In the Financial Services Industry, the Time for a Fresh Approach to Cyber Security is Now

Posted on by Tony Kontzer

Back in the Old West, banks were the whipping boys of criminals. Anyone with a gun and an eye for ill-gotten gain would target banks because that's where all the money was, and there weren't a whole lot of safeguards preventing someone from walking into the town branch and holding it up.

Today, pretty much any business that manages transactions or holds valuable data can find itself on the wrong side of the cyber crime equation, whereas old-fashioned bank robberies have become rarities. Make no mistake, though: in the Digital Age, banks are still the bad guys' favorite targets, whether what those bad guys seek is money or data (which they eventually turn into money anyway).

And while U.S. financial institutions have been the victims of many of the largest cyber breaches—hello, Equifax and JPMorgan Chase—hackers are targeting banks all over the world. Earlier this year, it was divulged that a coordinated attack targeted seven U.K. banks was made possible by a web site that enabled hackers to launch large scale denial-of-service attacks for less than $20. A couple of days later, three Mexican banks enacted contingency plans following a failed attempt to penetrate the country's electronic payment systems. More recently, a coordinated global attack infected ATMs in 28 countries with malware, allowing the attackers to complete nearly 15,000 transactions in just over two hours, eventually making off with 944 million rupees, or about $13.5 million.

While such incidents fly under the radar in comparison to an event on the scale of the Equifax breach, they still represent a trend worth watching: with all the practice they've had in locking down web sites, mobile applications and ATM networks, it seems that financial services companies are leaving a lot of entry points unwatched. Or at least underwatched.

Alan Platt, COO of security consultancy CyberHive, hit on this in a guest column for Data/Economy, suggesting that the biggest problem facing security leaders in the financial services sector is their own outdated strategies.

In the piece, Platt argues that most financial services firms focus their efforts on preventing breaches from happening, when they should be paying much more attention to human errors and other internal sources of breaches. To make his point, he cites a study jointly published by IBM Security and the Ponemon Institute that found that in 2017, it took an average of 168 days for U.K. companies to identify a breach and 67 days to contain it, which was slightly quicker than the year before but still a long way from real-time response.

Platt then pairs this fact with an assessment that one of the chief threats to financial services companies is the errors that result from their poor approaches to data management — errors that must be detected quicker.

"It's absolutely critical that banks and financial services businesses know about the breach in a matter of minutes or hours, not days," he wrote. "They can then mitigate the risk and avoid further damage to their systems or avoid data loss."

There's also the matter of the industry's increasing reliance on the cloud. As more and more financial institutions offload portions of their IT operations to cloud providers, they expand their digital capabilities and save money, but at a price: The numerous clouds any given financial services company uses create a lot of complexity, which in turn raises the security bar.

As a recent piece in CSO Online contends, "With every new cloud-based application, infrastructure, or software service added to a network, the number of potential entryways into the organization's network that cybercriminals can exploit increases."

There is good news, however, in the form of a bevy of emerging technologies that are spurring innovation in the security marketplace. From AI and analytics to IOT sensors and blockchains, new capabilities are bringing the promise of security tools that can expand an organization's security "eyes," and presumably stop more attacks.

But no matter how many fancy tools a financial services company uses to augment its security efforts, without a well conceived cyber security strategy that takes human error and other internal threats seriously, it'll all amount to a whole lot of smoke and mirrors.

Tony Kontzer

, RSA Conference

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community