get inside your computer.
• Secure wireless networks – without protection, Wi-Fi (wireless) networks are vulnerable.
Protect your business
• Control access to critical information – protect information with a need-to-know policy.
• Use secure remote access to protect links between mobile workers and the office.
• Use encryption to provide extra security for important information.
Another key objective when deploying security solutions is to strike an acceptable balance between achieving effective online security and delivering a suitable customer experience.
There is no easy solution. The tightest online security may prevent online fraud, but if customer experience suffers as a result, then customers may simply not use the service. By the same token, if you simplify the customer experience by reducing security measures, then you potentially risk leaving the door open to fraudsters.
The critical challenge therefore is to balance customer usability with customer protection. To maintain an acceptable customer experience, we undertake rigorous testing and research before introducing any new security services. Even so, optimum testing is not always possible when reacting at speed by deploying protection against sudden new threats. That is why constant communication with customers is so vital.
For banks this challenge inevitably increases with the development of new channel environments. As online usage grows, so does the expectation of quick, easy and remotely accessible information. That is what is helping to drive the growth of services such as Facebook, Twitter and LinkedIn.
In this rapidly evolving mobile environment, delivering the right protective solution is just as important as speed to market.
The aim must be to provide a security regime that reflects a mix of essentials – the information being accessed, where it is being accessed from and who is authorised to access it. That inevitably takes time and meticulous planning: changing or upgrading banking systems can be costly and potentially disruptive to customers, so it is important to ensure that any changes are flexible and robust enough for the future.
It is also important to leave no stone unturned in investigating more advanced security solutions. The public key infrastructure (PKI) and 2 Factor Authentication (2FA) we currently use to authenticate personal access, along with a defence in depth approach such as malware detection, continue to be fit for purpose. But we can see that biometrics, for example, offers a route that will have a part to play in future protective regimes.
One of the next areas we are reviewing as part of multiple factor authentication is the inclusion of additional components of personal identification – such as palm scans or iris scans, as well as a password and a token or smart card.
All of this intensifies the need for a security partnership. The important truth is that customers themselves typically won’t demand these measures – they’ll simply expect the banks to provide the solutions and advise them what’s currently needed to maintain a fully secure business environment.
In reality, though, the concept of the security partnership goes even further. As an example, it could also be extended to facilitate customers supporting each other by creating an e-banking business networking community through which those in the same line of business can share and learn further good security practices.
With cyber attacks on the increase, the threats are real; one of the key components for online security protection lies in recognising the shared responsibilities between banks and customers. It is only by working together and adopting a security partnership that the best defence – for both bank and customer – against cyber crime will be achieved.
NOTES: Contains public sector information licensed under the Open Government Licence v1.0.
*Phishing is a fraudulent attempt, usually made through email, to steal your personal information.
**Malware, short for malicious software, is designed to disrupt or deny operation and gather information.
ROB McKERRON is responsible for online banking services within the Wholesale Division for Lloyds Banking Group.