While the increasing adoption of security technology has seen a marked reduction in the volume of manpower required for banking and financial institution security, it would seem that the optimum choice would be a combination of the best of both domains. Hi-Tech Security Solutions chats to industry specialists about the security mix, cybercrime and the onslaught of artificial intelligence (AI).
Franz Kersten, at surveillance camera manufacturers, Panasonic, points out that previously, security guards commonly patrolled set routes on client premises, hopefully identifying and alerting management to risks or threats. However, this role has been diminished due to the deployment of surveillance cameras which allow one to have one operator in a room viewing multiple sites simultaneously, without the need for feet on the ground, unless an incident demands this.
An added benefit to this remote monitoring is that it is no longer necessary to place unarmed Grade C guards in high-risk areas where the possibility of attack is high. Deployment of armed reaction teams is activated only when the entire risk has been assessed on camera.
“From a practical perspective, the cameras eliminate any situational identification issues that could occur where a guard has limited or damaged vision. Financially speaking, clients can now move from an operational cost model to a capital expenditure model, with all cameras being linked to an SLA which defines a set maintenance plan.”
Colleague Gert Janzen adds that the backend of systems enabled with video analytics and facial detection is showing a marked improvement and therefore the dependence on manpower can be reduced as many of their functions are being replaced by embedded intelligence in security systems.
Integration remains the key
It must be highlighted that technology or manpower in isolation are never the solution, says Kersten. “They simply have to work in synergy to make security measures sustainable. Migrating to an automatic system with surveillance as an active tool rather than just passive add-on is highly beneficial, but these benefits need to be communicated to the end-user.
“System integrators need to be creative when applying solutions, as this is not a paint-by-numbers scenario. It is important to carefully and methodically investigate client needs then match these to available technology, considering features and inter-system (surveillance, T&A and access control) integration.”
Ian Downie, of managed security services company, Xone, says that security technology is becoming smarter, to the extent that devices can inform users when things are working or out of service and can also automate processes. An example he cites is the replacement of the security guard at a high-risk restricted area entrance with an airlock procedure that requires electronic verification and passwords.
“IoT allows for technology to be smart enough to perform people’s functions whereas systems were previously much more limited. As a result, this automation becomes more reliable and objective, since it is easy to verify if processes are being carried out effectively, thereby reducing dependence on the human element,” he explains.
A centralised command and control environment, with integrated devices and that allows for the minimum amount of manpower necessary to comply with requisite processes, needs to be put in place. Integrated devices could include access control, visitor management, restricted area monitoring, cash handling facilities, money safety and the response to emergency alarms and notifications.
Integrating manpower and technology
According to Gus Brecher from video management systems developers, Cathexis, one can improve the effectiveness or efficiency of the manpower being deployed by adding technology to the equation.
“However, the reduction of manpower should not be the driving factor in the addition of technology. Ultimately, you should be aiming for a more effective security solution, with minimal errors, the ability to extract business intelligence out of the system if possible and, when there is a security incident, the security team must be able to react efficiently and effectively in the correct manner. The solution may, and often does, result in a reduction in manpower.”
Using video analytics allows one to trigger events intelligently and to initiate automated responses in the control room, thereby removing reliance on operators to make decisions. One also needs to consider the benefits that modern technology can bring to organisations beyond security. For example, people-counting within a banking hall or at an ATM can alert management to the fact that on certain days or at certain times, more staff or resources may be needed to ensure customer satisfaction. Another example is the flagging of VIP customers via facial recognition systems, whereby the system will alert management to the presence of the VIP in the building and enable the provision of improved service levels.
The virtual threat
Cybercrime is a real, global threat, with all IoT devices being a potential gateway into high-risk or sensitive areas. Kersten suggests that in addition to a firewall or VPN with security policies in place, one should consider encryption on two levels: SSL (closed) or proprietary, with one’s own data encryption; on the second tier an end-to-end solution in partnership with a recognised endpoint protection provider, using security certificates embedded in one’s hardware and software. In this way, one eliminates the opportunity for hackers to access user ports or interfaces.
“Panasonic uses two levels of data encryption: our own SSL, which is more secure than the more commonly known open SSL. The second level is a partnership between Panasonic and Symantec. This partnership adds a further layer of encryption and data protection and adds to the credibility of cyber-security embedded in the Panasonic i-PRO cameras,” says Kersten.
Downie cautions that there is a significant amount of legislation around cybersecurity which highlights the need for organisations to have the necessary preventative measures in place to effectively reduce the risk.
“It is important to remember that there are specific regulations around information privacy such as the PoPI Act. The measures therefore need to be at the cutting edge, while simultaneously respecting the privacy of individuals. The implementation of a centralised restricted data vault, run by a data control officer, is becoming more relevant. Staff across the board should be educated to be cautious about how they deal with emails, specifically where they are privy to privileged information.”
Strict protocols in terms of email passwords, other passwords and what emails can and cannot be accessed, should be a given. Similarly, firewalls and anti-virus software need to be vigorously maintained and scrutinised.
Policies and procedures
Brecher raises an interesting point: All the technology in the world won’t help if one does not have adequate security management procedures and processes in place. This is particularly relevant to both the security of access to data and the security of the data itself. He advises using encrypted communication channels and, when archiving data, the use of encryption keys. Cathexis personally uses dual RSA-1024 keys for signing data and an optional AES 128 blocking encryption with randomised generated passwords. In addition, archived video footage can only be played with proprietary Cathexis software.
“It is critical that end-users consider the PoPI Act and its implications when videotaping people and using this data. We are now instituting a process whereby there is automatic watermarking and overlay of video footage with a password required to view it in order to ensure that footage is not accidentally or deliberately leaked into the public domain,” says Brecher.
In a nutshell, he continues, the weak points are the peripheral devices such as cameras, with some of the less reputable brands providing backdoor entry. Intelligent network switches, controlling physical access to systems, and insistence on passwords all add up to a more secure cyber environment.
Getting the smarts
There has been a lot of talk about artificial intelligence (AI) and the pace of technology development is nothing short of astounding. Kersten believes that it is however, still in its early stages. “Ultimately, many organisations want their systems to learn and start taking over the functions of the human operator through deep learning and AI. AI is attractive to many as it does not have human characteristics and idiosyncrasies, such as fatigue and the skipping of critical details, and is therefore perceived as being more reliable and objective than its human counterpart.”
He points out that AI is not just limited to surveillance systems. Rather, diverse systems will start sharing information with each other, with AI being spread over many devices. Janzen adds that we all need to pay more attention to big data to help us to implement solutions and grow the features on cameras. The ideal, he says, is the consolidation of a big data company with a traditional security company, to provide a proactive approach to security solutions.
Downie says that as AI becomes more sophisticated, it provides one with the ability to quickly identify events that are not the norm and allows for monitoring of a scenario which can be acted on appropriately. As examples, he cites the monitoring of people entering restricted areas, unusual or unnatural behaviour, loitering, and objects left in restricted places. “As deep learning progresses, the system’s abilities become more refined and there will be a related reduction of necessary manpower. We see this in certain high-end manufacturing plants where robotics have advanced to a point where they almost run the plant operations.”
Brecher believes that the term ‘AI’ is currently being overused, but that it is, nevertheless, a reality. AI is being used to automate information-gathering in order to make informed decisions without necessarily having human intervention. Learning algorithms are therefore being posited as the solution in establishing norms in an environment and systems can generate alarms around what is considered abnormal. However, humans will still need to validate these alarms.
“AI can therefore reduce reliance on humans making decisions, but it will not in the foreseeable future replace the need for manpower. From an operational perspective, we can use AI to see what trends are prevalent, for example, that there are more people in a banking hall or retail environment on a Saturday and one therefore needs more tellers or security people at that time. AI would also enable one to discover incidents faster. One could also use it to undertake post processing of video footage. Cathexis uses three advanced search algorithms that process method data from cameras to analyse movement. This type of intelligence adds to both the effectiveness and efficiency of the system and reduces the time needed to search for a specific person on a video.”
Securing your digital identity
Schalk Nolte, CEO, Entersekt, comments on the security issues we face as the finance sector embraces the digital world.
As our world becomes more digitised, the information we want to keep private is increasingly at risk, and yet no-one wants that information protected by cumbersome security measures which do not fit in with our pace of living. The stage is now set for the large-scale adoption of super-convenient biometric technology, especially on mobile devices.
Different forms of biometric security have already begun working their way into the banking and payments industries; among these are face, fingerprint, iris, palm, vein and voi.
Everyone with a stake in digital banking and security has been tracking the rapid developments in biometrics, and debating the technology’s usefulness in the battle against cybercrime. There is little doubt that biometrics will play an important role in securing mobile services, particularly when viewed from the perspective of user convenience.
However, it is also fair to point out that biometrics can place enterprises and their customers at risk if deployed as the sole means of user identification and transaction authentication.
To effectively secure high-risk transactions, banks and other financial service providers need a strong base layer of security. An example is Entersekt’s Transakt platform where biometrics can be added via a plug-in, for increased risk levels or improved user experience.
Unlike usernames and passwords, which we can change at will, there is only one set of biometric data. If this falls into hackers’ hands, it is of no use for authentication purposes. The consensus amongst industry experts, such as the FIDO Alliance, is that we must limit the exposure of our private biometric data by not sharing it. Instead, we should keep it locked down on our personal devices.
There’s an app for that (of course)
We have recently launched a new digital commerce enablement tool called Connekt. The tool allows financial institutions to turn on new mobile payment services within their existing banking apps quickly and cost-effectively.
It works regardless of the underlying technology, payment endpoint, or merchant network involved. Card networks like Visa and Mastercard have developed new technologies to both enable and protect online consumers making cashless payments.
Innovations like tokenisation, app-to-app payments, 3D Secure, and mobile wallets – together with technologies like QR (scan to pay) and NFC (tap to pay) – make the number of payment options banks must consider and respond to overwhelming.
Connekt’s key advantage is that the bank’s mobile users will enjoy the same user experience for initiating and authenticating e-commerce transactions as for banking. There is no need for the consumer to download a profusion of mobile payments applications; they can access all the different services through a single trusted point – their branded banking app.