By Manuel Sanchez, Information Security & Compliance Specialist, iManage
The UK government’s Cyber Security Breaches Survey 2022 is overflowing with statistics that paint a concerning picture of just how challenging the threat landscape is for today’s companies, including those in the financial sector.
For starters, phishing is widespread: Of the 39% of UK businesses who identified a cyber security attack, the most common threat vector was phishing attempts (83%). Meanwhile, around one in five businesses experienced a more sophisticated attack type such as a denial of service, malware, or ransomware attack.
The National Cyber Security Centre and the Information Commissioner’s Office also observe that there is a rise in ransomware payments being made.
The financial services space remains a popular target for cyber criminals because of the sensitive nature of the data it holds. According to the survey, the sector that is most likely to hold personal data about customers is finance and insurance (with an 85% likelihood of holding personal data, vs. 61% of businesses overall).
Does this mean that financial institutions should resign themselves to the inevitability of a data breach?
The answer, unfortunately, is yes. But there are steps that businesses can take to significantly lower the risk and impact from potential data breaches. One of these steps is taking a Zero Trust security approach as part of their digital transformation strategy.
The move to cloud
As it did with so many other aspects of life, COVID upended normal work patterns. Suddenly, people were working from home as often as they were from the office, and this instigated the move to cloud systems – for document management, project management, billing, and other workflows – so that data and the controls to secure that data could be accessible at any time, from any location.
This continued migration to cloud from on-premise systems has picked up so much momentum that Gartner reports that more than 85% of organisations are expected to embrace a cloud-first principle by 2025 – and any application that isn’t cloud will be viewed as a legacy application.
This shift towards cloud has also had a significant impact on the traditional security model, where the approach was to “secure the perimeter” and protect the corporate network against anything coming from the outside in. For the few workers who were working from home, the primary means of accessing corporate assets was via a VPN (virtual private network) that would let them connect to the corporate network.
One of the flaws of this approach is that it automatically trusts all users and devices once they are inside the perimeter. Not only does this put the business at risk from malicious internal actors, but it also allows external bad actors to take advantage of compromised accounts and wreak havoc once inside.
Relying on technologies like VPN to protect the infrastructure within the four walls of an office is no longer an option for the current times. Organisations should look to protect applications, assets, users, and devices, wherever they are. And with cloud applications allowing data to be accessible from anywhere, it is important to ensure employees can securely access the sensitive files and data that they are allowed to access, without impacting their productivity.
A comprehensive security model
Taking a Zero Trust approach has never been more critical, as it offers higher levels of security with reduced complexity and operational overhead.
The premise of Zero Trust is to verify “everything, every time”, whether inside or outside the company network. Unlike older security models, which would verify user credentials just once at the point of entry, Zero Trust is based on the concept that no user is given implicit trust until their identity is verified – and every interaction is constantly verified throughout the user session to reduce risk.
If we take the example of a cloud-based document management system (DMS) used exclusively by Finance and Legal staff to manage sensitive content, a Zero Trust approach would ensure that access to the DMS application, or even visibility of it, is limited to only those employees who are in the Finance and Legal teams and are authorised to view the data. Authorisations are determined granularly – not just down to file level, but also by usage rights. For example, one user could be granted only viewing rights for a defined period of time, whilst another may also be able to edit. By implementing this level of need-to-know security, the damage a threat actor could cause via lateral movement once inside the network can be significantly reduced.
A Zero Trust approach combines various technologies such as multifactor authentication (MFA), endpoint security, identity and access management (IAM) and device certification. These technologies can help to authenticate and validate users and devices across multiple cloud applications and internal systems.
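The document management example above can be written as a policy check that runs on every request rather than once at login. This is an added illustration, not code from iManage or any product; the names (Grant, Request, decide), the team set and the sample grants are hypothetical and constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical policy data: only these teams may see the DMS at all.
AUTHORISED_TEAMS = {"Finance", "Legal"}

@dataclass(frozen=True)
class Grant:
    user: str
    document: str
    rights: frozenset   # subset of {"view", "edit"}
    expires: datetime   # the grant is void from this instant onwards

@dataclass(frozen=True)
class Request:
    user: str
    team: str
    mfa_verified: bool      # signal from the identity provider
    device_certified: bool  # signal from endpoint / device management
    document: str
    action: str
    at: datetime

def decide(req, grants):
    """Evaluate a single request. Default is deny; nothing is cached."""
    if req.team not in AUTHORISED_TEAMS:
        return (False, "not in an authorised team")
    if not req.mfa_verified:
        return (False, "MFA not verified")
    if not req.device_certified:
        return (False, "device not certified")
    # Only grants for this user and document that are still in date count.
    live = [g for g in grants
            if g.user == req.user and g.document == req.document
            and req.at < g.expires]
    if not live:
        return (False, "no current grant for this document")
    if not any(req.action in g.rights for g in live):
        return (False, "action not granted")
    return (True, "allowed")

def at_hour(hour):
    """Constructed timestamp helper for the sample data (UTC)."""
    return datetime(2023, 1, 10, hour, 0, tzinfo=timezone.utc)

# Constructed sample grants: alice may view until 12:00, bob may view and edit until 18:00.
GRANTS = [
    Grant("alice", "q4-forecast.xlsx", frozenset({"view"}), at_hour(12)),
    Grant("bob", "q4-forecast.xlsx", frozenset({"view", "edit"}), at_hour(18)),
]
```

Because the device and MFA signals are inputs to every call, a session that was valid at 09:00 is refused at 13:00 if the grant has lapsed or the device has fallen out of compliance.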
This allows organisations to incorporate cloud applications into a standardised and robust security model and to take advantage of all the benefits of migrating to the cloud, while increasing protection across their data.
Cloud requires Zero Trust
Zero Trust isn’t a “product” or a shiny new thing that will replace the existing security stack. Zero Trust is a journey, and it requires careful, patient planning. As the migration to the cloud continues, it will become increasingly critical for financial organisations to embark on their own Zero Trust journey sooner rather than later. If they don’t, they risk becoming just another statistic for next year’s cybersecurity report.