says Vicky Shah, founder of the security firm The Eagle Eye, and
banks need to start proactively educating their employees and
customers to prevent cyber threats from persisting.
Banks should work on improving awareness of the different
threats that currently exist, including e-mail
fraud, phishing and malware.
"Banks need to work on how to have effective customer awareness
programs as far as cyber fraud and banking fraud are concerned,"
Shah says in an interview with BankInfoSecurity.com's Tom Field
[transcript below].
The technology currently in place, as well as the infrastructure, is
fairly secure, Shah says. Financial institutions need to make sure
they are addressing security concerns and following the guidance
that's already out there.
A notification was sent out a few months back by the Reserve Bank
of India stating that every bank needs a mandatory CISO position
to be accountable for the risks. Other standards, such as one-time
passwords, have helped to protect Indian banks and their
customers.
In an exclusive interview about cybercrime in India, Shah
discusses:
His new book, "Are You Protected?";
TOM FIELD: To start with, why don't you tell me a little bit about
yourself and your experience in both information security and
cybercrime?
VICKY SHAH: I've been working in the information security domain
for over seven years now. In terms of educational qualifications I'm
a master of computer applications, having two diplomas in IT and
cyber laws. I was a forensic examiner from 2009-2010 and a lead
auditor in ISO 27001. I'm also preparing for my CFE, certified
foreign examiner. It's been a great experience that started seven
to ten years back with NASSCOM. NASSCOM is India's IT industry
association. My primary job was to create law enforcement
agencies with the association of cybercrime techniques. I grew into
an administrator and management role in about two years. Lastly,
when I left I was part of DSCI, which is the Data Security Council of
India, an initiative by NASSCOM which is a self-regulatory
organization and was instrumental in setting up the same. Also, I
have had a chance to work with the IT industry, the regulators and
compliance authorities. Now with my firm, The Eagle Eye, I'm
working with various privacy industries comprised of insurance,
banks, loan departments and police agencies.
In terms of experience in cybercrime, I've been fortunate to work
in several cases. We provide technical assistance to law
enforcement agencies in India, because here now law enforcement
is capable of investigating these cases. Five years back that was a
different scenario. We basically help companies in considering and
it's for everybody who uses technology because there are many
definitions and explanations that are very confusing.
For example, people are always confused with hacking and a
denial-of-service, because both, in terms of concept, are the same
as far as the secure access is concerned. This handbook attempts
to clear misconceptions and provide a business understanding
with India being the focus. It also helps people outside of India
who want to do business in India as to what are the rules, laws in
India and what are the governing rules which would be applicable
to them if they are using any IT in India, IT infrastructure or setting
up new IT infrastructure in India.
It's a handbook which aims to build awareness about cybercrimes.
And there are about 54 types of cybercrimes which I have
particularly mentioned in my book, which is an FAQ and question-and-answer format, with the crime definition, example, the rich IT
law it falls under and what the punishments specific for it are. It's
more of an intellectual book. It has no context of various cyber
cells across India, whom to contact, what to do, how to report the
crime or how to protect and prevent one from being a victim.
Usually IT users are victims of various offenses, mostly
unknowingly due to the lack of awareness or due to intentional or
unintentional crimes which are committed by the Internet or
actual people. To summarize, the threat to the Internet is
unpredictable, but it's still manageable. This book aims to give
answers.
people are collecting and handling the information of customers they are the biggest challenge. That's why I keep on saying human
behavior is the biggest risk in security, specifically in bank security.
In a nutshell, the banks need to work on how to have effective
customer awareness programs as far as cyber fraud and banking
fraud are concerned in order to reduce this thing.
FIELD: What would you say are some of the specific risks to both
the consumers as well as the corporate customers of the banks?
SHAH: Consumers always want a secure environment, a peace of
mind kind of feeling. Suppose a customer wants to do some
transaction online, he or she wants their systems secure, their
data not known to others and their finances safe. But at the same
time their security and responsibility is in their hands. No bank can
provide a facility. They are just a facilitator to provide you a service.
They can't guarantee you 100 percent security in terms of the
password laws or ignorance of the user.
From the corporate perspective of corporate customers, their risks
are more to do with the sales and the websites. And in terms of
the consumer it's more individualistic where they're concerned
about their accounts and the financial part of it. There are two
different perspectives here. For the consumers' it's more about
individual requirement, protection of data, theft and hacking of
their accounts. Whereas corporate customers would be more
worried about the larger spectrum of the said brand reputation,
which could be lost with the risk.
gap. But the amendments have given new scope, ideas and
thought processes. Earlier they were very vague in terms of
actually what to do and how to go about it, but now the new law
after the amendment is fairly good.
Also, I would like to highlight that ignorance of law is not
acceptable. Most of the IT users do not know the many useful
provisions which are there. It also applies to corporate. They're just
focusing more on the infrastructure and not on the other aspects
which the law provides. With India most challenges come in
developing criminal law procedures, because the context of crimes
that involve the internet or the computer are different. A lot of
technologically associated challenges are changing and faced with
new challenges. In a nutshell, the laws are fairly there. We have
good company laws. The IT Act, corporate affairs and the company
laws are there, so things are stable.