Data breaches created some of 2018’s biggest, most immediate scare stories for the general public. Facebook’s revelation in the spring that the personal information of at least 87 million users had been shared was just one of the standout examples. Asia, as it happens, went one better, with January’s disclosure that the personal information of every single one of the 1.1 billion-plus registrants for India’s Aadhaar unique identity number was up for sale. In this kind of environment, who can blame banks and financial services companies for buffing up their cybersecurity credentials?

I wouldn’t want to be snarky or sceptical about such a critical issue when it immediately threatens the personal wealth of little people everywhere. So here’s my scratch audit of cybersecurity risks, in a classic Mr. Robot-style assessment of vulnerabilities. Both involve social engineering.

The first is the vulnerability of banks and financial services companies to human engineering because their structures and practices, necessarily, emphasise compliance and conformity with set routines. This leaves them vulnerable to anyone able to subvert and manipulate those routines. Technological sophistication won’t help because the attackers have access to the same tools as the defenders, and the limitations of a tool are dictated by the mentality of the tool-user. I’ll leave it to readers to conjecture whether the conformist, homogenous, group-oriented characteristics of some Asian societies leave their financial institutions especially vulnerable to this kind of attack. I do believe that a financial institution’s entire corporate culture, not just its data security manual, is the key battlefield. If you want to protect your customers and depositors, empower your people and make them responsible.

Read more @Asia Asset