The Digital Banking Club’s latest debate focused on the topic of progressive security. Clayton Locke said that financial institutions must go beyond perimeter defences to deploy new technologies smart enough to defeat current and emerging threats, keep their data safe and protect their customers. Patrick Brusnahan reports

The Digital Banking Club’s first debate of 2015 was held at the prestigious Law Society on Chancery Lane before a packed room of over 120 attendees. According to Intelligent Environments, 87% of customers would change provider if they thought the security of their digital banking application wasn’t good enough, and 65% of consumers want to see their current provider deploy more security measures, so this side of financial services is clearly non-negotiable.

Chaired by Douglas Blakey, group editor of Timetric’s consumer finance titles and Chairman of The Digital Banking Club, the debate covered many aspects of this theme, including security vs. usability, the evolving nature of cyber-crime, the consumer as a possible weak link and financial services’ attempts to improve security on all sides.

Clayton Locke, CTO of Intelligent Environments, opened the debate with the point that banks must move beyond an all-or-nothing authentication perimeter. What was needed, he argued, was a continuous assessment of risk.

He said: "In the past, security and usability were often viewed as mutually exclusive. Now we are compelled to move beyond that way of thinking – we need more of both.

"Progressive security holds the promise of banking applications that tailor the balance between usability and security dynamically for each user, in the user’s context, in real time.


"The information stored in our systems has significant value and the criminals trying to steal it are technically sophisticated and well organised. Increasing the height of the wall won’t help if there are holes in it. Attackers don’t have to break through the perimeter if they can trick a user into letting them in. Despite years of end-user education, people continue to pick dreadful passwords and fall prey to simple phishing attacks. The weakest point in most security systems is the human element.

"Banks and financial services companies must go beyond perimeter defences to deploy new technologies smart enough to defeat current and emerging threats, keep their data safe and protect their customers. By focusing only on the perimeter, the user experience takes a hit."

Michael Soppitt, director of digital risk and information security at Parker Fitzgerald, agreed and added that perimeter-based defences don’t work because digital changes the nature of the risks themselves. He said that the ‘economics of crime have changed forever’.

Locke added that progressive security could be the answer, but only if the software was malleable, such as being able to work in real time and not as a static rule. One example he gave was that certain banks deem it unacceptable to show something as simple as a bank balance without logging in.

The security issue is a serious one. Despite there being more security tools than ever, cyber-crime has shown no sign of halting in the financial sector. Online fraud increased by 71% in 2014. In 2013, 62% of records stolen in online data breaches were credit and debit card data.

The last 12 months saw a 50% increase in the number of declared data breaches and 7 of the 10 worst data breaches of all time, including one attack on JPMorgan Chase, according to the Breach Index Level. Shockingly, over 500 million financial records were stolen in 2014.

Peter Neufeld, UK & EMEIA head of digital advisory at EY, believed that consumer education was critical in security otherwise ‘some policies would do more to irritate customers than protect them’.

Consumers’ role in their own security was an interesting point. Orna Joseph, head of cyber communications (serious and organised crime) at the Office for Security and Counter Terrorism in the Home Office, said that her work involves bringing ‘responsibility back to the individual’.

Shashidhar Bhat, head of digital products EMEA at Citibank Consumer, argued that ‘the customer is the weakest link’ in the security process. However, he added that there’s a ‘definite answer’ to this problem, but the situation is improving. Soppitt suggested that one possible answer was ‘organisations doing more so the customer has to do less’ and that ‘consumer education is absolutely key’.

Of all the possible solutions offered, one that was shot down fairly quickly was biometrics. Soppitt suggested that ‘biometrics have merely reduced friction’ and nothing else, while Bhat said that ‘biometrics are weaker than passwords’ but they were ‘one brick in the solution to this challenge’.

Bhat stated that ‘from a banking perspective, we are making significant investments in progressive security’. Soppitt shot back and said: "From a consumer perspective, they are yet to see this expenditure affect them."

Locke brought up the debate of usability vs. security and whether the two terms were actually mutually exclusive. Bhat believed that ‘usability is a way to keep the good users happy’.

Locke added: "Traditionally, security and usability have been viewed as opposing priorities that need to be traded off against each other; users want freedom of access, security demands checkpoints and controls.

"However, there is a growing body of thought that suggests this is wrong. Security that sacrifices usability is not secure in practice. It’s no coincidence that two of the most pressing problems keeping corporate IT up at night – phishing and poor passwords – are problems caused in large part by poor usability. Passwords require us to create and remember large and random strings of characters; something humans find difficult and uncomfortable, so we don’t do it. To succeed in improving security outcomes, any new approach to security must embrace usability."

Another point of discussion was whether a financial institution’s level of security could be used as a differentiator in the marketplace. Bhat believed that security should not be treated as a competitive advantage and that if a bank claimed to have better security, it was just an invitation for hackers to attack. In fact, if banks did start competing on this issue, it could be a ‘race to the bottom’.

Soppitt argued that while security itself was not a differentiator, security being ‘not a product, but a process’, the security experience is in fact a differentiator and banks should home in on that.

Locke said that there needed to be a ‘standard for progressive security across the entire industry’. He said: "The industry must resist the temptation to make security a point of differentiation. We should share best practice and work together to gather intelligence that helps all players in the industry identify threats to banking services."

Joseph concurred and thought that a ‘neutral brand’ would help with the security debate.

Locke added: "Progressive security seeks to establish a user’s degree of trustworthiness and makes applications more nuanced and analogue. Users are no longer trusted or untrusted in a single binary decision. Security and credential requirements can be dialled up or down depending upon context and risk assessment.

"To support that concept, the application’s interface has to become malleable. It must be able to change in real-time to support a range of different countermeasures such as different authentication factors, alerts and warnings or restricted access."
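The dial-up/dial-down idea Locke describes, with assurance requirements derived from context rather than a single login gate, is easiest to see as a small policy engine. The following is an added illustration, not code from the debate, from Intelligent Environments or from any panellist; the signal names, weights, thresholds and the three actions are constructed assumptions, and a real deployment would tune them from its own fraud data.

```python
"""Toy progressive-security policy engine (added example, constructed values)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance a session currently holds, or that an action requires."""
    NONE = 0       # recognised device only, nothing entered
    PASSWORD = 1   # something the user knows
    STRONG = 2     # password plus a second factor
    VERIFIED = 3   # strong, plus out-of-band confirmation of this action


@dataclass(frozen=True)
class Context:
    device_known: bool
    geo_matches_history: bool
    ip_flagged: bool            # constructed signal, e.g. a threat-intel hit
    session_assurance: Assurance
    action: str                 # one of BASE_REQUIREMENT's keys
    amount: float = 0.0
    new_payee: bool = False


# Assurance each action needs before any context is taken into account.
# "view_balance" at NONE is the "balance before log in" case from the debate.
BASE_REQUIREMENT = {
    "view_balance": Assurance.NONE,
    "view_transactions": Assurance.PASSWORD,
    "payment": Assurance.STRONG,
}

# Risk score bands: each band lifts the required assurance, the top band denies.
PASSWORD_AT, STRONG_AT, VERIFIED_AT, DENY_AT = 25, 50, 80, 100


def risk_factors(ctx: Context) -> list[tuple[str, int]]:
    """Contributing signals with their weights, kept so decisions can be audited."""
    factors = []
    if not ctx.device_known:
        factors.append(("unknown_device", 30))
    if not ctx.geo_matches_history:
        factors.append(("unusual_location", 25))
    if ctx.ip_flagged:
        factors.append(("flagged_ip", 50))
    if ctx.action == "payment":
        if ctx.new_payee:
            factors.append(("new_payee", 25))
        if ctx.amount >= 1000:
            factors.append(("high_value", 25))
    return factors


def risk_score(ctx: Context) -> int:
    return sum(weight for _, weight in risk_factors(ctx))


def required_assurance(ctx: Context) -> Assurance:
    """Start from the action's base level and dial it up according to risk."""
    level = BASE_REQUIREMENT[ctx.action]
    score = risk_score(ctx)
    if score >= VERIFIED_AT:
        level = max(level, Assurance.VERIFIED)
    elif score >= STRONG_AT:
        level = max(level, Assurance.STRONG)
    elif score >= PASSWORD_AT:
        level = max(level, Assurance.PASSWORD)
    return level


def decide(ctx: Context) -> tuple[str, Assurance]:
    """Return (outcome, assurance needed); outcome is allow, step_up or deny."""
    if risk_score(ctx) >= DENY_AT:
        return "deny", Assurance.VERIFIED
    needed = required_assurance(ctx)
    if ctx.session_assurance >= needed:
        return "allow", needed
    return "step_up", needed


if __name__ == "__main__":
    # Constructed sessions: a trusted device peeking at a balance, the same
    # peek from an unknown device, and a high-value payment to a new payee.
    samples = [
        Context(True, True, False, Assurance.NONE, "view_balance"),
        Context(False, True, False, Assurance.NONE, "view_balance"),
        Context(False, True, False, Assurance.STRONG, "payment", 1500.0, True),
    ]
    for ctx in samples:
        outcome, needed = decide(ctx)
        names = [name for name, _ in risk_factors(ctx)]
        print(f"{ctx.action:13} -> {outcome:8} need={needed.name:9} factors={names}")
```

The point of returning the factor list alongside the decision is that a step-up or denial can be explained to the customer and to the fraud team, which is what makes such a policy tunable rather than a black box; the same structure also lets the low-risk "balance without login" path coexist with a hard step-up for a payment from an unrecognised device.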

Could banks help each other out security-wise by sharing information? Neufeld felt that ‘there’s already a lot of sharing in the industry’, but Locke put forward the argument that ‘there needs to be more information sharing about cyber-threats’.

He continued: "Cooperation requires a common language and collective understanding of the threats and risk. Today, there are many basic security questions that banks don’t agree on, from acceptable PIN length to balance before log in.

"This causes confusion for customers who are not in a position to judge what is secure. A practical way forward is the creation of a reference standard for progressive security. This standard could build upon CBEST, ISO27001 and BSI to become a reference for financial services firms seeking to build better security into their infrastructures."

One thing that the panel did agree on was that no security will ever be 100% effective. There will always be cybercrime. On this subject, Soppitt quipped: "The only way to avoid fraud is to not sell anything."

Locke concluded: "Customers are making faster and more frequent contact with their banks and getting more used to devices with excellent standards of design and usability. They expect the highest standards of protection and demand a fast, seamless experience unhindered by awkward security protocols. In the past, security and usability were often viewed as mutually exclusive. Now we are compelled to move beyond that way of thinking: we need more of both."

The Panellists
Shashidhar Bhat, head of digital products EMEA Consumer, Citibank
Shashidhar is head for Citibank Consumer in EMEA for all digital products, a role in which he champions the roadmap for digital channels. He has worked in operations, sales and extensively in digital in many geographies across the globe.
Shashidhar has a passion for improving digital engagement and enhancing the customer experience.

Peter Neufeld, UK & EMEIA head of digital advisory, EY
Peter is EY’s UK & EMEIA head of digital advisory within the financial services practice and has, over the last 20 years, provided strategic insight, creative thinking and reliable technology to some of the world’s most successful financial services businesses.

During his career, Peter has helped organisations to build digital capabilities through to maturity and steered award-winning digital experiences, programmes and solutions for Global Fortune 100 brands. He led the digital function for a Global Fortune 100 company for EMEA, delivering significant digital transformation programmes to clients in the financial services industry, and he developed and oversaw the multi-year digital end-to-end transformation of a major UK retailer.

Orna Joseph, head of cyber communications (serious and organised crime), Office for Security and Counter Terrorism, Home Office
Orna is a communications professional who has worked in central Government for the past five years raising the public’s and SMEs’ awareness of fraud and cyber-crime prevention. She currently runs HM Government’s ‘Be Cyber Streetwise’ campaign, a cross-government initiative funded by the Cabinet Office’s National Cyber Security Programme that aims to improve the public’s cyber hygiene by encouraging them to adopt basic good online behaviours.

Previously, Orna spent over seven years in the law enforcement world as PR Manager for City of London Police, where she advised on media communications and delivered awareness campaigns for the force on fraud and other security issues. Her background before joining City Police was in charity communications.

Michael Soppitt, director of digital risk and information security, Parker Fitzgerald
Michael is a director within Parker Fitzgerald’s digital risk and information security practice focusing on the design and implementation of market leading capabilities to support clients throughout each stage of their digital transformations. He has over 10 years’ experience delivering major architecture and business process initiatives at leading financial institutions and consultancies including Santander, Co-operative Financial Services, Accenture, Lloyds Banking Group and American Express.

He has helped develop the firm’s approach to cyber security, credit decisioning, fraud detection and digital risk and is a recognised expert in the field of digital risk, lecturing on MSc courses at Warwick University.

Michael holds an MSc in Human Centred Computer Systems, a BSc in Neuroscience from University of Sussex and is a published academic in the field of digital research.

Clayton Locke, CTO, Intelligent Environments
Clayton joined Intelligent Environments in 2012, taking charge of the company’s technology team. He brings over 30 years’ experience in the software development and consulting industry. He has delivered innovative products and solutions to clients in the financial services and telecommunications sectors, including online banking, FX trading, enterprise architecture and mobile application development.

Clayton is responsible for technology strategy, development and delivery of the Intelligent Environments product suite. He does this passionately, leveraging a lean software development approach to build high quality software products for the company’s solid base of blue chip clients.