Connect with us
Our website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.


Cyber security in banking: Is innovation through improvement the answer?

Cyber security in banking: Is innovation through improvement the answer? 1

By Edwin Bartlett, CEO at Hicomply

The last twenty years have seen a major digital transformation in the banking industry. We’ve moved from solely in-person, high-street banking in the early 2000s to the adoption of almost exclusive digital and online banking. It could be argued that information security was invented by the banking industry: the concepts of bank accounts, unique codes and secure access, even if just through a signature verification, were all about controlling access to people’s information.

However, while the industry’s safeguards were initially ahead of the market, the forces trying to break those safeguards often seem to be ahead of the curve. Banks are having to move a lot faster than they used to – and they also must do strict reporting, in line with guidelines like the Prudential Regulation Authority’s ‘International banks active in the UK: 2022 priorities’ letter to CEOs [1], because of the threat of cyberattacks. 

Increasing cyber threats and the evolving landscape

Security Magazine reported that 76% of customers will defect from using a business if their information is compromised [2]. It’s a startlingly high number, and it’s reflected in the way banks have evolved to think about information security as a way of preventing financial loss. The industry is starting to put risk management plans in place to prevent breaches, protect networks and protect customer data. 


Banking has become much more decentralised in recent years. It’s no longer a landscape solely made up of high street banks: the rise of fintech, challenger banks and other forms of payment are now available. While this offers a variety of options for the consumer, it also presents more of an opportunity for fraud and customer data leaks because there are so many more touchpoints. 

Third parties

Additionally, information is increasingly being exposed by third party breaches e.g. social media accounts where customers use the same email address or password. This naturally exposes banks to an additional level of threat – and addition, many consumers are not proficient at managing security on mobile devices, leading to increased vulnerabilities.

Remote working

The remote element must also be considered: often, challenger banks have many staff working from home (and even four-day work weeks, which is transformative to the sector). We’re no longer talking about a network of branches. Instead, we’re talking about thousands of people working from home, so there are challenges to consider here, too. 


We’re also seeing the rise of different types of currency, such as cryptocurrency. Originally, information security was a concern regarding currency within a country, but it’s now key to consider multiple currencies across borders, increasing the opportunity for threat actors to steal currency in its many forms.

What can the banking sector do to better secure its data?

Traditionally, the physical risks would have been the most significant concern because of the number of branches and people involved. The flipside to this is that we’re seeing new and different types of risk – such as cyber threats – and organisations now need to focus their efforts on digital security. 

There are many technology options to consider when it comes to securing data, but the key approach is an organisation’s security posture and organisational structure. An approach of prevention as well as preparation for any successful threats is key. The approach to security should start with the people in the business – and the first step is to educate and inform employees through policies and procedures, as well as training and engagement. 

For example, ransomware is the biggest information security risk to most businesses today. Ransomware is typically activated when someone clicks a link in a phishing email or downloads an email attachment. Once activated, it can take over a computer or even an entire network. It can also be delivered through security holes and infect a system without any action on the part of a user. Older, unsupported versions of Microsoft Windows are particularly vulnerable to ransomware and malware attacks. 

Organisations should train staff on how to identify a scam email and the signs to look out for, and how to verify the identity of an email sender against the email address used. It’s also important to train staff to consider – before clicking – whether a link or attachment looks legitimate, as attachments can be infected with malware.

The next step is to put in place continuous monitoring of systems and regular auditing. Organisations should undertake regular information security audits of their systems, rules, policies, and risk assessments annually. Frameworks such as ISO 27001 and SOC 2 (US focused) can be put in place to support this, as they require the organisation to build and consistently maintain an information security management system (ISMS). 

Implementing information security management

An ISMS includes several core areas: an asset register, risk assessment and treatment, and policies, procedures and processes that the organisation needs to operate to. Businesses need to identify the assets that could be at risk, for example information assets, physical property, customer data and physical assets. 

To manage this, it’s important to undertake consistent risk assessments. As part of that risk assessment, mitigating tasks and treatments can then be identified. As mentioned previously, working towards ISO 27001 helps here, as the ISO standard provides the framework to work to. 

The steps toward building a functional ISMS in the scope of ISO 27001 look like the below:

  • ISMS scoping – Defining the scope of an ISMS ensures your ISMS suits the business. This will define information the organisation intends to protect, including personal information and data.
  • Asset register – Creating an asset register defines the physical and informational assets the ISMS will protect, such as information, hardware, software and physical assets.
  • Risk assessment and task management – this step enables an organisation to identify risks to its assets and identify treatments to mitigate these risks, including assigning relevant tasks to specific members of staff or the entire organisation.
  • Policy and procedure creation – to ensure the risks are mitigated and the assets are fully protected, the business should create the policies and procedures required for ISO 27001 certification.

Increasing cyber security in banking

New threats to cyber security continue to arise; organisational preparedness is a crucial factor in mitigating the threats and reducing the impact of those threats on a business. Staff training and awareness is hugely important, as so many breaches happen due to human error. 

Equally, implementing an ISMS and working to achieve standards such as ISO 27001 and/or SOC 2, depending on business geography, can help businesses limit the impact of cyber threats and build consumer trust by showing they have achieved internationally recognised standards for information security..



Global Banking and Finance Review Awards Nominations 2022
2022 Awards now open. Click Here to Nominate


Newsletters with Secrets & Analysis. Subscribe Now