Poor Information Security Rampant Among Indian Banks

Jay Decenella, IT audit expert
May 09, 2011

As IT security regulations are driving data privacy and security in India, most banks seem to lag behind their global counterparts in terms of adopting information security measures, according to a joint study.

The State of Data Security and Privacy in the Indian Banking Industry, a survey carried out by accounting firm KPMG and the Data Security Council of India (DSCI), reveals that investments in information security in Indian banks are driven by the Information Technology Amendment Act of 2008 (ITAA 2008) and the Reserve Bank of India’s (RBI).

Kamlesh Bajaj, CEO of DSCI, noted that even if online banking in India makes up only 40% of all transactions, it represents more than 70% of the total transacted volumes.

However, the DSCI-KPMG banking security study finds that the majority of Indian banks have not adopted even basic information security measures.

The findings parallel the result of a study conducted by Deloitte in Kenya in which system improvements adopted by banks in the country were shown to be futile as fraudsters were able to funnel larger amounts in 2010 than they did in the previous year.

On the other hand, while 100% of respondents to KPMG’s survey say they monitor new threats and vulnerabilities as part of their banking security initiatives, only 27% report holding Payment Card Industry Data Security Standard (PCI DSS) certification, the standard for firms handling cardholder information.

Of the surveyed banks, 77% generate card records in plain text at their merchants’ point-of-sale terminals, and 70% do not encrypt the databases that store customer information.

Security practices around the storage and printing of authorization information such as the card verification value (CVV) and card expiry date, and around the masking of the primary account number (PAN), do not conform to internationally accepted standards, the report said.
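The two findings above (card data in plain text at the point of sale, and PANs and CVVs handled outside the standard) are exactly what a defender would look for in a log or database audit. The following is an added illustrative check, not code from the report, KPMG, DSCI or any bank: it Luhn-validates digit runs to find unmasked PANs in constructed sample log lines, masks a PAN to the first six and last four digits (the display limit PCI DSS permits), and flags stored records that still carry sensitive authentication data such as the CVV. The log lines, field names and card numbers are constructed test data (4111111111111111 is a widely used Visa test number).

```python
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. Timestamps and reference numbers can
# still collide, so every candidate is Luhn-checked before being reported.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that PCI DSS forbids storing after
# authorization. The expiry date is cardholder data, not SAD, so it is not
# flagged here; it must still be protected when stored.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits (PCI DSS display limit)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> List[str]:
    """Return full PANs found in text (Luhn-valid, 13-19 digits), unmasked."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(log_text: str) -> List[Tuple[int, str]]:
    """Scan log lines; report (line number, masked PAN) for each full PAN seen."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pan in find_unmasked_pans(line):
            hits.append((lineno, mask_pan(pan)))   # never re-emit the full PAN
    return hits


def check_stored_record(record: Dict[str, str]) -> List[str]:
    """Return PCI DSS storage findings for one stored card record (hypothetical schema)."""
    findings = []
    for key in record:
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            findings.append(f"sensitive authentication data stored: {key}")
    if find_unmasked_pans(record.get("pan", "")):
        findings.append("PAN stored unmasked")
    return findings


# Constructed sample POS log: line 1 leaks a full PAN and a CVV, line 2 is
# correctly masked, line 3 carries a 16-digit reference that fails Luhn.
SAMPLE_LOG = """2011-05-09 10:12:01 POS-17 auth ok pan=4111111111111111 exp=0513 cvv=123
2011-05-09 10:12:05 POS-17 auth ok pan=411111******1111 exp=0513
2011-05-09 10:13:44 POS-22 ref 1234567890123456 declined"""

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN present ({masked})")
    record = {"pan": "4111111111111111", "exp": "0513", "cvv": "123"}
    for finding in check_stored_record(record):
        print("record:", finding)
```

The scanner reports only the masked form of anything it finds, so the audit output does not itself become a second copy of the cardholder data; the Luhn filter keeps ordinary 13-19 digit reference numbers from drowning the report.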

Furthermore, the study finds that 75% of the surveyed banks consider external threats a critical factor driving their security efforts. These threats include cyber crimes that seek either to siphon off funds or to steal identities.

As for the privacy issues emerging in India, the country’s banking industry shows little urgency in addressing them: almost 80% of Indian banks do not have a separate privacy team.

According to the study, Indian banks perceive information security as an IT-centric function, which results in a lack of coordination with fraud management; half of the respondents handle fraud management with a separate team.

In turn, the separation of the fraud management functions has created a “significant gap” in the banks’ efforts to stem security breaches.

Customer awareness and associated direct or indirect financial loss are also said to be the current drivers of data privacy issues in India.

The majority of respondents believe that end users’ lack of awareness of privacy and card security is their toughest hurdle, alongside external threats originating from insecure customer endpoints.

These respondents believe that the sheer scale of cyberspace, rather than poor technical skills or difficulties in implementing security measures, is what exposes them to organized threats.

KPMG and DSCI advise IT professionals to focus on proactive information security mechanisms like threat modeling and innovation instead of complying with dormant international standards.
