For Australia’s financial sector, digital trust is the new currency

As adoption of banking apps grows, so does pressure to increase the range of capabilities the apps support, which has security ramifications.

Mobile app-based banking continues to find favour with Australians: more than two-thirds now use a mobile banking app or smartphone to do their banking, and it offers the highest customer satisfaction rating of any banking channel, averaging an 89.4% rating by customers of the ‘Big Four’.

As digital and self-service have been embraced by consumers, particularly in the form of increased use of apps, there’s inevitably pressure to build on that foundation.

A review of the apps of the five major Australian banks mid last year found customers wanted to see more capabilities and functionality added to the apps, particularly around money movement and management to improve financial wellbeing.

Some of these capabilities are being added in via third-party developed plugins created by fintechs, while other banks and credit unions are seeking to code these capabilities and features directly into the apps themselves.

Whichever app expansion strategy is pursued, a key concern will be that the additional functionality brings with it additional security risks. The larger the range of functions that the app can perform, the greater the amount of data it is likely to be handling.

All of these functions combine to create a broad potential attack surface for threat actors, who may view an ever-expanding banking app as a target that continues to increase in value.

Good security provides the confidence to expand apps

In a recent Deloitte survey, building digital trust was rated as the most important business strategy for success by financial institutions in the Asia-Pacific.

One of the top five benefits that cybersecurity investments had in this area was providing “confidence to try new things”, the survey found.

This means that at least in some banks, there’s a direct link between security and app capability growth; if a bank or credit union lacks confidence in their setup, they are less likely to try new things that could increase their security risk or exposure.

Banks and credit unions alike are acutely aware of their critical infrastructure role in Australia, and of the impact that a breach could have on customer confidence and goodwill. The critical nature of banking apps is often on display if they suffer downtime or degraded performance. Customer sentiment can turn quickly if they suddenly cannot perform critical tasks such as contactless payments at a supermarket register. And to be clear: these incidents aren’t often security-related. A security-related impact could prove catastrophic, particularly from an erosion of digital trust perspective, let alone what exposures individual customers could have.

Fortunately, credit unions and banking institutions tend to take a very proactive, best-practice approach to cybersecurity, and this extends to the oversight of their apps.

Many, for example, have focused on upskilling the defensive capabilities of their development teams. Without this education and verification, a lack of expertise may lead to teams taking shortcuts and/or lapsing into human errors, which could trigger configuration issues and code-level vulnerabilities.

Importantly for banks, these vulnerabilities could raise risk thresholds to a point that’s incompatible with, or in breach of, their regulatory requirements. Stringent regulations – including the Payment Card Industry Data Security Standard (PCI-DSS), the EU’s General Data Protection Regulation (GDPR) and additional global and national initiatives exist to address issues such as insecure data storage, insufficient authentication/authorisation, poor code quality and code tampering.

These standards create and drive vigilance among risk teams. In their pursuit of app expansion and increased customer satisfaction scores, it is important that developers or customer experience teams do not do anything that would undermine this vigilance and risk position.

Growing role-based security upskilling and awareness

To lay the foundations to proceed with banking app expansion with confidence, a holistic, people-driven security program is beneficial for creating the right mindset and foundational skills base.

A program that takes a dynamic approach based upon real-life threat management scenarios – as opposed to a static learning approach – will gain the most traction quickly. This can include the leveraging of motivational tools, such as rewards for successful “wins” and skills acquired.

Security learning pathways should also be available to everyone with a stake in the bank’s customer success. Developers are just one part of the ecosystem. Other parts of the organisation such as application security (AppSec) professionals and senior management also have key stakes in securing digital experiences and building digital trust. Executives, in particular, need to understand that security is not a “set it and forget it” discipline. A combination of tools and training is the most effective way to maintain the currency of security knowledge and best practices.

A positive security program focused on role-based education and awareness can lead to increased security engagement across the entire organisation, establishing the bank as “security-first.” From that position, unconstrained innovation can safely follow.

Written by Pieter Danhieux, CEO and Co-founder, Secure Code Warrior. Source: