By Paul Darby, Regional Manager EMEA, Vidder
Over the last few months, a number of legislative and regulatory changes in relation to the threat of cyberattacks have been announced that will affect bank clearing housesin the UK. From May 2018 they will be required to complete regular cybersecurity reports, putting regulations more in line with EU directives around critical infrastructure. This follows the finalisation, in 2016, of a new Network and Information Security Directive (NIS) which sets out cybersecurity obligations, including incident reporting, for operators of essential services and digital service providers.
While there remains uncertainty over exactly how the NIS will impact firms operating in banking and financial services, the message is clear; cybersecurity presents an increasing risk and companies across the financial sector need to take it even more seriously as attacks become more sophisticated.
According to the Verizon 2017 Data Breach Investigations Report, 24% of all breaches are in the financial services industry. Despite the fact that cyberattacks are on the increase and there is considerably more attention given in the media to the risk of ransomware in particular, too many organisations are still using security solutions that were architected before the entrance of state sponsored attacks that can spread globally in days. The report claims that companies are choosing to accept the risk of an attack that will necessitate a ransom payment instead of investing in suitable security precautions.
Part of the difficulty in protecting against cyberattacks is that traditional security systems have become less able to protect today’s networks. Finance companies, like other enterprises, benefit from the digital revolution which allows employees, partners and customers to access information remotely and through a wide variety of devices. To keep this access secure, the solutions tend to focus on traditional network and perimeter chokepoints, forcing security managers to focus their resources on constantly tuning firewalls whilst maintaining larger access control lists with more complex access policies as networks grow in complexity. Yet once a device or user account has been compromised, predatory malware can migrate behind the perimeter and breach sensitive systems as witnessed with the recent Petya and WannaCry attacks.
But networks are moving into the cloud, which means that security processes need to change to match even more complex enforcement requirements, putting more pressure on security solutions and those who administer them.
Traditional network and endpoint security solutions are no longer enough to protect critical applications from untrusted users and devices, whether they are local or remote. With the exponential growth of access points, the control of access at the perimeter of the network is the most effective approach for the protection of data and critical services, yet the very notion of the perimeter is changing due to digitalization and IoT. Unless they can block untrusted users and devices from the larger and more complex network, security departments are forced to address breaches reactively, which is less efficient and more expensive, and gives hackers a first mover advantage.
One way to control access and address growing cyber threats is to put in place more advanced trust criteria. Trusted Access Control powered by software defined perimeter (SDP) and trust assessment technology,will allow banks, clearing houses, insurance companies and all other organisations with critical financial data, to secure their networks with a single layer of protection that combines access enforcement with trust assessment. Access is granted based on trust via application-specific tunnels which are opened to specific services after trust is determined.
The result is enhanced security with less complexity and cost, versus adding more layers of hardware that cannot combine trust assessment with enforcement and therefore reduce protection while further increasing operating demands and making compliance audits more difficult.
Trusted Access Control has some significant benefits in this new reality of complex networks and advanced attacks. It is scalable and suits hybrid, growing networks. It centrally manages secure access from device and user to a specific application based on trust.It enables very granular access policies based on both a user and a device profile that are taken at the time the specific access is requested. Another advantage is that Trusted Access Control can protect applications regardless of where they reside – on premise, in a hybrid cloud and even in a public cloud.
As the industry is forced to withstand increasingly damaging cyberattacks, the necessity to find a solution that allows organisations to move away from a reactive to a more proactive and powerful approach becomes even greater. Tightening up controls by making access to critical systems based on trust assessment could not only provide a transformation in protection levels but also deliver a key strategic advantage by reducing cost and complexity.