An Interview with Scott Wall, Chief Information Officer, BankVic
"The legislation of open banking is a huge investment for all banks and is both a major boon for consumers and a potential cybercrime bonanza. Phishing detection or prevention and identity verification will become hugely important, but the willingness of consumers to believe offers that are too good to be true, click on links, and not be sufficiently aware of potential scams means that pure technology solutions can only go so far."
FST Media: What do you rate as the most pressing cybersecurity threat facing financial services today?
Wall: The increasing sophistication and professionalism of cybercriminals, when combined with artificial intelligence (AI)/machine learning (ML) technologies, I feel poses the biggest threat. No longer are phishing emails written in broken English and obviously fake; now they look and read like the real thing and can easily fool all but the most observant.
Another concern is the rising sophistication of social engineering and the strategies employed by criminals to plan and execute well-thought-out omnichannel attacks to breach our defences. Now throw AI and ML technologies into the mix and we face attacks that have better information (harvested from social media, malware, and behavioural analysis) and can run 24/7 across multiple channels, as they are run by intelligent bots.
FST Media: How will the 'threatscape' evolve in the latter half of 2019?
Wall: I believe the biggest evolving threat is the loss of identity security. More and more, people’s personal identifying data is being made public, which makes identity theft easier for criminals. Combining this with the data that people freely publish on social media increasingly makes sophisticated social engineering easier and our job harder, even for simply verifying someone’s identity.
FST Media: Fingerprint and facial authentication scanners, once only in the realm of Sci-Fi, have become mainstays of customer banking apps today. How do you predict biometric technologies will evolve to meet the challenges of tomorrow's banking practices?
Wall: Biometrics is the ‘holy grail’. If every interaction is verified by a finger-face-voice print, then we will see a dramatic reduction in fraud. To see how effective this could be, consider the rise in CNP (card not present) fraud facing the industry and then look at what Apple Pay is doing using the iPhone finger-face print reader to confirm identity when making online purchases – combine this with tokenisation of cards and we could see the complete abolition of CNP fraud. What if your ATM/POS machine could verify your face against the image held by your card issuer? What if your card had an embedded fingerprint reader?
However, the challenge in realising this is threefold: getting consumers to use biometrics; collecting/validating the biometric data (i.e. ensuring that biometric associated with an identity is correct); and, most significantly, integrating these technologies with existing infrastructure and the rollout of new devices.
FST Media: There is considerable hype around open banking and APIs to radically transform the industry, particularly for the benefit of customers; yet, the security implications of their implementation are often underappreciated. What impact do you foresee these technologies having on FSIs’ cybersecurity agenda?
Wall: The legislation of open banking is a huge investment for all banks and is both a major boon for consumers and a potential cybercrime bonanza. Phishing detection or prevention and identity verification will become hugely important, but the willingness of consumers to believe offers that are too good to be true, click on links, and not be sufficiently aware of potential scams means that pure technology solutions can only go so far. Education of our customers, industry collaboration, strong operating processes, and governance are all required to mitigate the risks posed by open banking and to ensure consumers do not lose faith and can take advantage of the benefits.
APIs are so important in integrating and developing the products and services that customers want but, equally, they open a new attack vector for cybercriminals. If careful thought is not given to their development, management, and monitoring, we just offer a high-speed route for brute force attacks on our infrastructure and still have the same identity verification issues.
FST Media: Friend or foe, fintechs appear here to stay. How can partnering with fintechs benefit traditional banks and how effective are these alliances in advancing innovation in cybersecurity?
Wall: Fintechs are more agile and less constrained by legacy issues than most banks and can take a ‘fail fast’ approach – trying many solutions until they find one that works well and gains market acceptance.
Given many cybersecurity solutions will require access to real-world data, and all will require customers, fintech companies will need to partner with traditional banks to turn their good ideas into products and successful businesses.
Equally, banks can take advantage of these new products by forming partnerships to develop them and provide the customer numbers to make such products commercially viable and sustainable.
FST Media: As a digital leader, how would you like to see BankVic’s technology infrastructure evolve to meet the challenges of a fast-changing cybersecurity landscape?
Wall: BankVic is very focused on information management as a key component of building infrastructure that can mitigate the future threats of cybercrime. If we have strong data risk management, ownership, and custodianship of our data, then we have a baseline defence that is not dependent on understanding or defending against the latest malware, attack vector, zero-day exploit, or social engineering attack.
We will combine this with the education of our employees and customers, deployment of best practice information security technology tools and processes, and usage of AI/ML to detect anomalous activities and events.
FST Media: A coordinated plan of action is critical to any defensive effort. How important is cross-organisational strategising, executed in-house, in mitigating cybersecurity risks?
Wall: In-house strategising is important to raise awareness across the organisation; this is not something that IT alone must solve, but a problem that must be owned and addressed by all departments. The attack vectors, training, and responses vary across business units and therefore we need to have tailored solutions for defence which require those who understand those departments to be thinking about cybersecurity.
FST Media: Moving forward, what emerging technology would you like to see play a more prominent role in the industry?
Wall: AI/ML offers the best opportunity to get ahead of cybercriminals. But as with all technology, it also offers the criminals a huge opportunity. Combining AI/ML with data sharing and collaboration across institutions will give us the best chance of detecting and preventing existing and emerging threats.
FST Media: You'll soon be making a highly anticipated appearance at the 2019 Future of Security conference in April. Why are such events important for the financial services industry?
Wall: Security and cybersecurity are industry-impacting issues and it is to the benefit of everyone – both working within the industry and our customers – that we share information and best practices to improve our ability to reduce what is fast becoming the biggest threat to our business. To this end, the FST Future of Security conference is an important opportunity to see what products are in the market and to listen to peers’ experiences.
FST Media: And finally, on a personal note, what do you do to ensure a healthy work/life balance?
Wall: I try to ensure that when I am not in the office I do not work or spend time worrying about work issues. I would rather get to work early or work late and not take the work home with me. The ability to segregate my work from my personal life ensures that I have time to unwind and come back to work refreshed; it also means my family gets my undivided attention when I am at home.
Scott Wall will be a featured panellist at the 2019 Future of Security event in Melbourne on 4 April. Places are limited. Register now to secure your spot.
-- With contributions from Patrick Buncsi