Financial services need to become data fortresses: robust and secure

By Stuart Reed, VP of Products,Nominet

Like many industries, finance is well aware of the need to maximise the returns presented by digital.  However, financial institutions are tackling digital transformation at a pace and scale not common across other sectors. The question is, is this at the expense of security?

To explore this, Nominet recently commissioned a survey of CISOs, CTOs and CIOs at financial services providers across the UK and US, looking at the intersection of digital transformation and cyber security. It sought to explore how banks can manage third party risk, innovate, and meet evolving customer expectations while mitigating their exposure to cyber-attacks.

An appetite not to be left behind

Traditional banks have become increasingly vulnerable, juggling a myriad of challenges. Often they are having to reinvent themselves and come up with new and innovative ways to ride the wave of disruption. Mobile technologies, cloud platforms, and big data are just some examples of next generation technologies bolstering the capability of financial services institutions to improve cost efficiencies and remain relevant in today’s digital age.

Customer banking habits have shifted to expect an “always on” and “always connected” experience, and banks are aligning their services with these expectations.  According to the report, around half (49%) were implementing digital transformation programmes to keep pace with evolving customer behaviours and preferences.

But, while digital transformation might be seen as the answer to securing a bank’s future, the evolving cyber landscape means that many may be compromising themselves in the hunt to become more innovative.

Financial services institutions are in a constant battle to arm themselves against the threat of attackers trying to breach their networks and siphon off high-value data. With the majority of customers managing their finance online 24/7, a bank’s IT network is a treasure trove, hugely attractive to cyber-criminals.

Awareness of this is not lacking.  In Nominet’s survey, many were mindful of the risk exposure such digital programmes could have on their business, with about half (48%) claiming a threat to cyber security was the single biggest risk by its implementation. Over half of correspondents (53%) were equally, if not more, concerned about the increased attack surface presented by digital transformation, which now extends beyond the four walls of a bank branch.  The majority (64%) are also worried about the exposure of customer data.

A complex environment of incidents and regulation

Incidents match this increased concern. In the last year in the UK, financial services firms reported a 1000 percent increase in incidents to the Financial Conduct Authority (FCA).[i] According to the FCA, 21 percent of these were triggered by third-party failure, 19 percent from hardware or software issues, and 18 percent were caused by a change in management.[ii]

The regulatory burden is also growing for financial services firms.  On the other side of the Atlantic, many regulators believe that hackers now pose the greatest risk to the US financial system. In response, they have considered pooling resources to assess the cyber defences of America’s top banks.

In the UK, GDPR has drastically increased potential penalties on companies found to mismanage customer data. 47 percent of respondents cited compliance with new regulations as a driver for digital transformation to modernise their processes and operations.

A matter of timing

The reality is that, despite the rise in UK financial services firms falling prey to cyber breaches, businesses are failing to build security into digital transformation initiatives from the outset. Only around two in five admitted considering security, with one in five either leaving it to the pre-implementation or implementation stages. Worryingly, one in ten admitted to putting it off until their transformation was actually underway, and a handful confessed to giving cyber security no thought at all.

The majority of financial institutions are now opting to outsource essential back-office processes to simplify and streamline operations. 82 percent of financial services providers outsourced their digital transformation efforts, for example. But, while using third-party vendors boosts in-house capabilities and adds value in terms of domain knowledge and technical expertise, it also heightens the exposure to risk. It doesn’t matter if a third party is to blame for the misuse of data; under GDPR the company itself is responsible for the data. It’s therefore important to strike a balance and look at the digital transformation strategy through a lens of cyber to mitigate the misuse of data or a breach in the network.

As banks become more forward-thinking and innovate for the future, they must also keep a watchful eye on the present.  Security teams need to be deeply embedded in all digital transformation initiatives from the very start.  It should not be a question of securing infrastructure once a project has gone live, rather building in security from the outset as part of the planning phase. Without this, digital transformation will always present as many risks as it does opportunities.

Control vs visibility

Furthermore, whilst embracing cloud based models inevitably means relinquishing a level of control to a third party, it is essential to recognise that the responsibility of data still remains.  As such, understanding where that data is, how it is accessed, who can access it and ensuring interactions are both expected and legitimate are crucial.  Arguably having visibility across the network (be it on premises, in the cloud or a mixture of both) is more important than ever before.  The common denominator linking networks regardless of complexity is the Domain Name System (DNS).  DNS based traffic flows between network in all organisations and therefore if utilised as part of the security stack can provide valuable information regarding malicious and suspicious behaviours along with identifying data theft through DNS “tunnelling”.  Having visibility and actionable intelligence at this layer provides the holistic view often missing at the network level and can help security teams reduce their digital attack surface and quickly respond to an identified breach before it causes harm.

 [i]https://www.bbc.co.uk/news/technology-48841809

[ii]https://www.forbes.com/sites/soorajshah/2019/07/01/finance-firms-reported-staggering-819-cyber-incidents-in-2018–12-times-more-than-2017/