Why Do We Explain Our Banking Cybersecurity Only in General?
Before we start explaining how we handle cybersecurity risks in our products, let us underline one thing: we will discuss most of them in general without mentioning specific tools and technologies. Why?
If we published the specifics of our security measures in digital banking, cybercriminals could use that information to their advantage. Because we prioritize our clients and the security of their data, we do not name particular technologies here. The details of our cybersecurity measures are Ailleron’s intellectual property and are shared only upon request from banks’ security departments.
How Do We Address Cybersecurity in Banking?
To begin with, we need to identify the possible attack vectors against communication tools like LiveBank. These follow from the three actors involved in such communication:
- Bank clients – individuals using online and mobile banking services.
- Banks – institutions providing financial services.
- Communication tool provider – in this case, Ailleron, the provider of LiveBank solution.
With that in mind, we can look at each of these groups separately and discuss how cybersecurity is maintained in different banking situations based on the potential attack vectors. Some measures, such as educating banking clients, are the role of the bank rather than the communication tool provider, and we note these where relevant.
Client Perspective on Online Banking Security: Guidelines for Safe Operations
When it comes to clients and digital channels in banking, education is the key to cybersecurity. This also means that it is the area that depends most on the banking clients and the banks themselves. As a communication tool provider, we can add technical measures (e.g., two-factor authentication) that bolster security, but they only help if the client actually uses them and does not hand over credentials or codes to an attacker.
What needs to be done to secure your bank from the client’s perspective? What do you need to teach the client?
- Using a safe environment – inform the client about the risk of using unsecured internet connections and of exposing sensitive information in places where others can see it. The same goes for verbal communication, e.g., phone calls with your customer service agents.
- Multifactor authentication – while our platform enables multifactor authentication, you must convince (or force) the client to use it for added security.
- Links and attachments – explaining the risks of clicking links or opening attachments from unknown sources is crucial.
- Official websites – finally, you need to raise awareness about using official websites when accessing banking services, as cyber attackers often try to impersonate banking web pages.
LiveBank facilitates communication with potential and existing bank clients while prioritizing data security. After signing a service agreement, the bank remains the owner of the data and we process it only on the bank’s instructions. To meet high banking cybersecurity standards, we employ the following solutions:
- Internet connection limits – our system configuration allows you to restrict access to communication channels to the regions where your bank operates, blocking traffic from regions where you have no customers. Note that geo-blocking is a coarse filter that reduces exposure and noise; an attacker can route traffic through an allowed region, so it complements authentication rather than replacing it.
- EU-based data processing – LiveBank processes data in the EU and is therefore subject to EU data protection requirements, including the GDPR. Most of our data centers are located in Poland.
- Content blurring – users can blur sensitive content in video banking to prevent unauthorized viewing.
- Bank identity integration – we integrate with the bank’s systems so that the client’s already-authenticated context is passed to LiveBank, keeping the interaction tied to a verified identity without exposing credentials to the communication channel.
- Data retention mechanism – LiveBank uses automatic data retention mechanisms tailored to the meeting’s topic, limiting the amount of stored information to enhance security in banking.
- eKYC – we offer secure, remote eKYC solutions and integration with the mObywatel app.
- File scanning – files sent during file exchanges between banking advisors and bank clients are scanned with antivirus software to prevent infections.
- Remote document signing – we support remote document signing by integrating with e-signature systems, keeping the process within a single application.
- Access control – access to client data in LiveBank is restricted following the “need to know” principle and role-based access control (RBAC). The bank’s system administrators manage this.
- 24/7 availability – our communication channels are available around the clock, ensuring clients can access support whenever needed.
Bank Perspective on Digital Banking Security: Implementing Cybersecurity with Ailleron
When banks decide to implement customer engagement platforms like LiveBank, they start by setting specific cybersecurity requirements. These are usually based on internal and legal regulations and mechanisms (e.g., from the Polish Financial Supervision Authority or ISO standards). Ailleron has been addressing such requirements since 2013, when we first implemented LiveBank in mBank. This experience allowed us to adapt to new attack methods and design effective defense mechanisms.
Our first line of online banking security is regular penetration testing conducted by Ailleron… and by our clients. Each bank conducts a security audit of Ailleron and LiveBank after the sale, of which penetration testing is a part, and the findings let us continuously improve our cybersecurity measures.
The key areas analyzed and our implemented solutions include:
Work Environment Security
- We follow strict policies and procedures for handling customer data, including incident response. These guidelines align with standards such as ISO/IEC 27001.
- We ensure our staff undergo relevant training, verifying their competencies through certifications.
- Business continuity planning (BCP) ensures organizational resilience during critical situations.
- We limit access to shared resources within the organization to specific teams and monitor employee activities.
- Data Loss Prevention (DLP) strategies prevent unauthorized data leaks.
- Workstations receive regular security updates.
Product Infrastructure Security
- Access to computing resources is governed by clear procedures. Changes require approval and are logged.
- Strong passwords and MFA are mandatory for all employees.
- Production environments (used for customer interactions) are separated from development and testing environments.
- Each client is deployed as a single tenant, so one bank’s data and configuration are separated from every other bank’s.
- Infrastructure as Code (IaC) minimizes the risk of unwanted infrastructure changes.
- Internal network segmentation exposes to the public internet only the resources bank clients need; all other components remain on internal networks.
- Employee access to backend applications is restricted to the bank’s network, minimizing exposure to public internet threats.
Application Security
- Client data is treated as sensitive, with rigorous access controls.
- Bank employees have roles that restrict their access to client information.
- Access logs are reviewed regularly, and access rights are adjusted accordingly, to limit the risk of data leaks.
- Bank employees can only reach the backend through the bank’s internal network, which keeps the administrative interface off the public internet and reduces exposure to interception and Man-in-the-Middle (MITM) attacks.
- Our applications undergo regular penetration testing as the banking sector requires, leading to continuous security improvements.
- Application logs are anonymized and encrypted to prevent personal data breaches.
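The two controls above that can be shown concretely are the “need to know” role-based access check (described in the client list and again under Application Security) and the anonymized access logging. The following is an added example, not LiveBank code: the role names, resource names, case assignments and the pseudonymization key are all assumptions made for illustration, and the sample access attempts are constructed. It shows a deny-by-default RBAC check, a need-to-know rule that restricts client-scoped resources to agents assigned to that client, and an audit record that carries a keyed HMAC of the identifiers instead of the raw values.

```python
"""Added example: need-to-know RBAC check with a pseudonymized audit log.

Not LiveBank's code. Role names, resources, case assignments and the key
below are assumptions for illustration only.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed role model: deny by default; each role lists the (resource, action)
# pairs it may perform. Client-scoped resources additionally require that the
# agent is assigned to the client's case (the "need to know" rule).
ROLE_PERMISSIONS = {
    "advisor": {("client_profile", "read"), ("conversation", "read"),
                ("conversation", "write")},
    "supervisor": {("client_profile", "read"), ("conversation", "read"),
                   ("audit_log", "read")},
    "auditor": {("audit_log", "read")},
}
CLIENT_SCOPED = {"client_profile", "conversation"}

# Constructed key. In a real deployment this comes from a secrets manager,
# is rotated, and never lives in source control.
LOG_PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonymize(identifier: str, key: bytes = LOG_PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of an identifier, truncated for readability.

    Stable, so records about one client can still be correlated, but not
    reversible without the key. A plain SHA-256 would not do: account and
    agent numbers come from a small space and could be brute-forced by
    anyone who reads the log.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def is_permitted(role: str, resource: str, action: str,
                 agent_cases: set, client_id: str) -> bool:
    """Deny by default; unknown roles and unlisted actions are refused."""
    if (resource, action) not in ROLE_PERMISSIONS.get(role, set()):
        return False
    if resource in CLIENT_SCOPED and client_id not in agent_cases:
        return False  # role allows it, but this agent has no need to know
    return True


def access_client_data(agent_id: str, role: str, agent_cases: set,
                       client_id: str, resource: str, action: str,
                       audit_log: list) -> bool:
    """Enforce the check and append one PII-free audit record.

    Both allowed and denied attempts are logged; denials are what a
    reviewer looks for first.
    """
    allowed = is_permitted(role, resource, action, agent_cases, client_id)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": pseudonymize(agent_id),
        "client": pseudonymize(client_id),
        "resource": resource,
        "action": action,
        "result": "allow" if allowed else "deny",
    })
    return allowed


def audit_log_contains_raw_identifiers(audit_log: list, identifiers) -> bool:
    """Sanity check a reviewer can run: no raw identifier may leak into the log."""
    serialized = json.dumps(audit_log)
    return any(i in serialized for i in identifiers)


if __name__ == "__main__":
    log = []
    # Constructed sample: advisor A-17 is assigned to client C-1001 only.
    print(access_client_data("A-17", "advisor", {"C-1001"}, "C-1001",
                             "client_profile", "read", log))   # True
    print(access_client_data("A-17", "advisor", {"C-1001"}, "C-2002",
                             "client_profile", "read", log))   # False: no need to know
    print(access_client_data("A-17", "advisor", {"C-1001"}, "C-1001",
                             "audit_log", "read", log))        # False: role lacks permission
    print(access_client_data("AUD-1", "auditor", set(), "C-1001",
                             "audit_log", "read", log))        # True
    print(audit_log_contains_raw_identifiers(log, ["A-17", "C-1001", "C-2002"]))  # False
    print(json.dumps(log[0], indent=2))
```

Two caveats a practitioner would add. Strictly speaking, a keyed hash is pseudonymization rather than anonymization: whoever holds the key can re-link records to people, so the key needs the same protection as the client data itself, and a log that must be truly anonymous drops the identifier altogether. And the encryption of the log at rest, which the bullet above also mentions, is a separate control not shown here.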
Provider Perspective: Ailleron’s Commitment to Cybersecurity in Banking
As a provider of digital products for the financial sector, we take data security in digital banking very seriously, meeting both the bank’s requirements and regulatory standards. What practices do we employ?
- Qualified personnel – our staff possess the necessary qualifications and experience in delivering financial solutions, facilitating effective communication with banks.
- Defined management policies – we separate development and client environments, adhering to security-by-design principles.
- Secure Software Development Life Cycle (SDLC) – our CI/CD processes include performance and integration testing, artifact scanning, and static code analysis.
- Post-implementation support – after implementation, we ensure prompt post-sales support, including incident management, in line with pre-defined procedures.
- High Service Level Agreements (SLA) – we offer high availability through monitoring tools and cloud-based banking solutions and services.
- Flexible integration – we integrate with various bank systems (e.g., CRM) to enhance the safety of customer interactions.
- Disaster Recovery (DR) and High Availability (HA) – we provide additional availability and backups across multiple regions depending on service criticality.
Digital Banking Security Measures – The Takeaway
This article covers only a fraction of the cybersecurity measures built into our banking platform. Together, these measures protect the data of the bank’s customers as well as the security of the banks and of Ailleron itself. Cybersecurity is a multifaceted discipline that demands a thorough understanding of the financial sector’s needs and an answer to them on multiple levels, and this is what we work on every day to keep our solutions secure.