Financial Sector and Intelligence-Driven Cybersecurity Amidst Digital Revolution in SEA
By Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky
Among the obvious effects of this pandemic is the rapid rise of online payment services and digital banking across Southeast Asia (SEA). Due to various social distancing restrictions, people from across the region now opt to avoid the brick-and-mortar bank branches deemed as a public space where coronavirus may flourish, in turn kicking off the increased use of the physically safer option — e-wallets and mobile payment applications.
It is, however, far beyond surprising. As early as late 2019, before COVID19’s massive effect across SEA, I’ve read an article which revealed that online financial transactions in the region will be a $1 trillion business by 2025 and the digital wallet segment is set to jump fivefold at $114 billion during the same year.
I believe these two key sectors will go far beyond these predicted numbers as we try to minimize human contact for the sake of our physical health. In fact, a latest study noted that 40% of consumers in the region admitted to using e-wallets more than ever, Malaysia is leading the way when it comes to this area. On the other hand, cash is slowly being dethroned as king as lesser people use banknotes to purchase or trade goods and services.
Southeast Asia: fertile land for online payments and e-wallets
What makes the region a fertile land for digital banking and online payment systems is the fact that it houses countries with young population — millennials and Gen Z’s who are not used to physically visiting financial buildings, queuing for a long time to fill up forms with pen and paper, like how the generations before them have done.
Another important factor is that there is still a significant percent of individuals who are unbanked or underbanked, which means those without any bank account or credit statements to begin with. This is particularly true in still emerging countries like Indonesia, Malaysia, Thailand, the Philippines, and Vietnam.
Going back home, here in Singapore, the public and the private sector are also doing an active campaign to improve the online financial literacy of the country’s older population. Several groups are hosting a series of training to drive the 54 and above age group in embracing payment apps and e-wallets. Basing on the recent survey I’ve come across with, the efforts are bearing fruit as the older Singaporeans are now agreeing to use these remote tools and apps to do their monetary transactions.
Financial sector’s digital transformation and growth pains
At the center of this digital revolution is trust. Customers are using e-wallets, mobile banking, and web applications driven by necessity. Now more than ever, they need to trust financial institutions to secure their hard-earned and definitely much-needed money.
Digital transformation, of any sector, always present new challenges, especially for banks and for financial services. To put it simply, revolutionizing banks’ way of doing transactions means overhauling their legacy systems including people, process, and technology.
Humans remain the weakest link. Customers, especially those which are not digitally native, lack the proper awareness about the simplest risks like phishing and spam. Internal employees require new training and third-party services should also be assessed comprehensively.
Processes have to be adapted to the digital world. Data required a sophisticated level of encryption, access and data management should be reviewed and given intelligently, additional security also required additional security budget.
When it comes to security, endpoint should be the foundation and banks should have known this by now. Financial services, as they transform and carry more data behind their back, should be looking at adaptive approach in security which should be proactive rather than reactive – ready before an attack happens.
Banks and e-wallet providers can pilot their way to the future, intelligently
The future may be foggy as different technologies continue to be developed, AI, 5G, Internet of Things, cryptocurrency, name it. But the past offers concrete lessons the financial sector could learn a lot from.
The unfortunate answer to the questions why banks and e-payment service providers should take cybersecurity seriously is the $81M Bangladesh Bank Heist which rocked the world in 2016. This incident which started with a spear-phishing email clicked by an unsuspected employee ended up costing a lot of professional, reputational, and financial losses.
Based on our telemetry, financial phishing is still being used rampantly with our solutions blocking more than 40 million financial-related fraudulent emails just from January to May of this year.
The cybercriminal group responsible for this incident, based on pieces of evidence gathered by our researchers as well as other investigators, is the infamous Lazarus group. It is the same cybercrime group responsible for the Sony Pictures attack in 2014 and even the Wannacry ransomware attack in 2017.
Our very own Research and Development Team at Kaspersky which we call GreAT (Global Research and Analysis Team) has been monitoring Lazarus group closely for years. Through this intelligence, we can detect the possible tactics, techniques, and procedures (TTPs) they may use suppose they try to get into an enterprise’s or an organization’s system. We can block them, analyze, and alert the team on which TTPs to look out for based on the previous behavior of this actor. This is how critical threat intelligence is. It can supply enterprises with the essential data needed for you to combat future cyberattacks against your organization.
At Kaspersky, we deliver threat intelligence in different forms but with one aim — to give enterprises and organizations a 360-degree view of the current threat landscape. For instance, our Threat Data Feeds provides actionable data, saving your IT workforce’s time spent dealing with false flags. We also have Financial Threat Intelligence Reporting which is specifically made for the financial sector, focusing on the threats and tools cybercriminals are using or selling to target banks, payment processing companies, ATMs and POS systems.
Threat intelligence, however, is just one part of a proactive approach to cybersecurity. Again, it’s people, process, and technology. Proper and effective training for all employees should be done regularly. Awareness matters as the biggest cyberattacks usually start with a simple human error.
Given the evolving nature of cyber threats that are expected to become more sophisticated, it is also important that financial institutions have the necessary tools that can help track threats that can evade regular endpoint solutions, even before they hit you. For example, solutions such as Kaspersky Anti-Targeted Attack can help you pre-empt what is out there and how it can affect you before such an attack commences.
We are at the middle of a digital revolution and the use of online payment gateways and e-wallets are certainly here to stay and even increase. While it is a huge responsibility for banks and financial service providers to secure their virtual systems, I am certain they can pilot their way to the future as long as they build their cyber defenses intelligently.