V Murali Krishna Rao, Chief Information Security Officer, Andhra Bank, speaks with Arpit Gupta of Elets News Network (ENN) on the concept of enabling mobile/internet banking to initiate the notion of financial inclusion.
As a CISO of a renowned bank like Andhra Bank, what are your roles and responsibilities?
In all the industries, for some time, IT was implemented with drastic speed. Later, in every organisation, it was realised that security and IT must move hand in hand, not hand by hand. As per the Gopala Krishna Committee recommendations (RBI), CISOs are appointed/designated in banks and other institutions. A major turn in the above process is that the CISO will report to the Risk Management Department headed by the Chief Risk Officer, not to the Chief Information Officer, i.e. the head of IT. The CISO will review the security requirements, its assessment, implementation for achieving the set objectives in information security angle. The CISO is responsible for giving assurance to top management and stakeholders about the organisation’s security posture and providing feedback up to the board level.
IT today is one of the quintessential aspects taken up and adopted in almost every field of operation, needless to say, banking adopted it to the highest concern. How do you perceive IT in banking in the years to come?
Due to the technology leveraging, the brick and mortar banking is being done away with in some pockets. Technology has provided the customers with convenience banking – any time banking (ATM) and anywhere banking (Internet / mobile banking) across the globe. In the days to come, mobile banking – banking through mobile sets – will occupy the major space in the banking environment – due to the penetration of the mobile phones into the masses and its easy usage. However, it throws challenges of secure banking. Multi-factor authentication – user ID, password, one time password or biometric authentication etc. are used to secure banking and safeguard the customers’ interest.
As a matter of principle, banks will never ask the customers to disclose their credentials like account number, card number, user id and passwords etc., over phone or any other means. However, of late, the theft of customer credentials, through phishing or vishing, is observed whereby the funds of the customers are withdrawn by the unscrupulous persons. In this regard, customer education and awareness play an important role in understanding the technology and associated risks.
How well do you think that Tier II and III cities have adopted IT in banking sector in the recent times? Is this factor a challenge to the development in the banking sector?
The new technological initiatives taken up at Tier II and III cities improved the infrastructure, technology, network facilities etc., enabled banks to adopt IT through core banking solutions with 100 per cent branch computerisation including rural and semi-urban branches. With this, all the new electronic banking channels i.e. ATMs, cash deposit machines, internet banking, mobile banking, wallet banking etc. are available for Tier II and III cities also, which enabled electronic banking penetration into the rural India on a large scale, which again throws challenges for secure banking.
Hence, there is an imperative need for customer education and awareness of the technology and its associated risks.
What according to you are the major security and risk management concerns for a banking institution today?
Cyber security and social engineering are two major security and risk management concerns for the banking industry. Industry level and bank level security measures are taken to protect its environment from cyber-attacks. It has been a continuous effort of the Industry to alert and enlighten the customers against social engineering activities like phishing and vishing.
Mobile banking and internet banking have emerged to be the two most used technologies in the banking sector, though they have their own risks at the same time. What measures do you have to counter them to enhance banking security?
In the backdrop of banking security concerns, we have ensured implementation of secured sites, multi-factor authentication – user ID, password, One-Time Password (OTP) through registered mobile, verified by Visa security etc. Banks are contemplating usage of biometric authentication also to enhance banking security for the customers.
As a bank you can educate your customers, but they have to take certain steps to protect themselves. How well are your online customers protecting themselves from the threats that you see in the marketplace?
It is the primary responsibility of the customers to take precaution not to become prey to the online fraudsters. The customers should not disclose or part with the credentials like Card No, CVV, Expiry Date, User id / Password, OTP etc. We have been implementing multi-factor authentication and sending One Time Password to the registered mobile. We have been continuously creating customer awareness by way of SMS alerts, email and brochure etc.
Please share with us any security enhancement plans and measures in pipeline from your institution.
The bank has already initiated steps for protecting its data and updating the security posture in tune with the technological enhancements and industry’s best practices.