Published by Jessica Weisman-Pitts
Posted on February 15, 2022
6 min readLast updated: February 9, 2026
Add as preferred source on Google
By Edwin Bartlett, CEO at Hicomply
The last twenty years have seen a major digital transformation in the banking industry. We’ve moved from solely in-person, high-street banking in the early 2000s to the adoption of almost exclusive digital and online banking. It could be argued that information security was invented by the banking industry: the concepts of bank accounts, unique codes and secure access, even if just through a signature verification, were all about controlling access to people’s information.
However, while the industry’s safeguards were initially ahead of the market, the forces trying to break those safeguards often seem to be ahead of the curve. Banks are having to move a lot faster than they used to – and they also must do strict reporting, in line with guidelines like the Prudential Regulation Authority’s ‘International banks active in the UK: 2022 priorities’ letter to CEOs [1], because of the threat of cyberattacks.
Security Magazine reported that 76% of customers will defect from using a business if their information is compromised [2]. It’s a startlingly high number, and it’s reflected in the way banks have evolved to think about information security as a way of preventing financial loss. The industry is starting to put risk management plans in place to prevent breaches, protect networks and protect customer data.
Banking has become much more decentralised in recent years. It’s no longer a landscape solely made up of high street banks: the rise of fintech, challenger banks and other forms of payment are now available. While this offers a variety of options for the consumer, it also presents more of an opportunity for fraud and customer data leaks because there are so many more touchpoints.
Additionally, information is increasingly being exposed by third party breaches e.g. social media accounts where customers use the same email address or password. This naturally exposes banks to an additional level of threat – and addition, many consumers are not proficient at managing security on mobile devices, leading to increased vulnerabilities.
The remote element must also be considered: often, challenger banks have many staff working from home (and even four-day work weeks, which is transformative to the sector). We’re no longer talking about a network of branches. Instead, we’re talking about thousands of people working from home, so there are challenges to consider here, too.
Cryptocurrency
We’re also seeing the rise of different types of currency, such as cryptocurrency. Originally, information security was a concern regarding currency within a country, but it’s now key to consider multiple currencies across borders, increasing the opportunity for threat actors to steal currency in its many forms.
Traditionally, the physical risks would have been the most significant concern because of the number of branches and people involved. The flipside to this is that we’re seeing new and different types of risk – such as cyber threats – and organisations now need to focus their efforts on digital security.
There are many technology options to consider when it comes to securing data, but the key approach is an organisation’s security posture and organisational structure. An approach of prevention as well as preparation for any successful threats is key. The approach to security should start with the people in the business – and the first step is to educate and inform employees through policies and procedures, as well as training and engagement.
For example, ransomware is the biggest information security risk to most businesses today. Ransomware is typically activated when someone clicks a link in a phishing email or downloads an email attachment. Once activated, it can take over a computer or even an entire network. It can also be delivered through security holes and infect a system without any action on the part of a user. Older, unsupported versions of Microsoft Windows are particularly vulnerable to ransomware and malware attacks.
Organisations should train staff on how to identify a scam email and the signs to look out for, and how to verify the identity of an email sender against the email address used. It’s also important to train staff to consider – before clicking – whether a link or attachment looks legitimate, as attachments can be infected with malware.
The next step is to put in place continuous monitoring of systems and regular auditing. Organisations should undertake regular information security audits of their systems, rules, policies, and risk assessments annually. Frameworks such as ISO 27001 and SOC 2 (US focused) can be put in place to support this, as they require the organisation to build and consistently maintain an information security management system (ISMS).
An ISMS includes several core areas: an asset register, risk assessment and treatment, and policies, procedures and processes that the organisation needs to operate to. Businesses need to identify the assets that could be at risk, for example information assets, physical property, customer data and physical assets.
To manage this, it’s important to undertake consistent risk assessments. As part of that risk assessment, mitigating tasks and treatments can then be identified. As mentioned previously, working towards ISO 27001 helps here, as the ISO standard provides the framework to work to.
The steps toward building a functional ISMS in the scope of ISO 27001 look like the below:
New threats to cyber security continue to arise; organisational preparedness is a crucial factor in mitigating the threats and reducing the impact of those threats on a business. Staff training and awareness is hugely important, as so many breaches happen due to human error.
Equally, implementing an ISMS and working to achieve standards such as ISO 27001 and/or SOC 2, depending on business geography, can help businesses limit the impact of cyber threats and build consumer trust by showing they have achieved internationally recognised standards for information security..
[1] https://hicomply.com/how-iso-27001-can-help-banks-establish-operational-resilience/
Cybersecurity refers to the practice of protecting systems, networks, and programs from digital attacks, which aim to access, change, or destroy sensitive information.
Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings, including financial, operational, and reputational risks.
Digital banking refers to the digitization of all traditional banking activities, allowing customers to conduct financial transactions online or through mobile apps.
An ISMS is a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability through risk management and compliance.
Explore more articles in the Banking category
