Cybersecurity: innovation at its purest

Given the sophistication of digital attacks, Societe Generale has made cybersecurity a central focus in order to protect its customers, their data, and its Information Systems. Questions for Thierry Olivier, Head of Information Systems Security for Societe Generale Group, on cybersecurity issues in an age when banks are undergoing a digital transformation.

Thierry Olivier

What are the main cybersecurity issues for banks?

The threat of cybercrime and incidents stemming from it keep increasing, and successful major attacks are now seen by the public. With our customers' behaviours in handling new technologies and the transformation of our information systems to meet their needs, such as the cloud, big data/machine learning, mobility, and social media, traditional perimeter-based security models have been upended. We have moved on to more open models, which means that our exposed areas have grown larger. Criminal organisations have seen this reality, and have invested a great deal in bypassing the information tools made available to our customers and employees. Their attacks have been increasingly large-scale. Cybercrime has brought with it four major risks. The oldest risk relates to the availability of our information systems. However, it is essential that our customers can access their online banking services anytime, anywhere, on any device (ATAWAD). Next came external fraud, which targets customer-facing infrastructure (online banking sites, apps, etc.), and internal fraud, which targets the bank's internal systems. Finally, information leaks: theft of data, even limited in scope, may lead to us losing the trust of our customers, both individuals and businesses.

In light of these threats, what actions have been taken by Societe Generale?

Societe Generale is constantly investing in order to better protect its customers' assets and transactions. We ensure data security and adherence to bank secrecy. We take action in five areas: The security of applications and the security of all customer data, whether personal or banking related; strengthening the security we offer to our customers (with tools that are both reliable and easy-to-use), and building awareness and providing guidance to our customers as well as our employees, because nearly 90% of attacks worldwide take place through the company's own staff.

For example, as soon as there is a non-compliant transaction – a user who normally logs in during the daytime is seen doing so in the middle of the night – an alert is reported to our SOC (Security Operating Center) which monitors how all computing infrastructure and applications are being used, 24/7.
Our cybercrime prevention systems rely on four pillars: "Prevention, Protection, Detection, and Reaction".

How do customers experience this? Could you give us examples of solutions offered by Societe Generale?

One of our leading solutions is the dynamic security code, on the back of the bank card. This is a built-in digital screen that displays a new code every hour, making it impossible to reuse the data. In six months, nearly 100,000 of our customers have already adopted this solution. We also offer software to make the customer's own area on our website more secure: Trusteer, which helps the user ensure that the site he or she is viewing is not a fake site that has stolen Societe Generale’s identity. Another example is Secure Access, a solution dedicated to businesses that secures the authentication and validation of orders (payments or deposits).

How is our new technology helping ensure security and build digital trust?

In order to detect fraud, big data tools enable us to collect and consolidate large volumes of information. Next, in order to identify suspicious practices, we use mathematical models to extract suspicious practices and detect abnormal events. We define a standard model, a standard deviation, and when a transaction varies past that standard deviation, an alert is sent. The machine learning systems that make such detection possible, including the detection of fraudulent bank card transactions, are increasingly powerful, and have shown us things that we would have been unable to see without them.

Societe Generale and Wavestone are launching the Banking CyberSecurity Innovation Awards (BCSIA), a first for the banking sector. What is the purpose of these awards?

I believe that as a player in the real world economy, we have a social responsibility to assist and promote young innovative businesses in France and Europe. This strong open innovation initiative is aimed at building contacts and exchanges with key players in the ecosystem in order to jointly construct solutions to ensure the security of the Bank's systems and its interfaces with its customers, and retain its role as a trusted third party. Finally, it is important to show our customers that we are working hard to stay on top of things in protecting the data that they have entrusted to us; that we are continuing to develop and invest in innovation in order to anticipate new risks and offer innovative solutions for mitigating those risks.

Do your teams work with other cybersecurity players, like start-ups and research labs? Why are such collaborations important?

Today, banks – and large businesses in general – cannot go it alone when addressing technological changes. They need to rely on specialists. We have identified start-ups that appear interesting, which can provide solutions to the challenges that we are working on. For example, we are currently working to set up an Israeli solution identified early in 2016. Through our CERT (Computer Emergency Response Team), we do a great deal of work with the French National Information System Security Agency (ANSSI), with which we share information about new attacks. Guillaume Poupard, the chief executive of ANSSI, will be on the panel for the Banking CyberSecurity Innovation Awards. We are also partners of the Critical Infrastructure Cyber Security Chair supported by Télécom Bretagne, in collaboration with Télécom ParisTech and Télécom SudParis. Lastly, we have developed contacts with the President of INRIA (the National Digital Research Institute) with the goal of solving security issues for which publishers have been unable to provide us with satisfactory proposals. We want to identify new solutions that address security issues through perspectives different from ours today. This necessarily means openness and co-creation.