Arab Banks: Rising to the Security Challenge

Today, many of the region's banks have underlying technology systems that can match or outstrip their international peers and have cashed in on the lack of technology legacy to do so. While western banks wishing to go aggressively on line may face the problem of harmonizing existing technology infrastructures with those of the future, many regional banks had only manual back office operations and hence have been able to adopt world class technology systems from the outset without having to upgrade existing networks or infrastructure.

But the speed of the automation process - some 20% of local banks already have full transactional e-banking services and many more are developing them -- has brought with it fears and concerns about the level of associated security and the extent to which Arab banks are aware of the security implications of going online. Just recently the storm blew up in the Saudi market after a local IT consulting firm suggested that the country's domestic banks were less than secure. The news hit the UK's Financial Times which cited the consultant as suggesting Saudi banks were behind their international peers in terms of security issues and, as such, excessively exposed to cyber-crime.

Needless to say, the banks were quick to respond and brought in the support of competing technology consultants. The local Saudi paper, Arab News, subsequently quoted local IT house executives as saying that Saudi banks have information security systems comparable to those of banks in Europe and the USA and that suggestions to the contrary were simply 'an act of sabotage and grounds for a libel action.' The paper noted that one local bank had lodged an official complaint with the Saudi Arabian Monetary Agency (SAMA). The banks themselves questioned where the information came from in the beginning since none were aware of a security audit of local banks and questioned the credibility of the source.

Arab News went on to point out that the Kingdom's ten commercial banks receive frequent security advice from SAMA and suggested that 'IT security of Saudi banking networks is at the same level of banks in Europe and North America.' The paper also pointed out that the kingdom regularly hosts events addressing the issue of online security, BS7799 information security standards and how Saudi banks can achieve this certification. Experts working in the market say that local banks are keen to achieve the highest level of information security and are fully aware that information security equates with customer confidence.

Many of the domestic banks during the past year or so have hired international consultants to address the issues and have completed multiple security related tasks with the banks including penetration testing, risk assessments, and upgrading information policies and procedures. Indeed, increasingly local banks are allocating substantial budgets for investment in IT security systems and are working very proactively to enhance their information security.

However, comparisons between local and international systems are not always useful. Cyber-crime defies boundaries and defies IT sophistication. If regional banks are moving online, like their international counterparts, they must constantly and aggressively develop and online security strategy. Cybercrime can hit international and regional banks equally powerfully and equally regularly. Banks, and customers, need to be aware that the move online is not simply a move towards greater automation and lower costs, it is also a move towards greater security vulnerability, without a fully tried and tested security system to go with it.