Why banks must consider IT visibility as part of their cybersecurity strategy

Chris Vaughan, Area VP – Technical Account Management EMEA, Tanium

 

When looking at the state of cybersecurity in organisations since the pandemic began, there is one industry that is lagging more than any other: banking. Research conducted earlier this year found that 86% of banking and finance businesses had experienced a cyberattack or data breach in the past 12 months – higher than any other industry surveyed.

One key issue holding large banks back centres around old IT infrastructure. Whilst organisations in other industries have embraced migration to the cloud, banks have been slower to do so. The reason? Many are using outdated IT infrastructure and systems, which makes adopting cloud technology significantly more complicated and cost-prohibitive, and there is a reluctance to tackle the related data security challenges.

 

Addressing a lack of data visibility

The use of cloud services provides huge benefits for large organisations: most notably, the greater opportunities to increase the pace of operations and improve scalability.

However, a shift to the cloud can make securing data more challenging for IT teams – with sensitive data being shared over a broader online territory and no longer confined to physical ‘on-prem’ servers. In the cloud environment, true data visibility – ascertaining what data you have and where it sits on the network – can be more difficult to achieve.

Organisations should also understand that the ultimate responsibility for managing data stored in the cloud sits with the organisation, not the cloud provider – so IT teams need to take accountability and have the right endpoint management tools in place to ensure data is accessible, safe, and secure. A valuable endpoint management tool will provide full visibility into the status of devices, applications and data points sitting across the cloud network – and flag vulnerabilities as they arise.

 

Follow FinTech to the cloud

With security paramount across the finance industry, data visibility needs to be front and centre of any IT infrastructure shift. All finance companies – from FinTech start-ups to legacy banks – share the same challenges regarding visibility in cloud IT infrastructure.

However, there is one key difference: FinTech companies are born in the cloud and don’t have old IT architecture and legacy systems to drag along, meaning they can build the network structure they want – and need – with a focus on data visibility from day one.

This doesn’t mean that traditional banks can’t reap the benefits too. They should look to FinTech organisations for examples of the value that moving to the cloud provides, including the opportunity to develop new business models, streamline operating procedures and costs, and add greater customer-centricity.

To keep things secure whilst shifting to the cloud, banks should embrace security tools that provide visibility across environments, users, and data sets. This can be facilitated by cloud-agnostic asset discovery and data monitoring solutions that help banks to simplify security amid the cloud migration process.

 

Consider data visibility across third-party software

Organisations should also consider the impact that third-party software, working within their cloud environment, has on their security posture. Many high-impact cyberattacks over recent years, including the recent NHS 111 outage, have originated from breaches of third-party software vendors, which then paved the way for attackers to compromise the network.

Banks therefore need to ensure they are considering data visibility across their supply chains as part of their effort to manage their entire IT estate. Dependency on partners and suppliers – and a lack of visibility into the data they’re holding on behalf of the organisation – poses a real threat to banks, in part because there are more third-party vendors in their ecosystems today than ever before.

To tackle this challenge, IT teams need to start by answering the following fundamental questions: Who are the suppliers? What is their security like? And how are they using our organisation’s data? Third-party vendors must be able to provide a comprehensive and accurate inventory of their IT assets to understand where data sits and where software vulnerabilities lie, and to apply patches in a timely manner to mitigate risks.

Where possible, banks should consider publicly listing the third-party software they use and its components – to provide transparency to customers with regard to how their data is stored and managed.

However, some suppliers would be reluctant to agree to this. As a result, there is a case for the industry to implement a regulatory framework. Just as banks force customers to share information to protect themselves from being used for money laundering or financing terrorist organisations, third-party suppliers could be made to report the components of their software. This would be similar to how food companies are obliged by both EU and local legislation to list the ingredients in their products.

Banks and credit institutions should act the same way with their software to avoid compromising the security of customers. In the US, many companies have already started tagging open-source code with component information, known as the ‘Software Bill of Materials’, and this approach should become mandatory for banks worldwide.

Banks also need to be held accountable for ensuring their suppliers meet a set of minimum security standards. Additional regulatory measures could require third-party suppliers to report the cybersecurity protection they have in place (like the KYC approach) to help ensure defences remain strong across the industry. Only third-party providers who meet a certain security standard would be permitted to access the bank’s systems.

Ultimately, banking and finance teams need to prioritise data visibility to ensure that their customers’ money and sensitive information stored in the cloud remain safe. This should involve putting technology in place to ensure that issues can be detected in real time, and threats can be responded to as quickly as possible – regardless of where they sit across the organisation’s cloud infrastructure.
