Cyberattacks: Zero Trust In The Finance Industry
Andrew Williams, cyber security expert at Mimecast, explores the pros and cons of implementing a zero trust approach in the finance industry.
The finance sector is extremely vulnerable to the rising number of cyberattacks, with The 2021 Cybersecurity Census Report finding that finance companies in the UK suffered an average of 60 cyberattacks in the last year. The number of these attacks continues to increase, and finance companies need to employ strategies to keep their data and networks secure from attackers.
The finance sector is an attractive target for cybercriminals, due to the wealth of data contained within these organisations and the fact that attacks can target banks' processing systems to disrupt critical financial transactions. Nonetheless, the volume and severity of the attacks we're seeing are cause for immediate action, with mid-sized financial services organisations worldwide spending an average of over $2m recovering from ransomware attacks.
Aside from causing disruptions to financial services capabilities and potentially substantial financial losses, financial services organisations that are victims of a cyberattack also stand to suffer significant reputational damage. For example, recent Mimecast research found that consumers think that brands should be responsible for compensating victims of scams, with 39% of consumers saying that not taking responsibility for potential customers being deceived would put them off the brand. Notably, 65% of UK consumers would stop spending money with their favourite brand if they fell victim to a phishing attack involving that brand. This is increasingly important for the financial sector, as online banking is the second most trusted sector by consumers in the UK, but is the most leveraged sector for cybercrime, with 28% of consumers receiving phishing emails from brands in this sector.
The key here is to move at pace, and employ a security model which helps organisations control access to their networks, applications, and data, enabling the financial services sector to remain secure in the face of sophisticated attacks.
The ‘New And Improved’ Cybercriminal
The pandemic has driven more criminals online, as they have adapted to the new remote/hybrid working world by exploiting improperly secured VPNs, cloud-based services, and unprotected emails. Inevitably, external data breaches are now a matter of when and not if. On top of this, a recent report found that the LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks.
These criminals invest a lot of time in researching organisations and employees, asking questions such as: has someone been passed over for a promotion? Is someone being underpaid? Has someone received a negative performance review? Using this research, and spam/phishing attacks, criminals identify weaker links for exploitation. Criminals are then in contact with corporate insiders, asking them to install ransomware, collect information, plant malware etc. This is creating a perfect storm for many financial services companies.
The Zero Trust Model
With this combination of internal and external threats and the risks of significant financial and reputational damage increasing, the financial sector might fear it is fighting a losing battle. But there is a model that can be adopted to keep their data and networks secure from attackers: Zero Trust.
The Zero Trust model is founded on a simple idea: "trust no one and nothing." In essence, the zero-trust security framework gets rid of concepts such as trusted devices and trusted users. In practical terms, organisations that adopt the Zero Trust model put policies in place to verify everyone and everything, regardless of whether they are internal or external. The model provides a mechanism to secure new ways of working in the cloud while combating the risk of an insider breach. The application of a Zero Trust model is especially important when it comes to insider threats, since it is this trust that hackers seek to exploit.
Zero Trust is a great way to address the challenges caused by the rapid increase in cloud spend and the transition to remote working, as it removes implied trust: each access request must be verified, based upon strong authentication, authorisation, device health, and the value of the data being accessed. This is one of the most effective ways for organisations to control access to their networks, applications, and data, leading to more security for the enterprise.
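The per-request check described above can be sketched as a small policy decision function. This is an added example, not code from the article or from any product; the tier names, thresholds, field names and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Assurance demanded per data-value tier (constructed tiers and thresholds).
REQUIRED = {
    "public":       {"mfa": False, "max_posture_age_min": 1440},
    "internal":     {"mfa": True,  "max_posture_age_min": 240},
    "payment_data": {"mfa": True,  "max_posture_age_min": 15},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool            # strong authentication
    entitlements: frozenset     # authorisation: resources this identity may use
    device_healthy: bool        # device health, e.g. patched and encrypted
    posture_age_min: int        # minutes since device health was last checked
    resource: str
    data_tier: str              # value of the data being accessed
    on_corporate_network: bool  # recorded, but deliberately never consulted

def decide(req):
    """Return (allowed, reason). Deny by default; every request is evaluated afresh."""
    policy = REQUIRED.get(req.data_tier)
    if policy is None:
        return False, "unknown data tier"
    if policy["mfa"] and not req.mfa_passed:
        return False, "strong authentication required"
    if req.resource not in req.entitlements:
        return False, "not authorised for resource"
    if not req.device_healthy:
        return False, "device failed health check"
    if req.posture_age_min > policy["max_posture_age_min"]:
        return False, "device health check too old"
    return True, "all checks passed"

def demo():
    """Constructed sample requests: remote analyst, stale device, unentitled insider."""
    remote = AccessRequest("analyst", True, frozenset({"ledger"}), True, 5,
                           "ledger", "payment_data", on_corporate_network=False)
    stale = replace(remote, posture_age_min=30)
    insider = replace(remote, user="insider", entitlements=frozenset(),
                      on_corporate_network=True)
    return [decide(r) for r in (remote, stale, insider)]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Being on the corporate network earns the insider request nothing, while the remote request with fresh signals is allowed; the same remote device is refused once its health check is older than the payment-data tier permits.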
Making It Seamless
One factor that must be taken into account is that, in order to be successful, the integration of zero trust systems must be as seamless as possible, otherwise complexity is re-introduced into the enterprise. Organisations need integrated solutions that optimise their current and future state of security. Avoid solutions that operate in isolation, and instead opt for platforms that integrate to form an ecosystem to improve visibility, enhance control and provide a robust set of orchestration capabilities. Ultimately, zero-trust security is more of a security model than any one tool, making it difficult to implement, especially when the infrastructure it’s being applied to wasn’t designed for new models, as there is no simple way to retrofit some systems for zero trust. For example, as a basic requirement, zero trust relies on multi-factor authentication, which many financial services may not currently have in place.
As well as this, the financial services industry has not fully migrated to cloud solutions, and large amounts of technical debt have been incurred over the years of deploying new applications coupled with digitalisation. With more than 90% of the UK's financial firms still relying on legacy tech, business-critical information continues to be stored on out-of-date software. This equipment is often not compatible with up-to-date software and provides several opportunities for "backdoor" access. Companies that use older legacy applications may have trouble implementing them on zero-trust networks. For this new solution to be effective, companies will also need to invest in employee training. Training for employees alongside new security solutions is the only way to minimise human error, raise awareness and truly increase cyber-hygiene across a whole organisation.
While it's a long process, which may require the replacement of legacy equipment, and which demands inward reflection and internal reshaping, the finance sector needs to make cybersecurity a top priority. Otherwise, there is a real risk that even unsophisticated cyberattacks will cause serious damage and undermine organisations. Using new types of tools and capabilities, such as the zero-trust model, the finance sector can have a safer framework in place to help organisations tackle persistent security challenges, as well as mass remote working, allowing financial services to stay protected regardless of what comes next.