How the Financial Industry Can Prepare for Cyber Threats of the Future
Written By: Yaser Ali
Share this post
As a financial institution, the time to plan for cyber threats of the future is now. Doing that effectively requires you to know what technologies can help you accomplish your goals and satisfy your customers, and also make sure that they are implemented securely by design. Planning for security from the start will help maintain your focus on efficiency and innovation, as opposed to incident response and retrofitting security measures that could have been more easily implemented if they were part of your original planning and design stages.
The Rise of New Technology
The most important changes to the threat landscape for financial institutions relate to the technologies financial institutions are adopting. Though these technologies are opening broad new frontiers for the services you can provide and the ways in which you can deliver them, they require clear thinking about how they affect your security posture. Everything from security architecture, to identifying potential third party security issues to having an effective security management program must be considered well in advance.
Increased Mobile Banking
Like many businesses, banks had to adapt quickly to the pandemic. Even though some services were moving to mobile and some customers were already embracing mobile banking, the shift from choosing not to go out to needing not to go out meant that banks accelerated the shift. Banks had to expand the capacities of the mobile services they already offered. They also had to move more of their premium services, like investment advice, to an online model. Instead of the checks that would happen in person, there need to be enough controls in place to conduct those transactions securely remotely. It also reveals the need for penetration testing of the software, systems, and networks that support these expanded electronic banking services, including any third-party platform, storage, telephony or analytics services.
Though much of the discussion around 5G has focused on the security of the protocols, financial institutions should also be concerned about how 5G can make it easier for attackers to obtain very large data sets. Organizations are storing more data than ever, but 5G is making it faster than ever to move that data from place to place. For attackers, this means performing high impact, high value data exfiltration via mobile devices is becoming more of a reality.
For you, it means security operations must keep pace. The incident identification cycle needs to be faster and more responsive in order to identify and respond to the attack before the damage has been done. Banks need to embrace intelligent solutions to aid even more effective monitoring and response, whilst ensuring infrastructure and applications are ruggedly penetration tested on a regular basis.
Internet of Things
Internet of Things (IoT) devices help make work easier, both internally and with clients. However, they open up several new avenues for data compromise.
Insecure IoT devices in financial institution offices can give attackers easier access to information in several ways. IoT devices that are not segmented away from networks with access to more sensitive data can be leveraged as pivot points, weak spots that attackers can use to delve deeper toward valuable data. In addition, attackers can use vulnerably configured IoT devices, such as microphones, screens, and smart speakers in boardrooms, to access sensitive secrets even as they are being spoken.
IoT is also reaching into work with clients. Common efforts for banks to be more cost-effective include consolidation of bank branches and the advent of the “Smart Branch.” In addition to traditional ATMs, Smart Branches use technology to provide customers with remote access to bankers, and a fuller suite of services without face-to-face meetings. As integral parts of customer transactions, these devices get access to sensitive information and become targets if not securely configured, networked, and maintained.
Security for the Future
Adopting new technology securely starts with a plan that prioritizes security by design, in both infrastructure and applications. This includes ensuring a sound governance structure exists to ensure new applications, infrastructure, and emerging technologies, such as IoT, are risk assessed and appropriately tested prior to deployment. From experience, I have noticed that application security teams at financial institutions tend to be more mature at this point than infrastructure security. However, with digital transformation happening so actively, secure design and ongoing security testing for infrastructure are more important than ever.
Building it in as early in the planning phase as possible means efficiency and cost savings. It builds a positive security culture from the beginning, a benefit for both employees and clients. More concretely, it avoids the need to go back and rebuild things due to findings from tests that should have been carried out earlier, or due to a security breach that could have been avoided.
When creating a security plan, consider the services you provide now, and the technology you need to provide them. Then, consider where you and your customers plan to go in the next one year, three years, five years, and on. This can give you a good idea of what security challenges you’ll be facing, and you can ensure security and governance plans are designed and updated to take these future plans into account. This especially includes plans for third-party management. Cloud services and platform-as-a-service offerings can help greatly to move a financial institution into the future, but third-party security management also opens up new avenues for cyber security risk.
Furthermore, be flexible and adaptable, as the technology and threat landscape is always changing. Your organization needs to be able to move quickly enough to preserve its security posture and to maintain its image as a leader rather than a follower. Projections can help you make the best plans you can, but as new technologies emerge, be ready to ask the tough questions about how those new developments will affect your security posture.
By planning, and including security in your plans throughout, you maintain more resources to focus on what you do best: serving your clients, innovating, and keeping your competitive edge.
Working with a Partner
Working with an experienced partner on your security program brings in a broader base of experience than you have in-house. A partner brings people to the table who have worked with companies at varying levels of security maturity, companies that have used a wide range of technologies, and individuals who have implemented various successful and proven security programs. They can get to know your business and what it wants to achieve and, thanks to that broad-based knowledge and experience, that partner can help your team be even more creative about what solutions can satisfy both your future goals and your security needs.
A partner such as Security Compass Advisory also has dedicated research and development teams that can provide deep insight on emerging technologies. They can harness their experience to develop new and innovative programs to secure your organization against new and emerging threats that relate to IoT, 5G, an expanding mobile workforce, or the next-generation bank branch.
From experience, we have also seen how we can enable better communication within your financial institution. I have worked with banks who have strong internal teams who are doing exciting work with both infrastructure and security, but they are often so siloed off that they’re not communicating with each other or joining up to solve common problems. The right security partner can help you see the bigger security picture, including bringing key security teams together and helping teams realize their potential.
Learn More about Staying Secure
When planning and executing a security program, choosing the right partner to help you implement that program and keep your business secure in the long term is one of the most important decisions you can make. To learn more about our experience in the financial sector, and how our collaborative approach to security may be right for you as you plan to adopt new technology, contact us today.
Yaser is a Director in Advisory servies, with over 16 years of experience in technology risk and cyber security. At Security Compass, he oversees various penetration testing engagements at two of Canadian’s biggest banks, including web application, API, mobile, IoT, Cloud and infrastructure engagements. Yaser spent almost a decade at one of the Big4 in London, UK within cyber security advisory and has also held roles at large financial institutions working in cyber security audit and third party management. This included planning and leading audits of security operations centres and of enterpise level cloud migration projects, where his focus was information security. Yaser has extensive experience in various sectors, especially financial services, energy and natural resources, and healthcare & life sciences. He has a passion for emerging technologies, process improvement and problem solving, and prides himself in enabling his clients to realise their technology and security objectives.