By Nick Caley, VP of UK and Ireland, ForgeRock
Since the pandemic struck, the adoption of digital channels has grown exponentially across all sectors of the UK economy. This transition has left 96% of businesses and organizations open to some form of digital exposure, creating an opportunity for cybercriminals and fraudsters to pounce.
Financial institutions have experienced a dramatic increase in data breaches, fraud and ransomware attacks. This has sent alarm bells ringing, as they handle some of the most sensitive and valuable personal identifiable information (PII) and are a cornerstone of the UK’s economy.
The implications of this for financial services firms are costly, not only because of the value of data, but also due to the reputational harm and regulatory burden that follows. With our digital future set in stone and the frequency of breaches continuing to rise, the financial sector must make improving its security a priority.
Digitization and cyberattacks: two sides of the same coin?
Over the past year and a half, we have witnessed a massive digital migration, as people have transitioned to doing almost everything online. In response, the financial services sector has undergone a shift that has been both rapid and seismic.
50% of consumers now interact with their bank through apps or websites at least once a week, compared to 32% two years ago. As time online has increased, so have customer expectations. Customers now opt for online or mobile banks that offer friction-free experiences no matter what device they’re on, and regardless of whether they’re at work, at home, or on the road. In the competition to create ever better user experiences, financial service providers have had to get a better understanding of who their customers are, where they are and what device they are using, all through the improved use of data.
The speed and size of this digitization has left financial services vulnerable. It is the second most heavily targeted industry, behind only healthcare, accounting for 12% of all UK data breaches. A new ForgeRock report reveals a 471% increase in ransomware attacks on financial services – going from only seven reported incidents in Q1 2020 to 40 in Q2 2020.
This large increase in ransomware and unauthorized access breaches suggests that cybercriminals are specifically targeting financial data at a time when institutions are most susceptible. In a rush to implement new digital solutions, some financial institutions have fallen short when building adequate security infrastructure.
On top of this, the financial sector is undergoing a period of regulatory transformation. Institutions are under constant pressure to meet regulations like the EU General Data Protection Regulation (GDPR), the revised Payment Services Directive (PSD2) and Open Banking in the UK and EU. In a quickly changing landscape, many have struggled to comply, placing their consumer data and security at risk.
The true cost of cybersecurity breaches
The severity of the problem of data breaches and specifically ransomware attacks cannot be denied. Following several high-profile cyber-attacks, the US Department of Justice declared that it would elevate investigations of ransomware attacks to a similar priority as terrorism. Meanwhile, Britain’s cyber defence chief recently warned that ransomware attacks now represent a bigger risk to UK national security than online espionage by hostile states.
In 2019, the financial services sector contributed £132 billion to the UK economy, 6.9% of total economic output. Given the value of financial data it is no surprise that cybercriminals constantly target this potential gold mine. And with the cost of ransomware attacks projected to rise to £14.9 billion this year, this is a trend that must be stopped.
But it’s not just a financial imperative: breaches can destroy a business’s reputation. One of the most notable UK cybersecurity incidents in 2020 was the ransomware attack on UK foreign exchange firm Travelex, which was forced to shut down its network due to a computer virus. It later emerged that the company had paid a £1.8 million ransom to the hackers – a move which was heavily criticised as encouraging more attacks. The company subsequently fell into administration and had to be restructured with the loss of 1,300 jobs.
Building airtight security infrastructure
To turn the tide of this growing threat, financial institutions need to prioritise bolstering their security posture – and there are three key steps they should take which will help them protect consumer data, prevent damage to their reputation and avoid the costs of a breach.
It is clear to security practitioners that attacks can come from anywhere: consumers, the workforce, or “things” – that is, connected devices. So companies must implement a solution which addresses all three of these potential attack vectors, not just one or two. The best way to do this is to build a security apparatus around the concept of ‘digital identity’ – that is, using real-time contextual data to identify who a customer, employee or connected device is and therefore what they should have access to. Taking an identity-centric approach has the added benefit that, once you have a sufficient level of assurance to know it’s the correct device, customer or employee, you can build better user experiences too.
Once a financial services firm has a security function built around identity, the next step should be to incorporate a ‘Zero Trust’ policy. What this means in practice is requiring that every user, on every device, has only the appropriate level of entitlements and is authenticated before being granted access. To address the current level of sophisticated attacks, businesses should assume that no-one can be trusted – hence the name – until they have verified otherwise. Architecting a hybrid access control plane means financial services firms can always be sure, in whatever environment their services are deployed, that they know exactly who is accessing their system – and it moves the effective perimeter from the edge of the network to each individual store of data.
Lastly, businesses should make use of new applications of artificial intelligence to accelerate and streamline this enhanced system of identity and access management (IAM). Identity governance is an automated system (the most advanced of which make use of AI) that identifies and applies appropriate user access. It also has the capability to identify suspicious access request patterns automatically, raising the alarm before a breach occurs. The effect this has on the business is that the security team tasked with policing user access can do so much more quickly, with fewer resources – and they go from reactive firefighters to proactive prevention.
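The three steps above (identity context, a Zero Trust per-request decision, and governance that spots suspicious access patterns) can be illustrated with a small policy decision point. The following is an added example written for this page; it is not ForgeRock's product code and not from the original article. Every role, resource, device trust level, user name and request in it is constructed for illustration, and the anomaly rules (repeated denials, requests outside the role's entitlements) are simple heuristics standing in for the AI-driven governance the text describes.

```python
"""Toy Zero Trust policy decision point with a governance-style pattern check.

Added example, not ForgeRock's code: roles, resources, users and traffic
below are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Least-privilege entitlements per role (constructed).
ENTITLEMENTS = {
    "teller": {"accounts:read"},
    "analyst": {"accounts:read", "transactions:read"},
    "admin": {"accounts:read", "accounts:write", "transactions:read", "audit:read"},
}

# Minimum device assurance per resource (constructed): sensitive operations
# require a managed device (2); everything else needs at least a known device (1).
MIN_DEVICE_TRUST = {"accounts:write": 2, "audit:read": 2}
DEFAULT_MIN_TRUST = 1


@dataclass
class Request:
    user: str
    role: str
    device_trust: int   # 0 = unknown device, 1 = known device, 2 = managed device
    mfa_verified: bool  # fresh authentication event for this session
    resource: str       # e.g. "accounts:read"


def decide(req: Request) -> tuple[bool, str]:
    """Per-request decision: network location is never consulted; identity,
    entitlement and device context are checked on every call."""
    if not req.mfa_verified:
        return False, "not_authenticated"
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return False, "no_entitlement"
    if req.device_trust < MIN_DEVICE_TRUST.get(req.resource, DEFAULT_MIN_TRUST):
        return False, "device_trust_too_low"
    return True, "allowed"


def flag_suspicious(decisions, deny_threshold: int = 3) -> dict[str, list[str]]:
    """Governance check over the decision log: flags users with repeated
    denials or with requests spanning resources their role never grants.
    Returns {user: [reasons]} for flagged users only."""
    denials = Counter()
    touched = defaultdict(set)
    roles = {}
    for req, (ok, _reason) in decisions:
        roles[req.user] = req.role
        touched[req.user].add(req.resource)
        if not ok:
            denials[req.user] += 1
    flags = defaultdict(list)
    for user, role in roles.items():
        if denials[user] >= deny_threshold:
            flags[user].append(f"{denials[user]} denied requests")
        if touched[user] - ENTITLEMENTS.get(role, set()):
            flags[user].append("requested resources outside role entitlements")
    return dict(flags)


# Constructed sample traffic: a normal teller, an analyst probing for
# resources outside their role, and an admin on an insufficiently trusted device.
SAMPLE_REQUESTS = [
    Request("alice", "teller", 1, True, "accounts:read"),
    Request("alice", "teller", 1, True, "accounts:read"),
    Request("bob", "analyst", 1, True, "transactions:read"),
    Request("bob", "analyst", 1, True, "accounts:write"),
    Request("bob", "analyst", 1, True, "audit:read"),
    Request("bob", "analyst", 0, False, "audit:read"),
    Request("carol", "admin", 1, True, "accounts:write"),
]


def run(requests=SAMPLE_REQUESTS):
    """Evaluate every request, then scan the decision log for patterns."""
    decisions = [(r, decide(r)) for r in requests]
    return decisions, flag_suspicious(decisions)


if __name__ == "__main__":
    decisions, flags = run()
    for r, (ok, why) in decisions:
        print(f"{r.user:6} {r.resource:18} {'ALLOW' if ok else 'DENY':5} {why}")
    print("flags:", flags)
```

The point of the structure is that the decision lives beside the data (the `decide` call sits in front of each resource rather than at a network edge), and that the governance check consumes the same decision log the enforcement point produces, so a user accumulating denials or reaching for resources outside their role is surfaced before any single request succeeds.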
Cybercriminals have made the most of the pandemic-induced confusion and chaos. The digital migration has exposed widespread systemic security vulnerabilities across the financial sector and has made it increasingly difficult to protect sensitive data. The implications of this have been severe for many, and if banks want to thrive in our new digital age they must make strengthening their cybersecurity a priority.
Combining an identity-centric approach to security, a Zero Trust posture, and a modern AI-powered identity governance solution is essential for financial institutions. The reward for getting it right will be continued customer loyalty and success – but the cost of failure could be profound.