Cyber crooks lurk in dark as bank staff work from home

MUMBAI: Indian banks and financial services companies are facing unprecedented challenges to maintain requisite cybersecurity protocols in line with regulatory expectations as employees continued their second week of working from home to protect themselves from the Covid-19 outbreak, leaving these companies more vulnerable to external attacks and breaches.
Cybersecurity experts warn that the ongoing situation has made cybercriminals more active as they are increasingly targeting both the bank employees with malware attacks, and the unwitting customers using digital channels with scam messages, to defraud them and gain remote access to secure networks.

“While most banks have business continuity plans in place, such protocols have never been tested at this scale in India or globally,” said Tarun Bhatia, managing director, Kroll India – a cybersecurity firm. “The proportion of people working remotely far exceeds anything envisaged while developing these protocols.”

These protocols may include banks employees using only registered devices such as laptops and tablets through secure private networks or VPNs as directed by the banks. However, the full-scale implementation of these directives especially among the non-tech savvy employees may represent a challenge for the financial services sector, experts said.

Malware attacks disguised as “sensationalized Covid-19 news or charity pleas” are also on the rise, experts told ET, with criminals targeting both employees and bank customers.



Fraudsters are circulating malware links to fake coronavirus applications like Spymax, Corona live 1.1 among others to steal confidential data from customer devices, Ministry of Home Affairs warned in a tweet on Tuesday. "Sometimes cybercriminals are also taking advantage of rising coronavirus concern for collecting charity," MHA said. "Be aware and check the credentials of charity fund before donating money."

Challenges are also emanating on how some critical and sensitive data are being treated by employees across the board, according to experts at the interface between technology and compliance.

“One important aspect is data backup. From what I know - many of the banks do not provide laptops to entry level employees. So they may use their own systems or laptops at home and in such cases some of the documents are saved locally on these systems such as a PDF file or word document, so that is also one hurdle from the legal and compliance perspective”, said Krupesh Bhat, Founder and CEO of Bengaluru-based LegalDesk.com.

Other provision that banks would seek to improve would be security related to the privilege of access given to employees in work-from-home setups. Security of access to banks' internal networks would have to be updated at various junctures, according to cyber security experts, and just regular password protection may no longer be good enough to prevent data theft.

"Providing secure remote access also requires regular, proactive auditing of access privileges, which are likely to change substantially from day-to-day or week-to-week in the near future... These requirements make conventional identity management based on user IDs and passwords fairly impractical in this context, as they do not cater to constantly changing credentials and access rights,” said Rohan Vaidya, Director of Sales, CyberArk India said.

"Limiting user access to only the information and tools needed to perform their immediate role, an attacker’s route to critical data and assets can be contained," he said.

With the work from home directive placed on an indefinite basis by the government, these problems would need quick fixes even as most leading banks and regulatory authorities have established business continuity plans and protocols in place.

“We allow our employees to work only through VPNs and encrypted laptops where MAC addresses are registered,” said a private sector banker requesting anonymity. “For example, the private network can accommodate 50 devices which are enough at a particular time to run essential services.”

Some banks are also making use of cloud-based platforms and end point technology solutions partnering both with IT companies and nimble fintech partners that provide remote access services and virtual workplaces bundled with video-conferencing services.

“The challenge is massive for the banking system. However, as the bigger banks develop these protocols along with their respective vendors, it establishes a precedent for hundreds of smaller players to follow at scale,” said another stakeholder, not wishing to be named.