Reducing the Risk of Encrypted Communications in FinTech

For highly regulated industries, like finance, protecting sensitive data is not only a foundational requirement of regulation but it must also be prioritised due to the heavy weight of the duty-of-care that organisations have for their customers. Personal financial information is a highly coveted, valuable and ultimately saleable asset for cybercriminals looking to maximise profit, making the industry a prime target. As we’ve seen from past high-profile incidents, and examples of poor network security practices, the reputational damage and financial penalties for organisation found to be breaking data security legislation can be severe – like JPMorgan’s $200M fine for failure to monitor employee data practices.

This affirmative action is evidenced with 62% of the top 1,000 global websites now supporting TLS 1.3, the current best-practice standard that ensures strongly encrypted communications. Apple is also no longer supporting the initial versions of TLS 1.0 and TLS 1.1, now only supporting TLS 1.2 and strongly encouraging the adoption of TLS 1.3.

We are increasingly seeing attackers that breach an organisation’s perimeter are able to hide malicious activity within legitimate encrypted network traffic. This introduces a substantial blind spot for security teams. In the first three quarters of 2021 alone, attacks over encrypted channels increased by 314% from the previous year. These attacks aren’t necessarily cutting edge, but the lack of visibility into encrypted traffic gives intruders much greater freedom to operate on private networks with reduced risk of being caught. So, active decryption and inspection could be the answer. However, significant costs and complexities are created by trying to decrypt vast traffic volumes. What’s more, modern-day encryption protocols use Perfect Forward Secrecy, an encryption style that produces temporary private key exchanges between servers and clients, making generic decryption even harder.