As we are witnessing rapid advancements in the field of Information Technology (IT), it is becoming more of a necessity for institutions who particularly engage in the field of financial services to utilize systems which use open networks as characterized by the internet.
Vulnerabilities of a Bank’s Information System
In today’s world cyber-security holds a critical place in every business. However for banking organizations the need for cyber security is almost necessary. Financial institutions are the place where important data are stored which in the wrong hands can be siphoned off to be used for the purpose of indulging in fraud or various other criminal activities. It is absolutely imperative that we identify the vulnerabilities of a bank’s information system so as to provide it with a heightened security system. The vulnerabilities of a bank’s information system are:
- Improper system/network design – Most banks in current times fall victim to an under developed system with faulty network designs. Attackers often try to exploit these systems to inflict massive damages on financial institutions.
- Programming errors, weak or inadequate physical/logical access controls – Most computer systems of a financial organization are mired with programming errors which later prove to be fatal. The computer systems of financial institutions are mostly have weak or inadequate access controls which makes it easier for attackers to gain access to the bank’s networking infrastructure.
- Absence of or poorly designed procedural controls – Financial institutions and banks have computer systems which lacks procedural controls and even the one that have procedural controls are victims of poorly designed procedural controls. It is one of the major issues that plagues the systems of the banks.
- Lack of back up/contingency procedures – It is imperative that computer systems in banks and financial organizations have suitable back up procedures to move valuable data in case of an attack. The computer system of most banks and financial organizations lack the provision for a decent back up or contingency procedure.
- Ineffective employee supervision, and management controls – Even if a suitable cyber-security infrastructure is in place, it is of paramount importance to ensure optimum employee supervision and management controls. Without such measures there is always a risk of succumbing to attacks due to individual errors.
- Lack of awareness among employees etc. – Most employees in the banking sector and financial institutions lack the awareness that is needed to securely run a financial organization. This mostly results in individual mistakes that allow cyber attackers to capitalize on. Banks and financial organizations mostly suffer from the mistakes of employees who exhibit a lack of awareness regarding cyber security.
Threats to a Bank’s Cyber Security
Attacking financial organization prove to be a major source of profit for cyber-criminals as a result of which attacking banks and financial organizations continue to be a very prospective front for cyber criminals. Cyber attackers operate in a wide spectrum where they use financial malwares that attack online banking, to attacks against ATMs and fraudulent interbank transactions. Some of the biggest threats to a bank’s cyber-security are as follows:
- Mobile Banking Risks
- Social Networks and Web 2.0
- Malware, Trojan, Botnets, and DDoS Attacks
- Phishing
- ACH Fraud: Corporate Account Takeover
- Inside Attacks
- First-Party Fraud
- Skimming
- Unencrypted Data
- Third Party Services that aren’t Secure
- Spoofing
- Data Breaches
What is IS or IT Audit and how will it help?
Process of IS and IT Audit – To conduct an IS or IT Audit, the first requires evidence to be collected. Upon collecting the evidence, it is evaluated. This collection and evaluation process is done so as to determine whether assets are being provided with ample security by a computer system. Furthermore, this process also enables to find out if data integrity is being maintained and if the computer system is capable of allowing the organization to achieve its goals in an effective way. One of the most important benefit of this process is that is helps to determine if the use of resources are optimum and efficient. So in short it can be said that IS or IT Audit is “the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently.”
Objective of IS and IT Audit – The main and sole objective of conducting an IT or IS audit is to find out if a bank’s computerized information system (CIS) returns outputs which are not only timely but also accurate, complete and reliable. The evaluation of the CIS is done also to be aware of the fact if it is capable of ensuring confidentiality of data, maintaining integrity of data. IS and IT audits are also responsible for finding out if the reliability and availability of the data. One of the main reasons banks and financial institutions conduct and IS and IT audit is to find out if their data is in compliance with the relevant legal requirements and regulation. One of the major responsibilities of IT auditors is to carry out an evaluation of the internal controls in computer systems and to determine if they are adequate enough to mitigate the risk of loss which is mainly caused due to attacks which renders the system to be unavailable. However, it must be noted that audit objectives change with respect to the nature or the category of audit.