The financial services industry remains at great a risk as ever from cybersecurity threats, despite regulators taking an increasingly hard stance on data protection. If they haven’t already, then the £2.5 million stolen from 9,000 Tesco Bank customers and 146 million records of US consumers stolen in the Equifax breach should be causing alarm bells to ring; and within a matter of months, there will be no quarter given to banks who don’t have proper cybersecurity and data protection processes in place.
However, general thinking around cybersecurity models is flawed, and the heavy focus on regulatory compliance is unhelpful. Whilst regulations such as the new General Data Protection Regulation (GDPR) and New York State’s DFS Cybersecurity Regulation rightly put ever greater pressure on data protection, fundamentally, the current ‘protect’, ‘detect’, ‘react’ approach is no longer fit for purpose.
Instead, argues Dan Panesar, VP EMEA, Certes Networks, firms must focus on developing a far more robust security posture based on the critical element of breach ‘containment’; and this can only be achieved by adopting a Zero Trust approach to cybersecurity.
A Prime Target
In 2016, the financial services industry was attacked 65% more than the average organisation across all industries, and according to IBM, 200 million financial services records were breached in 2016, a 900% increase from 2015.
The motivation to attack the industry is not likely to diminish. The goldmine of sensitive data – from credit card to consumer details – means that financial institutions are going to remain a prime target from hackers trying to find weaknesses in the network so they can get in. And whilst the regulators are taking an increasingly hard stance on data protection, organisations that take a regulation-only approach to cybersecurity are actually putting themselves at greater medium- to long-term risk.
The reason should be apparent: by the time most regulations are implemented, they can be 24 months old, resulting in security postures that very quickly become out of date. Moreover, they actually provide hackers with an ‘access blueprint’, as weaknesses in the security model that are not covered by regulation are clearly visible for any hacker to exploit.
Innovation is needed.
Zero Trust Security
The solution lies in the Zero Trust model. A phrase initially coined by Forrester, the Zero Trust approach to cybersecurity abolishes the idea of a trusted network inside the corporate perimeter. It assumes that you can no longer trust anything that is within the extended infrastructure – no users, apps or devices. It assumes that the network can be compromised at any time, by anything.
This means decoupling security from the complexity of the IT infrastructure and addressing specific user/ IoT device vulnerability. Instead of firewalls, network protocols and IoT gateways, organisations should consider data assets and applications; and then determine which user roles require access to those assets.
Building on the existing policies for user access and identity management, organisations can then deploy cryptographic segmentation to ensure only privileged users have access to privileged applications or information. Each cryptographic domain has its own encryption key, making it impossible for a hacker to move from one compromised domain or segment into another – it is simply not possible to escalate user privileges to access sensitive or critical data, meaning that in the inevitability of a breach, the threat is both contained and rapidly identifiable – and any fallout limited.
If the financial services industry is to keep itself out of the headlines and prevent high profile data breaches, the attitude needs to change. The heavy focus on regulatory compliance over data security means that financial institutions will not achieve the robust security posture required to protect data against the continually evolving threat landscape.
It is time to ensure that innovation plays a part in security best practice, and deploy solutions that are in line with a Zero Trust approach.