HOW FINANCIAL SERVICES CAN ACHIEVE ZERO TRUST

By Ian Jennings, Managing Director, BlueFort Security

 

Financial data is one of the most prized targets for cyber criminals.  This makes any organisation collecting, processing and storing financial data on any scale a target for attackers.  Even relatively simple attacks – as in the case of the distributed denial of service (DDoS) attack against the New Zealand stock exchange – can take operations down completely.  However, for large financial services firms the threat against this data is growing larger, more complex and increasingly sophisticated by the day.

The cyber threat landscape has changed dramatically over the course of the pandemic and many UK financial services firms have felt the squeeze.  A recent report from the Ponemon Institute commissioned by Keeper Security revealed the majority of organisations in the UK financial sector suffered cyber-attacks in 2020 – driven primarily by attackers targeting employees working remotely.  Security leaders in these organisations fear the worst – 41% are concerned remote workers are putting their organisation at risk of suffering a significant data breach.

 

Thinking strategically with Zero Trust

There’s no doubt the massive shift to remote work has created new vulnerabilities for criminals to exploit, but IT security teams do have a strategy available that will help counter these exploits: Zero Trust.

A Zero Trust strategy works by limiting privileges and access for users and devices until their identity and legitimacy have been verified – even if they are already on the network.  Rather than assuming trust for anything that has successfully logged onto the network, a Zero Trust strategy verifies and re-verifies users and devices each time they attempt to access different parts of the network.

A well-implemented Zero Trust strategy offers a layer (or, in reality, multiple layers) of additional security against many types of attack.  Brian Kime, Senior Analyst at Forrester, recently pointed out the importance of looking at Zero Trust in response to the ransomware attack on the US Colonial Pipeline.  Discussing the fragility of most IT systems in the face of these attacks, Kime explains that – despite myths – a Zero Trust strategy is neither costly nor complex to deploy.

 

The net result of remote working

Security concerns around remote working in the UK financial sector are well-founded, given the speed at which nearly all organisations in the sector were required to deploy a remote workforce and the pressure IT teams were under to maintain operations.  Recent Trend Micro research revealed that remote workers often engage in more risky behaviour at home than when they’re at the office.  Combine this with a surge in COVID-19 phishing emails and a swathe of shared or unsecured personal devices and you have a perfect storm of risk.

The net result today for many UK financial organisations is huge concern about malware-infected endpoint and IoT devices, insecure network access and compromised credentials leading to identity-based attacks.  Indeed, the 2020 Zero Trust Endpoint and IoT Security report from Pulse Secure – which explored how enterprises are advancing Zero Trust endpoint and IoT security capabilities within their individual organisations – found that 72% of organisations experienced an increase to significant increase in endpoint and IoT security issues due to workforce mobility and remote workplace flexibility.

 

It’s all about the data

A Zero Trust approach allows an organisation to defend itself against identity-based attacks.  In its simplest form, it acts as a layered security approach that assumes an attacker will breach the corporate network.  Instead of prevention, a Zero Trust architecture acts as a guardian against lateral movement once an attacker is inside the corporate network.  When deploying a visibility and access control strategy like Zero Trust, financial services organisations should consider three key building blocks:

  1. Validation – of users and their devices’ security posture
  2. Control – of access through granular policy enforcement
  3. Protecting and encrypting data transactions
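
The three building blocks, together with the per-access re-verification described earlier, sketched as a policy decision that is evaluated from scratch on every request. This is an added example, not code from the article or from any vendor product; `Request`, `ROLES`, `POLICY` and `decide` are hypothetical names and the sample data is constructed.

```python
from dataclasses import dataclass, replace

# Constructed sample data: role assignments and per-resource policy.
ROLES = {"alice": "treasury", "bob": "helpdesk"}
POLICY = {"payments-api": {"treasury"}, "ticketing": {"treasury", "helpdesk"}}

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool        # identity validated for this request
    device_compliant: bool  # posture check result (patched, encrypted, managed)
    resource: str
    encrypted: bool         # transport is encrypted (e.g. TLS)
    on_corporate_network: bool = False  # recorded but deliberately never trusted

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request from scratch; no decision is cached between calls."""
    # 1. Validation of the user and the device's security posture.
    if req.user not in ROLES or not req.mfa_passed:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    # 2. Control through granular, per-resource policy (default deny).
    if ROLES[req.user] not in POLICY.get(req.resource, set()):
        return False, "role not authorised for resource"
    # 3. Protect the data transaction.
    if not req.encrypted:
        return False, "unencrypted channel"
    return True, "allow"

def demo() -> list[tuple[bool, str]]:
    base = Request("bob", True, True, "ticketing", True)
    return [
        decide(base),                                   # allowed
        decide(replace(base, resource="payments-api")), # no lateral reach
        decide(replace(base, device_compliant=False, on_corporate_network=True)),
        decide(replace(base, encrypted=False)),
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The third case shows the point of the model: a user who was allowed a moment ago is denied once the device falls out of compliance, and being on the corporate network does not change the outcome.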

In the new mobile world of work – with many employees working remotely – it is crucial that IT security teams focus on the data.  Data moves with endpoints and this makes them attractive targets for cyberattacks.  Security policy, therefore, must move with users and data and should not be tied to a particular location.  Just as endpoint security products secure and collect data on the activity that occurs on endpoints, network security products do the same for networks.  To effectively combat advanced threats, both need to work together.  An integrated approach that combines endpoint and network security is the only way to achieve end-to-end protection across your entire security architecture.

 

And finally: get your users on board

User experience can often fall far down the priority list when it comes to IT security, but it should be seen as a crucial factor in long-term security posture.  A Zero Trust strategy should incorporate a positive user experience while it enforces policy compliance across employees, guests and third-party users – regardless of location, device type, or device ownership.  Users enjoy greater productivity and the freedom to work anywhere without sacrificing access to authorised network resources and applications.

A Zero Trust strategy may seem like an unachievable goal, but it isn’t.  Fundamentally, it’s about achieving a state of continuous verification and authentication throughout the network, with centralised policy enforcement and a seamless experience for users.  This ensures any device – whether that’s a company-issued laptop, an employee’s personal tablet or a stray IoT device – can only connect to authorised applications on the corporate network in a compliant manner.  In the case of attack, Zero Trust can help contain the breach, limit the damage and significantly speed up an organisation’s path to recovery.

 
