Creating awareness is the need of the hour:
Cyber security has two sides, defence and offence. Whatever security precautions an organization may have taken, they may not be sufficient to deal with cyber incidents, since attackers are always one step ahead. If the cooperative banks are not vigilant, it is only a question of time before they face a cyber attack on their systems.
Any strong first line of cyber security requires a significant effort on the part of the management and the board. The board of directors bears full responsibility for adopting and implementing appropriate corporate policies as envisaged by the regulatory authorities. These policies should cover the management responsibilities and the control practices for all areas of information processing activity, so that cyber security is addressed throughout.
It is noticed in banks that, most of the time, instructions issued by the regulatory authorities are routinely passed on to the technology department without any proper study. It is also observed that even where banks have such security policies, they are not implemented in true spirit and are kept only for audit purposes. The management must ensure that the security policies are customized and fine-tuned to suit the individual needs of the bank and are actually implementable.
TRAINING STAFF MEMBERS
A bank may invest in the necessary tools to strengthen its computer systems but may not have the trained manpower to operate them. Security awareness training is required not only for the staff working in the technology department but for all employees, contractors and staff deputed by outsourced vendors. They should be trained in the bank's information systems security policies and procedures, the legal obligations specific to their area of operation, and their own responsibilities. This ensures that all staff members and contractors' staff, who are the first line of defence, are aware of the details and can assist the technology team in safeguarding the assets of the bank.
All personnel, including the management and the board, should also be trained so that they are well aware of the risks and can guide the staff members in times of need. Training is not a one-time exercise; it should be carried out on a continuous basis at regular intervals or whenever any technology-related change happens.
The management should also train the staff members on the incident reporting system and processes, and make them comfortable with it, so that they are willing to report even an insignificant incident noticed in the system. Management support is the most important factor, since it is noticed that staff members, even when they notice an incident, are not willing to report it for lack of support. Internal auditors should also be trained so that they are aware of the processes while auditing and can help the bank take the necessary steps to strengthen the system.
AUDITING & MONITORING
Even though audit is the most important function in a bank for safeguarding its assets, it is observed that this area is given the least importance in most banks. Audits are done in a routine manner, and the reports focus mainly on banking transactions and not on the technology area. The main reason is that the banks do not have auditors who are trained in auditing the IT area.
The most important function of the auditor in a computerized environment is tracking all sensitive transactions as well as changes to master, parameter and static data in an application. Adequate audit trails should be generated and made available at regular intervals, and procedures should be implemented for immediate review of those audit trails by the auditors.
It is observed that most internal auditors are not equipped with the knowledge to suggest defensive as well as offensive mechanisms. Due to this, the banks depend on external auditors, who may or may not have enough working experience. Often the IS policies drafted are not suitable and need fine-tuning to suit the cooperative banks.
Finally, nobody can predict when a cyberattack will happen. However, banks can handle such exigencies better if their staff members are equipped with the knowledge needed to report incidents immediately, so that the damage is minimized.