In core banking security, firewalls, encryption, and intrusion detection systems tend to dominate the conversation. But after years of assessing financial institutions across emerging markets, one truth has become impossible to ignore: technology is rarely the weakest link. People are. From harmless shortcuts to culturally driven habits, the human element creates the greatest security exposure, and it’s exactly where the smartest institutions are now focusing their attention.
After discussing what to look for when assessing a core banking system, I want to address security. But rather than focusing on firewalls and encryption protocols, I want to talk about what I’ve found to be the most critical security factor: people.
The Post-It Note Problem
During a visit to an institution in West Africa that had recently invested in advanced security infrastructure, I noticed something concerning: login credentials written on a note tucked under a keyboard in the IT department. When I mentioned it, the response was casual – “Oh, that’s just for the backup administrator account.”
This small detail could bypass their entire security investment. And this isn’t an isolated case. Throughout my career, I’ve seen passwords shared via WhatsApp, admin credentials stored in unencrypted spreadsheets, and staff sharing logins to help colleagues who are running late.
The issue isn’t that people are careless. It’s that security measures often conflict with the need for efficiency and convenience. When security is too cumbersome, people find workarounds. The challenge is designing security that’s both effective and practical.
Training Beyond Compliance
I often ask staff about security protocols during assessments. The responses are revealing. In one institution, a teller confidently explained the password policy – minimum length, special characters, regular changes. But when I asked what she does if she forgets her password, she admitted keeping a coded version in her notebook.
This gap between policy and practice is common. Institutions invest in security systems but under-invest in security culture. The most effective institutions I’ve seen treat security as an ongoing conversation rather than annual training sessions. They discuss real incidents, conduct regular simulations, and create space for questions without judgment.
Social Engineering in Practice
While technical threats get the attention, social engineering represents a significant risk, especially in markets where personal relationships are central to business culture.

Christophe Bretagnolle
Digitalization Expert
With more than 20 years of experience supporting financial institutions with their digitalization projects and strategies, Christophe Bretagnolle is a recognized expert on the banking sector in developing countries, particularly in Africa. His wide knowledge of the solutions and requirements financial institutions need to navigate the evolving digital landscape gives him a unique and critical view of the present and future of information technology within the development finance sector.
I worked with an institution where someone called the help desk claiming to be a branch manager who’d forgotten his password. The support staff reset the credentials without proper verification – they were trying to be helpful and didn’t want to inconvenience a senior colleague. The attacker accessed sensitive client information before the breach was discovered.
This wasn’t a technical failure. It was the intersection of helpful culture and insufficient verification procedures. The institution had focused security investments on perimeter defense but hadn’t prepared staff to recognize and resist social engineering.
Access Control: Theory Meets Reality
Access control sounds straightforward until you implement it. I’ve seen numerous institutions where permissions evolved organically – someone needed temporary access for a project, then it was never revoked. Staff moved roles but kept old permissions “just in case.”
In one case, I found a junior staff member with full administrative access to the core banking system. Not because his role required it, but because he’d helped with a system migration two years earlier and no one had reviewed his permissions since.
This is where a well-designed CBS becomes crucial. Good systems make access management visible and manageable. They provide clear views of who has access to what, enable regular reviews, and flag unusual patterns. Poor systems make access control an administrative burden that gets neglected.
The Small Institution Challenge
Smaller institutions face particular challenges with segregation of duties. I worked with a microfinance institution where the same person entering loan disbursements also reconciled accounts. The branch manager’s response: “We know this isn’t ideal, but we trust our team.”
Trust is important, but it shouldn’t be your security strategy. Proper segregation protects honest employees from suspicion when discrepancies occur and creates clear accountability.
The solution isn’t abandoning segregation but being creative about implementation. Modern CBS can provide separation through automated workflows, system-enforced dual authorization, and comprehensive audit trails that enable effective oversight even when real-time segregation isn’t possible.
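The access reviews and segregation-of-duties checks described in the last two sections can be made routine rather than heroic. The script below is an added example (not code from any real core banking system or from the author); it runs a review over a constructed permission snapshot that includes both situations from the text: a junior staff member whose migration-era admin rights were never revoked, and one person who both disburses loans and reconciles accounts. The role model, permission names, conflict pairs and the 90-day limit on temporary grants are all assumptions chosen for the example.

```python
"""Access review and segregation-of-duties (SoD) check over a constructed
permission snapshot. Added example for illustration; role names, permission
names, conflict pairs and staff records are invented, not taken from any CBS."""
from datetime import date

# Constructed role model: the permissions each role legitimately needs.
ROLE_PERMISSIONS = {
    "teller": {"cash_in", "cash_out", "view_own_portfolio"},
    "loan_officer": {"loan_disburse", "view_own_portfolio"},
    "accountant": {"reconcile", "view_gl"},
    "sysadmin": {"user_admin", "config_change"},
}

# Constructed SoD conflicts: one person must not hold both permissions of a pair
# (the disburse-and-reconcile case from the text is the first pair).
SOD_CONFLICTS = [
    ("loan_disburse", "reconcile"),
    ("user_admin", "loan_disburse"),
]

# A temporary grant older than this is flagged as stale (assumed policy value).
MAX_TEMPORARY_DAYS = 90

# The review date used by the demo below (constructed).
REVIEW_DATE = date(2025, 6, 1)


def review_access(staff, today):
    """Return findings as (user, finding_type, detail) tuples."""
    findings = []
    for person in staff:
        allowed = ROLE_PERMISSIONS.get(person["role"], set())
        held = set(person["permissions"])
        # 1. Permissions the person's current role does not justify.
        for perm in sorted(held - allowed):
            findings.append((person["user"], "excess_permission", perm))
        # 2. Temporary grants that were never revoked.
        for perm, granted in person.get("temporary", {}).items():
            age = (today - granted).days
            if age > MAX_TEMPORARY_DAYS:
                findings.append((person["user"], "stale_temporary", f"{perm} ({age} days)"))
        # 3. Segregation-of-duties conflicts held by a single account.
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append((person["user"], "sod_conflict", f"{a}+{b}"))
    return findings


# Constructed snapshot: a clean teller, a teller with leftover admin rights from a
# 2023 migration, and a loan officer who also reconciles.
STAFF = [
    {"user": "a.diallo", "role": "teller",
     "permissions": ["cash_in", "cash_out", "view_own_portfolio"]},
    {"user": "k.mensah", "role": "teller",
     "permissions": ["cash_in", "cash_out", "view_own_portfolio", "user_admin", "config_change"],
     "temporary": {"user_admin": date(2023, 5, 1), "config_change": date(2023, 5, 1)}},
    {"user": "f.ouedraogo", "role": "loan_officer",
     "permissions": ["loan_disburse", "view_own_portfolio", "reconcile"]},
]


def demo_findings():
    """Run the review over the constructed snapshot at the constructed review date."""
    return review_access(STAFF, REVIEW_DATE)


if __name__ == "__main__":
    for user, kind, detail in demo_findings():
        print(f"{user:14} {kind:18} {detail}")
```

The three checks map directly onto the text: role-versus-held permissions catches the "kept old permissions just in case" pattern, the temporary-grant age catches the project access nobody revoked, and the conflict pairs catch the small-institution case where one person both enters and reconciles. Running it monthly, with the findings going to someone who must sign off on each one, is what turns an audit-time exercise into an ongoing control.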
Audit Trails That Actually Work
Many institutions implement audit trails for compliance but rarely review them. I’ve seen systems that meticulously log every action but where logs sit unexamined unless a problem is already suspected.
In one institution, audit trail review revealed a staff member regularly accessing client accounts outside their portfolio. When questioned, she explained she was “just curious” about wealthy clients. This had continued for months, logged but unnoticed.
A good CBS doesn’t just record actions – it enables meaningful review. The best systems use automated alerts for unusual patterns: access outside normal hours, multiple failed login attempts, changes to critical configurations, or unusual account access patterns.
Finding the Right Balance
The most delicate aspect is balancing protection with operational efficiency. Too much security creates problems as serious as too little.
I’ve encountered institutions where security was so burdensome that staff routinely found workarounds, creating more risk than simpler security would have. In one case, password requirements were so complex that staff developed systems for rotating through password variations, defeating the purpose entirely.
Effective security is designed with operational reality in mind. This is another area where CBS selection matters. Systems should support multi-factor authentication that works with limited connectivity, approval workflows that acknowledge time zones and working hours, and password policies that are strong but practical.
Making Smart Security Investments
When it comes to security investments, the cheapest approach rarely works, but the most expensive isn’t necessarily the best either.
Smart investments should be driven by actual risks, not perceived threats or vendor marketing. Some investments pay for themselves quickly: multi-factor authentication significantly reduces account compromise at relatively low cost. Regular access reviews eliminate unnecessary permissions. Staff training prevents costly incidents.
The key is addressing multiple layers: preventing unauthorized access, detecting unusual behavior, limiting damage if breaches occur, and enabling rapid response. A well-designed CBS supports all these layers through its built-in security features and controls.
The Bottom Line
CBS security isn’t about implementing every possible control. It’s about finding the right balance – protecting against real risks while enabling staff to work effectively. And it starts with recognizing that security is fundamentally about people and behavior.
By focusing on these human elements and selecting a CBS that supports practical security implementation, institutions can create protection that actually works in practice rather than just looking good on paper.
Author: Christophe Bretagnolle
