Financial Services continues to be a sector that is discussed frequently in global cybersecurity discussions. As part of an ongoing perspective series, Fortinet’s Araldo Menegon shares some thoughts.
The FS industry continues to be a prime target given the size of the industry and the fact that it is deemed as critical infrastructure. Breaches in FSI not only return significant ROI’s, but also significant press and notoriety for the successful theft of financial related data (credit card numbers, social security or other government-issued ID information, drivers license, addresses, etc.) All can be exploited either directly (credit card numbers), or used to create false personas, or for ransom.
The issue of third-party vendors is also critical. The FS industry has multiple partners and third parties involved in the delivery of their services. This makes for a vast attack surface with many points of entry. Timely detection becomes an issue given the multitude of third parties Finally, FS as an industry has been around for a long time, and changes to the underlying infrastructure not only take time and money. Changes can actually pose as much risk as the existing infrastructure itself. This, however, does not mean that simple best practices such as frequent password changes, strength of passwords, and two-factor authentication cannot be implemented.
The challenge of finding and retaining cybersecurity talent is probably most acute in Financial Services. The competition between private sector, public sector, and the high tech industry is fierce. This war over obtaining talent is a serious gating factor impacting the speed of change.
Yes, BYOD and the expectation of 24/7 service and access have vastly increased the attack surface. Further, the move to entirely digital networks or machine-to-machine interfaces has vastly increased the amount of data being exchanged. While these changes increase availability and the convenience of interacting with financial data, it comes at a cost - more potential points that can be attacked and the removal of human oversight to quickly recognize malicious behavior.
Does the Financial Services market face greater cybersecurity risk as a result? Yes. The entire physical security model, designed around people and protecting people from other people (vaults, armored cars, security cameras, etc.), has to be re-examined and rethought for the digital world. The emergence of new tech start-ups that are challenging existing business models simply pose more challenges, along with generational changes and the new expectations of millennials, while still meeting the demands of the Gen-X era and retiring baby boomers.
1. Zero trust is a fundamental security design criteria, especially as it relates to third party vendors. It is important to recognize that many of the services delivered to you by your financial institution are actually provided by contracted third parties.
2. Given the size and scope of the financial services infrastructure and the trend towards virtualization, security via automated policy configuration and deployment that responds to network changes is an important requirement. This allows you to properly stay abreast of network changes and ensure that your cybersecurity is constantly aligned with your dynamic network infrastructure.
3. Timely, actionable threat intelligence becomes even more important – both to proactively stay ahead of malicious threats through the use of things like sandbox technology for updated threat signatures, and being able to quickly recognize a breach and mitigate the damage.
Regulatory and global compliance will be key drivers. Investments in compliance will be significant. Third party risk associated with partners and vendors has become a priority for US and EU regulators who are driving polices of increased monitoring and self certification. Automation of security and removing the human/manual element of updating security configurations and policies is the highest demand we see coming from our FS clients. True single pane of glass or the “God’s eye” view of your entire, integrated security architecture is the goal.