by Dr. Thuy Chung Phan, Dr. Hien Thu Phan, Ph.D Student Anh Ngoc Quang Huynh, School of Banking, UEH Business School 09/01/2022, 02:37

Cybersecurity risks in digital banking: The case of Vietnam

Cybercrime is a burning issue for many industries, and the banking industry is no exception.

According to the FBI's Cybercrime Report, since the start of the COVID-19 pandemic, cyberattacks have surged by more than 300%, and the costs associated with cybercrime have increased by more than 2,400%.

Digital transformation and high-tech applications are no longer the concern of enterprises alone, but of everyone. The rapid development of technology and the heavy influence of the COVID-19 pandemic have made us deeply aware of the importance of digital transformation in the Industry 4.0 era. Daily necessities such as food supply chains, means of transportation, payments and financial transactions, educational activities, government operations, and even resource extraction are becoming increasingly dependent on digital technology. This, however, places us at constant risk of becoming a target of cybercriminals.

The current state of cybercrime

Cyber threats have rapidly increased in sophistication over the past few years. According to the FBI's Cybercrime Report, since the start of the COVID-19 pandemic, cyberattacks have surged by more than 300%, and the costs associated with cybercrime have increased by more than 2,400% (WEF, 2020). This trend is consistent with Google's research, which revealed that the company has prevented more than 18 million phishing attempts that put Corona's name on malicious files or links (FBI, 2020). Moreover, Cybersecurity Ventures found that cybercrime-associated losses are estimated to exceed $6 trillion in 2021 and $10.5 trillion in 2025, compared with just $3 trillion in 2015. This figure is equivalent to the world's third-largest economy by nominal GDP, after only those of the US and China (Steve Morgan, 2021).

The primary target of cyberattacks

The banking and financial industries have attracted greater attention from cybercriminals than any other sector. In Keepersecurity's global report on cybersecurity (2020), nearly 70% of financial institutions have been victims of cyberattacks. According to Insights' cybersecurity report (2021), more than 25% of malware attacks are directed at banks and financial institutions, which is more than at any other industry. This most likely stems from the specific nature of the banking and financial industry, whose business model and provision of products and services depend on digital technology.

The case of cybersecurity in Vietnamese digital banks

Vietnam is currently ranked 21st in the world in terms of phishing attacks, with 673,743 attacks recorded in 2020. Only Thailand and Indonesia are ahead of Vietnam in terms of cyberattacks in Southeast Asia. According to a survey by the Vietnam Information Security Association, more than 50% of cyberattacks are aimed at banks and financial institutions. According to a report by the Department of Cybersecurity and High-Tech Crime Prevention, Ministry of Public Security, in 2020, banks lost nearly 100 billion Dong from 4,000 cyberattacks, including one bank that suffered a loss of up to 44 billion Dong.

In recent years, Vietnamese commercial banks have advanced in the digital transformation process. The goal of this process is to improve the efficiency of banking operations, improve customer experience, and especially facilitate customers' use of modern banking services. However, cybersecurity issues go hand in hand with the digital transformation movement. Typically, the banking data system is breached to steal data or to perform acts that damage the assets of the bank and its customers. Attacks targeting banking customers, such as defrauding their accounts, impersonating bank employees, sending fake bank links, and setting up websites that impersonate a bank to defraud customers, are also becoming more widespread. Digital banking activities in Vietnam therefore face a very high cybersecurity risk, because all three actors involved in digital banking activities (banks, partners, and customers) are becoming potential targets for cybercriminals.

Proposed solutions to limit cybersecurity risks

To address these problems, the scholars suggest three categories of solutions centered on processes, technology, and people. The process-related solutions focus on detailing the steps in cybersecurity risk management, together with detailed instructions to help banks identify and assess threats, so that they can plan actively to prevent cybersecurity breaches and, especially, create effective incident response plans. Meanwhile, the technology-related solutions are built on a combination of modern cybersecurity tools and techniques. Two technologies, "Artificial Intelligence" and "Security Orchestration, Automation, and Response," are proposed, since these are the two types of technology that banks around the world value for their effectiveness in technology investment strategies to reduce cybersecurity risks (Accenture Security, 2020). Despite its potential benefits for ensuring bank network security, blockchain should be used with caution. Many reports have recently shown that there are still numerous unknown hazards associated with this technology. For the HR solutions, we suggest a proactive approach to raising awareness and fostering a cybersecurity culture throughout banks. In addition, recommendations to the government and the State Bank on issues related to the legal corridor and the development of a national cybersecurity strategy are also a focus.

The last proposed solution is to limit cybersecurity risks for a comprehensive digital banking model. The construction of a fully digital bank is the path of digital transformation that Vietnamese banks are aiming towards, even though it is not yet permitted in Vietnam. Based on the case of the C6 digital bank in Brazil (Keri Pearlson et al., 2020), we therefore propose a comprehensive digital banking cybersecurity strategy built on five main groups, namely the defense team, technical team, administration team, application security team, and cybersecurity culture team. Furthermore, cybersecurity risks can also be mitigated with the use of a three-layer risk control model. The first layer is related to operating procedures, the middle layer is related to risk control and ensuring compliance with security principles, and the final layer is related to internal control.

Cybersecurity is also a major concern for banking customers. We propose some general advice for banking customers to protect themselves against cybercrime: keeping personal information as safe as possible when using banking services via electronic devices (using anti-virus software and firewalls on network-connected devices); being wary of unscrupulous websites, fraudulent emails and messages, and phishing attempts to obtain customers' personal information through attachments or embedded links; and using different, strong passwords for different accounts (personal information should not be used to set a password).

To sum up, cybersecurity risk is one of the vital issues in the digital transformation process of the current Vietnamese banking system. To mitigate this risk, banks must implement synchronized solutions that include top security technologies, the development of an effective cybersecurity risk management process, as well as a strategy for fostering a cybersecurity culture.