By Ed Williams, EMEA Director of SpiderLabs at Trustwave
Financial gain is the primary driver for most cyber crime. It is therefore unsurprising that banks and other financial institutions are one of the most high-profile targets for threat actors today. Banks no longer solely exist as physical fortresses, charged with protecting clientele’s cash piles. For years now, they have also been online services where individuals can access and manage their finances digitally. Unfortunately, this makes it much easier for criminals, who no longer need to physically rob a bank, but can cause extraordinary damage from their living room.
Now, as cloud adoption accelerates, the target placed on the backs of financial organisations continues to grow. Banking technology is a major part of this evolution, including mobile applications that collect personally identifiable information (PII). Advances in such technology have prompted calls for greater developments in online security to protect these evolving institutions. Currently, 70 percent of organisations hosting data or workloads in the public cloud have experienced a security incident, with 66 percent actually leaving back doors open to attacks through misconfigured cloud services.
To make matters worse, nearly 20 percent of attacks in the financial sector are caused by internal, financially motivated attackers. Banks have to defend not only against external threats, but also against those operating from within. So, what’s next for banks?
The trick to successful cloud adoption
Industries across the world are making the all-important move to the cloud, with many already experiencing the array of benefits promised. Financial institutions have joined the shift, profiting from more cost-effective infrastructure and stronger customer experience with platforms that alter depending on customer demand.
However, these benefits can be easily and quickly unravelled by the threat of cyber attacks. The need to plan, build, test and run new cyber resilience strategies becomes clear when considering the vast number of threats aimed at banks every day. It is critical that anything built for the cloud is also secured for the cloud. Innovation is one thing, but without the necessary security, all plans made will fall flat.
Securing the supply chain
Another major weakness for financial institutions is their own supply chains. Criminals could gain access to the bank’s network through any one of its suppliers, increasing the overall attack surface. All of a sudden, the safety of the bank’s operations is also in the hands of third parties. Additionally, financial institutions themselves can become weak points for other companies, as they too exist within many supply chains. Often playing an intermediary role, banks assist with business transactions, including importing and exporting goods.
If a bank is hit, then all other companies involved in that particular supply chain could suffer, as without the financial assistance, business grinds to a halt. The recent SolarWinds attack is a prime example of what can happen when a supply chain is hit. When threat actors infiltrated the supply chain, malware was planted and deployed through an update on the Orion products sent round to thousands of customers. Recent attacks like these show that criminals are becoming more sophisticated in their techniques, and so more advanced forms of security are needed to match them.
Building a successful cyber resilience strategy
For those financial institutions looking to rebuild their cyber strategy to align with their growing use of cloud infrastructure, there are four key elements that must be addressed: plan, build, test and run. It is not a one-step saving grace that magically solves all problems. It requires time, effort and dedication. With planning being the first – and most important – step, banks should bear in mind the following points.
Firstly, it’s important to remember that a new environment demands a new security plan. Unfortunately, there is no ‘one size fits all’ approach to building a resilient security strategy, so the same approach will not work for both on-premises applications and the new cloud environment. No changes should take place until a well thought out strategy has been agreed by all parties involved. This applies to financial institutions moving to public and private cloud.
Secondly, nothing should go live without being properly tested. Part of the planning stage is to factor in sufficient and extensive tests, whether using an in-house red team or third-party company. Companies should not feel disheartened if issues arise at the beginning; this is perfectly normal and should be expected. Rome wasn’t built in a day, and neither will an effective security solution be. Treating this exercise as an investment in long-term business continuity is the best approach.
And finally, using artificial intelligence (AI) and machine learning will not take the place of cognitive thinking. Automation, whilst a major part of advanced security solutions, should not be introduced with the intention of replacing human workers. It’s very easy to hype up the expectations of AI and other automated solutions, but it’s vital that financial institutions understand exactly what these technologies are being brought in to achieve. By automating processes, banks will free up human workers to focus on more cognitively challenging tasks, such as improving customer service. Never underestimate the importance of employees in the context of cyber security. Human intuition is as important as AI and machine learning.
Cyber versus physical security
When developing the cyber resilience strategy, financial institutions must take into account infrastructure hygiene, physical security and identity management. As clarified above, implementing this strategy is not a one-step process – there are multiple elements to consider and establish to ensure complete coverage. IT teams should work closely with physical security teams to gain a business-wide perspective. This could include incident response and forensics, penetration testing, application security and security research.
Looking internally, network access should be kept on a short and strict leash, with only the necessary permissions being granted for employees to do their jobs. Moving to the cloud should make day-to-day processes more efficient and facilitate flexible working, but only when deployed with an effective security strategy. Banks and other financial institutions will remain at the centre of criminal activity, so they should be prepared to meet the threat actors head-on.