Open APIs, Digital Banking and Hybrid Work — How TM One Protects its Clients from Cyber Threats
September 21, 2022
The pandemic accelerated digitalisation to levels never before seen, forcing the financial sector to evolve quickly or risk being left behind. In addition to pivoting to a remote workforce, the financial sector also embraced digital banking and open application programming interfaces (APIs) in a race to compete with upstart fintechs.
TM One, the enterprise and government sector arm of Telekom Malaysia Berhad (TM), was on hand to help its clients in the financial sector with its Zero Trust Network Access (ZTNA) concept, which TM One calls Secure Access Service Edge (SASE, pronounced “sassy”), to quickly secure their business environments while still achieving optimal speed-to-market for their digital banking products.
When the pandemic hit, many major financial institutions had to quickly pivot to enable their people to work remotely and securely. TM One responded with its SASE offerings for two main components: Internet Access and Organisation Assets.
Ts. (Technologist) Dr. Saiyid Syahir Al-Edrus, General Manager of Cybersecurity Services at TM One, and his team are overseeing TM One’s efforts in real time.
“Firstly, employees need secure internet access. Typically, when users browse the internet they are exposed to threat vectors. A cybersecurity solution protects employees by connecting all user traffic via a micro tunnel that goes into the SASE enforcement node or cloud proxy. Secondly, we secured employee access while using organisation assets such as SAP, Salesforce, and emails via secure remote access.
“Our cybersecurity solutions deployment is often quicker than other providers, because TM One does not need to deploy devices. All we need to do is push an agent into the customers’ laptops. The agent forwards traffic to the closest edge services, connecting users to the internet, a SaaS application, or an internal application through the appropriate zero trust service.
“This agent is also intelligent enough to determine when a user wants to access any cloud application, for instance. So it will route users automatically based on that HTTP request. All IT activities are secured via a secure tunnel, which is encrypted and encapsulated.”
Balancing digital banking growth and security concerns
Financial institutions are now launching a myriad of mobile apps dedicated to stock broking, wealth management, insurance services and other financial services to capture new markets and revenue. Their security practices need to evolve quickly enough to keep up with these new digital offerings. The observed gap is mainly due to the lack of security planning at the development stage, said Saiyid. Too often, security comes as an afterthought, or is the last piece of the product puzzle pre-launch.
TM One is on a mission to educate more clients on the need to involve security right from the beginning of the product development process with DevSecOps.
“DevSecOps oversees security measures and how clients should secure all their applications or any new digital development. From the start of the app development process, DevSecOps will look at multiple security perspectives: What sort of app are we launching? Will it be hosted in the cloud or on premise? And, once released to market, how should the app be secured from being tampered with?”
“Typically, you download an app from a marketplace, not the developer’s website. However, when an app or a patch is still pending launch from the official source, a malicious attacker can hijack the app by releasing a fraudulent version first. Anyone visiting the app marketplace will mistake the fake app for the real thing.”
“Even after the app has already been released by the official source, it can still be tampered with using malicious code. This code or virus is capable of stealing user data or hijacking the data that users key in.”
“Typically, a financial services app cannot be published if you do not remediate any non-compliance findings or gaps. This will further delay the release of the app or product. This creates a bit of friction between a business’s market growth aspirations and compliance with certain regulations. If clients only try to secure the environment at the end of the production process, it will just delay their launch further,” Saiyid remarked.
TM One provides Professional Services that consult and advise financial institutions about DevSecOps throughout the product development process. This includes conducting Vulnerability Assessment and Penetration Testing (VAPT) and security code assessments, through which the cybersecurity team roots out bugs and corrects app syntax that can unwittingly enable errors or bugs that hackers then take advantage of.
“We’ve seen instances where the app works fine, but certain non-best practices in the code stream open it up to abuse or breach and increase product susceptibility to hacking and SQL injections,” Saiyid warned.
Besides that, TM One also secures the app infrastructure through cloud-hosted apps, with one of TM One’s solutions including setting up Web Application Firewalls (WAF), either as a dedicated solution or as WAF as a Service.
Cybersecurity needs to be both proactive and reactive
Because of their massive monetary and brand value, financial institutions are among the groups most targeted by Advanced Persistent Threats (APTs), which are groups of hackers, backed by certain organisations, that keep attacking certain entities or individuals.
TM One is committed to protecting its clients both before and after APT attacks.
“TM One’s Digital Risk Protection services (DRP) include threat intelligence. We scour the public web, the deep web, and the dark web for certain keywords such as the company or brand name or even the name of key personnel linked to a financial institution. If there is chatter about organising an attack, we can quickly inform the customer to back up and monitor certain assets. If a client already outsources monitoring to TM One, we will do it ourselves. That’s the prevention part.
“However, despite an enterprise’s best efforts, APTs can still breach their environment. That’s why our DRP services also include mitigation or takedown services. If client data has been breached or shared on the internet, we initiate a takedown service by collaborating with our international pool of partners to reach out to the malicious attacker or whoever has shared the sensitive data. We force them to take down the sensitive data from being published, on threat of legal action. That’s the mitigation part,” Saiyid explained.
For financial institutions, brand value lies chiefly in customer trust in their services. Securing those services requires both proactive and reactive cybersecurity measures. At TM One, cybersecurity is a continuous, evolving effort that is both proactive against possible threats and reactive with quick-acting and widespread mitigation efforts.