BFSI Case Study

Intro:

Since the turn of the century, banks have rapidly adopted newer technologies and digital channels keeping in mind their objectives for increased revenues, footprints and customer preference. Our client, one of the biggest companies in the BFSI sector in Asia, knows better than anyone the requisition for advanced technologies to provide customers with the latest features and technologies to enhance their banking experience.

Challenges

The current trend of advanced technologies, growth of digital payments platforms, and the global push towards a cashless economy had encouraged our client to integrate newer and more advanced technologies into their platforms. This has brought forward greater cyber challenges and newer cyber threats.

• Unlike the other sectors, the BFSI sector is targeted more exceedingly by APT Groups (Advanced Persistent Threat Groups) and other state-sponsored attackers for the nature of information possessed like financial records, social security numbers, passport numbers, and other valuable PII data. Our client is more than familiar with such adversaries causing havoc to their many platforms and networks causing disruption to their operations.
• The client identified one of the more prevalent issues they face – transaction fraud. It was identified that this was mainly due to the many third-party integrations implemented to provide a better experience to their customers. They noticed that these integrations were poorly implemented into the platforms. This was due to the short amount of time is given to developers to fully implement the service from concept to rollout.
• Poor implementations and the lack of clearly set guidelines for information sharing between the client and third-party services have seen the risk of information leakage rise astronomically along with authorization issues which are being actively leveraged by external parties for malicious purposes.

The client had seen the rise of compliance regulations due to the many breaches seen recently in the industry. All these mandatory regulatory obligations require in-depth checks that sometimes could lead to disruptions of work and sometimes even a complete halt of operations. There was also the issue of legacy platforms that are still being used which are not built with current regulations in mind, thus making it worse for the client to pass the checks.

To keep up with current trends, the client has seen the need to continually invest in R&D of latest technologies. However, the cyber threat landscape is evolving at an even greater pace than anticipated. That of which has led to being hit with next-generation ransomware, worms, and other attacks which lead to major financial losses.

Solutions

Understanding all the challenges specific to the client has helped us understand their unique needs to properly protect their assets and avoid data breaches where sensitive information and valuable PII data of their customers are leaked to the world.

Keeping all that in mind, the client had turned to WeSecureApp for solutions. To tackle all the challenges, we at WeSecureApp did a deep-dive analysis to create a plan which keeps all the business and technical needs of the client in mind. We understood that they would need a sophisticated and elegant cyber risk management strategy which they could apply and perfect while not overwhelming their capable but shorthanded IT staff.

Our team devised a plan to tackle the problem from the source, which we identified was in the development life cycle of the applications. Our team worked along with the client’s development team early in the development phase of their new applications. We dissected the application and educated the developers about security practices that had to be enforced during development to protect applications. Our sophisticated automation toolkit was deployed in-house by the client that performed dependency check, secure code review, and application VAPT that helped them roll out applications that were secure and airtight in a relatively short period of time from initiation to production.

While ensuring that applications security was a priority, they also had to prepare for situations where APT Groups (Advanced Persistent Threat Groups), who have no restrictions to time or resources, could plan an approach with a singular goal of comprising their infrastructure. So to prepare for such advanced threats we had to devise an offensive approach having the same goals of APT Groups and find any and all avenues of approach for compromise to achieve those goals. The WeSecureApp team planned to simulate Red Team Engagement on the client’s infrastructure every quarter so that they could adapt and evolve their security practices to better handle the evolving cyber threat ecosystem.

Also, the client decided to keep with the current trend in mind by moving their data to cloud-based services from the previous physical storages. This provided them with the flexibility to run their own operations, saving them time, space, hassle and lots of money. There are many such companies in the market that provide such elegant solutions like AWS, Oracle Cloud, Dropbox, and Kamatera. Even with such elegant solutions, there is always the issue of security. The issues range from data breaches, insider threat, Malware, abuse of cloud services, Denial of Service (DDoS) attacks and many more. Even though most of these services advertise security as a guarantee, there are no guarantees when it comes to cybersecurity. So when our client decided to migrate to cloud services, we did a comprehensive review where we tested all scenarios of abuse so that they aren’t vulnerable to any such threats mentioned.

With all the solutions provided by the WeSecureApp team, the client was protected from cyber threats and had primary mandate reached without compromising on technological advancements in their applications.

Now it’s your turn to schedule a demo with WeSecureApp – Talk to Our Delivery Head