By Patrick Sullivan, CTO, Security Strategy at Akamai
Ransomware is the most common type of cyberattack used to leak financial data, according to a recent report by Rapid7. And with the financial services industry continuing to face such cyberthreats, the repercussions of these threats mean that the stakes have never been higher, creating the need for a more security-focused approach in this adapt-or-die industry.
IBM’s recent Cost of a Data Breach Report revealed the global average cost of data breaches has reached an all-time high of $4.35 million. This staggering rise is especially concerning for banks and other consumer-facing financial services organisations, as they navigate the challenge of keeping their customers’ finances safe by ensuring that those accessing funds, making transactions or taking our loans are who they claim to be.
In fact, that same IBM research showed that 83% of financial services organisations have experienced more than one breach in the last year, and those that are yet to implement robust verification measures to mitigate this, risk becoming one of these statistics. Our research backs this up, showing that more than half (58%) of British people reported receiving a scam attempt at least once per week in 2021. What’s more, 51% say they would switch banks if they were not reimbursed after falling victim to fraud.
The ever-evolving threat landscape means financial organisations must ensure their systems and customer data is protected. They can do this first by getting the basics right, and then looking at taking what’s called a ‘Zero Trust’ based approach for accurate and robust identity verification.
Limiting Initial Access
All financial service providers will have implemented various controls intended to prevent an intruder from gaining initial access to Corporate assets. In fact, many will have the best possible people, technology and process for preventing initial access. Despite these best efforts, research tells us that this reduces the likelihood of an incursion, but it won’t eliminate attackers gaining initial access at some point. This is where the zero-trust approach really comes into play. The goal of the Zero-Trust architecture is to ensure that even if an attacker successfully completes the early stages of an attack sequence, they are prevented from the more devastating later phases of an attack sequence which include moving across corporate assets working their way to crown jewels.
Zero Trust is the future of cybersecurity in financial services
Though the concept of Zero trust has become more popular across many sectors, many organisations are yet to reap the benefits of this approach. In fact, almost 80% of organisations don’t adopt zero trust strategies, resulting in average breach costs of $5.4 million, $1.17 million more compared to those that do.
Zero trust means what it sounds like: no one on a network is trusted. Users are given only the access that they require for their task, and the network is segmented to make it difficult for would-be attackers to move through the network in search of valuable data to steal. As such, financial services must leverage Zero trust capabilities in order to protect sensitive data and enforce “authorised only” access to information that is critical for security and compliance.
For example, if a cybercriminal were to gain access to a bank employee’s credentials through a phishing attack and successfully impersonated them within the bank’s network – this could leverage this access and the implicit trust afforded this user to work their way across corporate infrastructure to more sensitive assets. This could end-up putting thousands of customer’s finances at risk. Taking a Zero Trust based approach means that even if a hacker had access to an employee’s device, they would have a much harder time moving across the network to more sensitive assets.
Such Zero Trust technologies mitigate the widespread impact cyberthreats can have within an organisation. Not just this but Zero Trust technologies can also reduce a lot of the potential regulatory and network security headaches simply by removing implicit trust within an IT ecosystem and replacing it with a risk-based approach to accessing organisational resources.
The bottom line:
The ever-evolving threat landscape means financial organisations must rethink their security solutions to ensure their systems and data are fully protected. Traditional techniques that rely on detecting known threats or require employees to make the right judgement call leave organisations vulnerable to attacks that could compromise customer data – putting customers at risk and organisations’ reputations on the line. In this ever-evolving landscape, implementing Zero Trust solutions means financial organisations can be confident they are well-equipped to tackle the next generation of cyberattackers.
