By Martin Ward, Director, Security Governance Risk and Compliance, iManage
Sensitive data is the coin of the realm for financial services firms. Unfortunately, this makes them a prime target for bad actors of every stripe who are looking to get their hands on that data.
A recent security report indicates that cyber-attacks continue to plague the financial services sector, with ransomware attacks making up a vast portion of the reported security incidents. Meanwhile, at a gathering earlier this year of the chief executives of the six largest banks in the United States, cybersecurity was named as the greatest threat to their companies and the wider financial system.
Given this unforgiving landscape, how can firms best mitigate and guard against the persistent threats to their data?
Understanding Where Risk Actually Lies
One of the first steps firms should take is to carefully scrutinise the cloud services they’re utilising. That’s because as more and more financial services firms have embraced the cloud, a transference of risk has occurred: out of the organisation to the cloud vendor, with the cloud vendor responsible for the lion’s share of security controls.
The bad guys are aware of this shift, and they’re adjusting their attack methodologies accordingly, to focus on the weak links in the supply chain. For instance, how are IT services being delivered? What platforms are being leveraged? Who’s providing IT support for the service?
By taking the time to understand the ins and outs of those IT services and where the weak points are, bad actors have a better chance of successfully targeting the sensitive data that the services manage. Incidentally, this is the same general strategy that was employed in the SolarWinds hack earlier this year that targeted government agencies and Fortune 500 companies alike.
Since 85% of all data breaches involve some type of social engineering or human element, the ability of a cloud vendor to mitigate that element is one of the most important areas to examine. Clouds that are built around a Zero Trust model are – to a large extent – able to engineer out this human element. A Zero Trust framework assumes absolutely no level of trust, whether that’s trust of networks, trust between host and applications, or even trust of super users or administrators.
The effectiveness of this Zero Trust framework, however, is dependent upon it also incorporating a Zero Touch approach. Zero Touch uses automation to take the human out of the equation for everything from routine server maintenance and patching, to more advanced troubleshooting.
This “hands off” approach ensures that no human actually has hands-on access to sensitive data, helping to “automate out” the weakest link – and giving financial services firms greater confidence that the service they’re utilising on a daily basis is secured at the highest possible levels.
Safeguarding Remote Work
The risk that the “human element” presents isn’t limited to the cloud vendors that financial services utilise. Financial services firms also need to make sure they’re protecting against any intentional or unintentional damage that the consumers of those cloud services – their employees – might potentially cause.
Mitigating this element has become considerably more difficult over the last 18 months since large numbers of those employees have been working remotely, outside the four walls of the firm, which greatly increases the risk level.
For starters, home networks are inherently less secure than corporate networks. They simply don’t have the same security controls in place – which means the likelihood of some type of malware getting on that home network and then providing a backdoor into the corporate environment increases. In fact, users are three and a half times more likely to have malware on their home PCs than on their office devices. All it takes is one wrong click on a carefully crafted spear phishing email or text message for malware to propagate across the system.